Official ISC2 Guide to the CISSP CBK (2019)
Official ISC2 Guide to the CISSP CBK (2019) provides detailed explanations to help you understand key concepts.
Samuel White
Contributor
4.8
40
about 2 months ago
Preview (31 of 928)
Sign in to access the full document!
CISSP
The Official (ISC) 2 ®
CISSP® CBK® Reference
Fifth Edition
The Official (ISC) 2 ®
CISSP® CBK® Reference
Fifth Edition
CISSP: Certified Information
Systems Security Professional
The Official (ISC) 2 ®
CISSP® CBK®
Reference
Fifth Edition
JOhn WaRSInKSe
WITh: MaRK GRaff, KevIn henRy, ChRISTOPheR hOOveR, Ben MalISOW,
Sean MuRPhy, C. Paul OaKeS, GeORGe PaJaRI, Jeff T. PaRKeR,
DavID SeIDl, MIKe vaSquez
Systems Security Professional
The Official (ISC) 2 ®
CISSP® CBK®
Reference
Fifth Edition
JOhn WaRSInKSe
WITh: MaRK GRaff, KevIn henRy, ChRISTOPheR hOOveR, Ben MalISOW,
Sean MuRPhy, C. Paul OaKeS, GeORGe PaJaRI, Jeff T. PaRKeR,
DavID SeIDl, MIKe vaSquez
Loading page 4...
Development Editor: Kelly Talbot
Senior Production Editor: Christine O’Connor
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Proofreader: Louise Watson, Word One New York
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Copyright © 2019 by (ISC)2
Published simultaneously in Canada
ISBN: 978-1-119-42334-8
ISBN: 978-1-119-42332-4 (ebk.)
ISBN: 978-1-119-42331-7 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108
of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization
through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers,
MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201)
748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with
respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including
without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or
promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work
is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional
services. If professional assistance is required, the services of a competent professional person should be sought. Neither
the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is
referred to in this work as a citation and/or a potential source of further information does not mean that the author or
the publisher endorses the information the organization or Web site may provide or recommendations it may make.
Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between
when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer
Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with
standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media
such as a CD or DVD that is not included in the version you purchased, you may download this material at
http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2019936840
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permis-
sion. (ISC)2 , CISSP, and CBK are registered trademarks of (ISC)2, Inc. All other trademarks are the property of their
respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
10 9 8 7 6 5 4 3 2 1
Senior Production Editor: Christine O’Connor
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Proofreader: Louise Watson, Word One New York
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Copyright © 2019 by (ISC)2
Published simultaneously in Canada
ISBN: 978-1-119-42334-8
ISBN: 978-1-119-42332-4 (ebk.)
ISBN: 978-1-119-42331-7 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108
of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization
through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers,
MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201)
748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with
respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including
without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or
promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work
is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional
services. If professional assistance is required, the services of a competent professional person should be sought. Neither
the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is
referred to in this work as a citation and/or a potential source of further information does not mean that the author or
the publisher endorses the information the organization or Web site may provide or recommendations it may make.
Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between
when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer
Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with
standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media
such as a CD or DVD that is not included in the version you purchased, you may download this material at
http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2019936840
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permis-
sion. (ISC)2 , CISSP, and CBK are registered trademarks of (ISC)2, Inc. All other trademarks are the property of their
respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
10 9 8 7 6 5 4 3 2 1
Loading page 5...
lead author and lead Technical
Reviewer
Over the course of his 30-plus years as an information technology professional, John Warsinske
has been exposed to a breadth of technologies and governance structures. He has been, at
various times, a network analyst, IT manager, project manager, security analyst, and chief
information officer. He has worked in local, state, and federal government; has worked in
public, private, and nonprofit organizations; and has been variously a contractor, direct
employee, and volunteer. He has served in the U.S. military in assignments at the tactical,
operational, and strategic levels across the entire spectrum from peace to war. In these diverse
environments, he has experienced both the uniqueness and the similarities in the activities
necessary to secure their respective information assets.
Mr. Warsinske has been an instructor for (ISC)2 for more than five years; prior to that, he
was an adjunct faculty instructor at the College of Southern Maryland. His (ISC)2 certifications
include the Certified Information Systems Security Professional (CISSP), Certified Cloud-
Security Professional (CCSP), and HealthCare Information Security and Privacy Practitioner
(HCISPP). He maintains several other industry credentials as well.
When he is not traveling, Mr. Warsinske currently resides in Ormond Beach, Florida, with
his wife and two extremely spoiled Carolina dogs.
v
Reviewer
Over the course of his 30-plus years as an information technology professional, John Warsinske
has been exposed to a breadth of technologies and governance structures. He has been, at
various times, a network analyst, IT manager, project manager, security analyst, and chief
information officer. He has worked in local, state, and federal government; has worked in
public, private, and nonprofit organizations; and has been variously a contractor, direct
employee, and volunteer. He has served in the U.S. military in assignments at the tactical,
operational, and strategic levels across the entire spectrum from peace to war. In these diverse
environments, he has experienced both the uniqueness and the similarities in the activities
necessary to secure their respective information assets.
Mr. Warsinske has been an instructor for (ISC)2 for more than five years; prior to that, he
was an adjunct faculty instructor at the College of Southern Maryland. His (ISC)2 certifications
include the Certified Information Systems Security Professional (CISSP), Certified Cloud-
Security Professional (CCSP), and HealthCare Information Security and Privacy Practitioner
(HCISPP). He maintains several other industry credentials as well.
When he is not traveling, Mr. Warsinske currently resides in Ormond Beach, Florida, with
his wife and two extremely spoiled Carolina dogs.
v
Loading page 6...
Loading page 7...
Contributing authors
Mark Graff (CISSP), former chief information security officer for both NASDAQ and Law-
rence Livermore National Laboratory, is a seasoned cybersecurity practitioner and thought
leader. He has lectured on risk analysis, cybersecurity, and privacy issues before the American
Academy for the Advancement of Science, the Federal Communications Commission, the
Pentagon, the National Nuclear Security Administration, and other U.S. national security
facilities. Graff has twice testified before Congress on cybersecurity, and in 2018–2019 served
as an expert witness on software security to the Federal Trade Commission. His books—notably
Secure Coding: Principles and Practices—have been used at dozens of universities worldwide in
teaching how to design and build secure software-based systems. Today, as head of the consult-
ing firm Tellagraff LLC (www.markgraff.com), Graff provides strategic advice to large compa-
nies, small businesses, and government agencies. Recent work has included assisting multiple
state governments in the area of election security.
Kevin Henry (CAP, CCSP, CISSP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, CSSLP,
and SSCP) is a passionate and effective educator and consultant in information security.
Kevin has taught CISSP classes around the world and has contributed to the development of
(ISC)2 materials for nearly 20 years. He is a frequent speaker at security conferences and the
author of several books on security management. Kevin’s years of work in telecommunications,
government, and private industry have led to his strength in being able to combine real-world
experience with the concepts and application of information security topics in an understand-
able and effective manner.
Chris Hoover, CISSP, CISA, is a cybersecurity and risk management professional with 20
years in the field. He spent most of his career protecting the U.S. government’s most sensitive
data in the Pentagon, the Baghdad Embassy, NGA Headquarters, Los Alamos Labs, and many
other locations. Mr. Hoover also developed security products for RSA that are deployed across
the U.S. federal government, many state governments, and internationally. He is currently
consulting for the DoD and runs a risk management start-up called Riskuary. He has a master’s
degree in information assurance.
Ben Malisow, CISSP, CISM, CCSP, Security+, SSCP, has been involved in INFOSEC and
education for more than 20 years. At Carnegie Mellon University, he crafted and delivered the
CISSP prep course for CMU’s CERT/SEU. Malisow was the ISSM for the FBI’s most highly
classified counterterror intelligence-sharing network, served as an Air Force officer, and taught
vii
Mark Graff (CISSP), former chief information security officer for both NASDAQ and Law-
rence Livermore National Laboratory, is a seasoned cybersecurity practitioner and thought
leader. He has lectured on risk analysis, cybersecurity, and privacy issues before the American
Academy for the Advancement of Science, the Federal Communications Commission, the
Pentagon, the National Nuclear Security Administration, and other U.S. national security
facilities. Graff has twice testified before Congress on cybersecurity, and in 2018–2019 served
as an expert witness on software security to the Federal Trade Commission. His books—notably
Secure Coding: Principles and Practices—have been used at dozens of universities worldwide in
teaching how to design and build secure software-based systems. Today, as head of the consult-
ing firm Tellagraff LLC (www.markgraff.com), Graff provides strategic advice to large compa-
nies, small businesses, and government agencies. Recent work has included assisting multiple
state governments in the area of election security.
Kevin Henry (CAP, CCSP, CISSP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, CSSLP,
and SSCP) is a passionate and effective educator and consultant in information security.
Kevin has taught CISSP classes around the world and has contributed to the development of
(ISC)2 materials for nearly 20 years. He is a frequent speaker at security conferences and the
author of several books on security management. Kevin’s years of work in telecommunications,
government, and private industry have led to his strength in being able to combine real-world
experience with the concepts and application of information security topics in an understand-
able and effective manner.
Chris Hoover, CISSP, CISA, is a cybersecurity and risk management professional with 20
years in the field. He spent most of his career protecting the U.S. government’s most sensitive
data in the Pentagon, the Baghdad Embassy, NGA Headquarters, Los Alamos Labs, and many
other locations. Mr. Hoover also developed security products for RSA that are deployed across
the U.S. federal government, many state governments, and internationally. He is currently
consulting for the DoD and runs a risk management start-up called Riskuary. He has a master’s
degree in information assurance.
Ben Malisow, CISSP, CISM, CCSP, Security+, SSCP, has been involved in INFOSEC and
education for more than 20 years. At Carnegie Mellon University, he crafted and delivered the
CISSP prep course for CMU’s CERT/SEU. Malisow was the ISSM for the FBI’s most highly
classified counterterror intelligence-sharing network, served as an Air Force officer, and taught
vii
Loading page 8...
viii Contributing Authors
grades 6–12 at a reform school in the Las Vegas public school district (probably his most
dangerous employment to date). His latest work has included CCSP Practice Tests and
CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide, also from Sybex/
Wiley, and How to Pass Your INFOSEC Certification Test: A Guide to Passing the CISSP,
CISA, CISM, Network+, Security+, and CCSP, available from Amazon Direct. In addi-
tion to other consulting and teaching, Ben is a certified instructor for (ISC)2
, delivering
CISSP, CCSP, and SSCP courses. You can reach him at www.benmalisow.com or his
INFOSEC blog, securityzed.com. Ben would also like to extend his personal gratitude
to Todd R. Slack, MS, JD, CIPP/US, CIPP/E, CIPM, FIP, CISSP, for his invaluable con-
tributions to this book.
Sean Murphy, CISSP, HCISSP, is the vice president and chief information security
officer for Premera Blue Cross (Seattle). He is responsible for providing and optimizing
an enterprise-wide security program and architecture that minimizes risk, enables busi-
ness imperatives, and further strengthens the health plan company’s security posture. He’s
a healthcare information security expert with more than 20 years of experience in highly
regulated, security-focused organizations. Sean retired from the U.S. Air Force (Medical
Service Corps) after achieving the rank of lieutenant colonel. He has served as CIO and
CISO in the military service and private sector at all levels of healthcare organizations.
Sean has a master’s degree in business administration (advanced IT concentration) from
the University of South Florida, a master’s degree in health services administration from
Central Michigan University, and a bachelor’s degree in human resource management
from the University of Maryland. He is a board chair of the Association for Executives
in Healthcare Information Security (AEHIS). Sean is a past chairman of the HIMSS
Privacy and Security Committee. He served on the (ISC)2 committee to develop the
HCISPP credential. He is also a noted speaker at the national level and the author of
numerous industry whitepapers, articles, and educational materials, including his book
Healthcare Information Security and Privacy.
C. Paul Oakes, CISSP, CISSP-ISSAP, CCSP, CCSK, CSM, and CSPO, is an author,
speaker, educator, technologist, and thought leader in cybersecurity, software devel-
opment, and process improvement. Paul has worn many hats over his 20-plus years of
experience. In his career he has been a security architect, consultant, software engineer,
mentor, educator, and executive. Paul has worked with companies in various industries
such as the financial industry, banking, publishing, utilities, government, e-commerce,
education, training, research, and technology start-ups. His work has advanced the cause
of software and information security on many fronts, ranging from writing security policy
to implementing secure code and showing others how to do the same. Paul’s passion is to
help people develop the skills they need to most effectively defend the line in cyberspace
grades 6–12 at a reform school in the Las Vegas public school district (probably his most
dangerous employment to date). His latest work has included CCSP Practice Tests and
CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide, also from Sybex/
Wiley, and How to Pass Your INFOSEC Certification Test: A Guide to Passing the CISSP,
CISA, CISM, Network+, Security+, and CCSP, available from Amazon Direct. In addi-
tion to other consulting and teaching, Ben is a certified instructor for (ISC)2
, delivering
CISSP, CCSP, and SSCP courses. You can reach him at www.benmalisow.com or his
INFOSEC blog, securityzed.com. Ben would also like to extend his personal gratitude
to Todd R. Slack, MS, JD, CIPP/US, CIPP/E, CIPM, FIP, CISSP, for his invaluable con-
tributions to this book.
Sean Murphy, CISSP, HCISSP, is the vice president and chief information security
officer for Premera Blue Cross (Seattle). He is responsible for providing and optimizing
an enterprise-wide security program and architecture that minimizes risk, enables busi-
ness imperatives, and further strengthens the health plan company’s security posture. He’s
a healthcare information security expert with more than 20 years of experience in highly
regulated, security-focused organizations. Sean retired from the U.S. Air Force (Medical
Service Corps) after achieving the rank of lieutenant colonel. He has served as CIO and
CISO in the military service and private sector at all levels of healthcare organizations.
Sean has a master’s degree in business administration (advanced IT concentration) from
the University of South Florida, a master’s degree in health services administration from
Central Michigan University, and a bachelor’s degree in human resource management
from the University of Maryland. He is a board chair of the Association for Executives
in Healthcare Information Security (AEHIS). Sean is a past chairman of the HIMSS
Privacy and Security Committee. He served on the (ISC)2 committee to develop the
HCISPP credential. He is also a noted speaker at the national level and the author of
numerous industry whitepapers, articles, and educational materials, including his book
Healthcare Information Security and Privacy.
C. Paul Oakes, CISSP, CISSP-ISSAP, CCSP, CCSK, CSM, and CSPO, is an author,
speaker, educator, technologist, and thought leader in cybersecurity, software devel-
opment, and process improvement. Paul has worn many hats over his 20-plus years of
experience. In his career he has been a security architect, consultant, software engineer,
mentor, educator, and executive. Paul has worked with companies in various industries
such as the financial industry, banking, publishing, utilities, government, e-commerce,
education, training, research, and technology start-ups. His work has advanced the cause
of software and information security on many fronts, ranging from writing security policy
to implementing secure code and showing others how to do the same. Paul’s passion is to
help people develop the skills they need to most effectively defend the line in cyberspace
Loading page 9...
ixContributing Authors
and advance the standard of cybersecurity practice. To this end, Paul continuously col-
laborates with experts across many disciplines, ranging from cybersecurity to accelerated
learning to mind-body medicine, to create and share the most effective strategies to
rapidly learn cybersecurity and information technology subject matter. Most of all, Paul
enjoys his life with his wife and young son, both of whom are the inspirations for his
passion.
George E. Pajari, CISSP-ISSAP, CISM, CIPP/E, is a fractional CISO, providing
cybersecurity leadership on a consulting basis to a number of cloud service providers.
Previously he was the chief information security officer (CISO) at Hootsuite, the most
widely used social media management platform, trusted by more than 16 million
people and employees at 80 percent of the Fortune 1000. He has presented at conferences
including CanSecWest, ISACA CACS, and BSides Vancouver. As a volunteer, he helps
with the running of BSides Vancouver, the (ISC)² Vancouver chapter, and the University
of British Columbia’s Cybersecurity Summit. He is a recipient of the ISACA CISM
Worldwide Excellence Award.
Jeff Parker, CISSP, CySA+, CASP, is a certified technical trainer and security consultant
specializing in governance, risk management, and compliance (GRC). Jeff began his
information security career as a software engineer with an HP consulting group out of
Boston. Enterprise clients for which Jeff has consulted on site include hospitals,
universities, the U.S. Senate, and a half-dozen UN agencies. Jeff assessed these clients’
security posture and provided gap analysis and remediation. In 2006 Jeff relocated to
Prague, Czech Republic, for a few years, where he designed a new risk management
strategy for a multinational logistics firm. Presently, Jeff resides in Halifax, Canada, while
consulting primarily for a GRC firm in Virginia.
David Seidl, CISSP, GPEN, GCIH, CySA+, Pentest+, is the vice president for infor-
mation technology and CIO at Miami University of Ohio. During his IT career, he has
served in a variety of technical and information security roles, including serving as the
senior director for Campus Technology Services at the University of Notre Dame and
leading Notre Dame’s information security team as director of information security.
David has taught college courses on information security and writes books on information
security and cyberwarfare, including CompTIA CySA+ Study Guide: Exam CS0-001,
CompTIA PenTest+ Study Guide: Exam PT0-001, CISSP Official (ISC)2 Practice
Tests, and CompTIA CySA+ Practice Tests: Exam CS0-001, all from Wiley, and Cyberwar-
fare: Information Operations in a Connected World from Jones and Bartlett. David holds
a bachelor’s degree in communication technology and a master’s degree in information
security from Eastern Michigan University.
and advance the standard of cybersecurity practice. To this end, Paul continuously col-
laborates with experts across many disciplines, ranging from cybersecurity to accelerated
learning to mind-body medicine, to create and share the most effective strategies to
rapidly learn cybersecurity and information technology subject matter. Most of all, Paul
enjoys his life with his wife and young son, both of whom are the inspirations for his
passion.
George E. Pajari, CISSP-ISSAP, CISM, CIPP/E, is a fractional CISO, providing
cybersecurity leadership on a consulting basis to a number of cloud service providers.
Previously he was the chief information security officer (CISO) at Hootsuite, the most
widely used social media management platform, trusted by more than 16 million
people and employees at 80 percent of the Fortune 1000. He has presented at conferences
including CanSecWest, ISACA CACS, and BSides Vancouver. As a volunteer, he helps
with the running of BSides Vancouver, the (ISC)² Vancouver chapter, and the University
of British Columbia’s Cybersecurity Summit. He is a recipient of the ISACA CISM
Worldwide Excellence Award.
Jeff Parker, CISSP, CySA+, CASP, is a certified technical trainer and security consultant
specializing in governance, risk management, and compliance (GRC). Jeff began his
information security career as a software engineer with an HP consulting group out of
Boston. Enterprise clients for which Jeff has consulted on site include hospitals,
universities, the U.S. Senate, and a half-dozen UN agencies. Jeff assessed these clients’
security posture and provided gap analysis and remediation. In 2006 Jeff relocated to
Prague, Czech Republic, for a few years, where he designed a new risk management
strategy for a multinational logistics firm. Presently, Jeff resides in Halifax, Canada, while
consulting primarily for a GRC firm in Virginia.
David Seidl, CISSP, GPEN, GCIH, CySA+, Pentest+, is the vice president for infor-
mation technology and CIO at Miami University of Ohio. During his IT career, he has
served in a variety of technical and information security roles, including serving as the
senior director for Campus Technology Services at the University of Notre Dame and
leading Notre Dame’s information security team as director of information security.
David has taught college courses on information security and writes books on information
security and cyberwarfare, including CompTIA CySA+ Study Guide: Exam CS0-001,
CompTIA PenTest+ Study Guide: Exam PT0-001, CISSP Official (ISC)2 Practice
Tests, and CompTIA CySA+ Practice Tests: Exam CS0-001, all from Wiley, and Cyberwar-
fare: Information Operations in a Connected World from Jones and Bartlett. David holds
a bachelor’s degree in communication technology and a master’s degree in information
security from Eastern Michigan University.
Loading page 10...
x
Michael Neal Vasquez has more than 25 years of IT experience and has held several
industry certifications, including CISSP, MCSE: Security, MCSE+I, MCDBA, and
CCNA. Mike is a senior security engineer on the red team for a Fortune 500 financial
services firm, where he spends his days (and nights) looking for security holes. After
obtaining his BA from Princeton University, he forged a security-focused IT career, both
working in the trenches and training other IT professionals. Mike is a highly sought-after
instructor because his classes blend real-world experience and practical knowledge with
the technical information necessary to comprehend difficult material, and his students
praise his ability to make any course material entertaining and informative. Mike has
taught CISSP, security, and Microsoft to thousands of students across the globe through
local colleges and online live classes. He has performed penetration testing engagements
for healthcare, financial services, retail, utilities, and government entities. He also runs
his own consulting and training company and can be reached on LinkedIn at
https://www.linkedin.com/in/mnvasquez.
Contributing Authors
Michael Neal Vasquez has more than 25 years of IT experience and has held several
industry certifications, including CISSP, MCSE: Security, MCSE+I, MCDBA, and
CCNA. Mike is a senior security engineer on the red team for a Fortune 500 financial
services firm, where he spends his days (and nights) looking for security holes. After
obtaining his BA from Princeton University, he forged a security-focused IT career, both
working in the trenches and training other IT professionals. Mike is a highly sought-after
instructor because his classes blend real-world experience and practical knowledge with
the technical information necessary to comprehend difficult material, and his students
praise his ability to make any course material entertaining and informative. Mike has
taught CISSP, security, and Microsoft to thousands of students across the globe through
local colleges and online live classes. He has performed penetration testing engagements
for healthcare, financial services, retail, utilities, and government entities. He also runs
his own consulting and training company and can be reached on LinkedIn at
https://www.linkedin.com/in/mnvasquez.
Contributing Authors
Loading page 11...
Technical Reviewers
Bill Burke, CISSP, CCSP, CRISC, CISM, CEH, is a security professional with more than
35 years serving the information technology and services community. He specializes in security
architecture, governance, and compliance, primarily in the cloud space. He previously served
on the board of directors of the Silicon Valley (ISC)2 chapter, in addition to the board
of directors of the Cloud Services Alliance – Silicon Valley. Bill can be reached via email at
billburke@cloudcybersec.com.
Charles Gaughf, CISSP, SSCP, CCSP, is both a member and an employee of (ISC)², the
global nonprofit leader in educating and certifying information security professionals. For more
than 15 years, he has worked in IT and security in different capacities for nonprofit, higher edu-
cation, and telecommunications organizations to develop security education for the industry
at large. In leading the security team for the last five years as the senior manager of security at
(ISC)², he was responsible for the global security operations, security posture, and overall secu-
rity health of (ISC)². Most recently he transitioned to the (ISC)² education team to develop
immersive and enriching CPE opportunities and security training and education for the industry
at large. He holds degrees in management of information systems and communications.
Dr. Meng-Chow Kang, CISSP, is a practicing information security professional with more
than 30 years of field experience in various technical information security and risk manage-
ment roles for organizations that include the Singapore government, major global financial
institutions, and security and technology providers. His research and part of his experience
in the field have been published in his book Responsive Security: Be Ready to Be Secure from
CRC Press. Meng-Chow has been a CISSP since 1998 and was a member of the (ISC)2 board
of directors from 2015 through 2017. He is also a recipient of the (ISC)2 James Wade Service
Award.
Aaron Kraus, CISSP, CCSP, Security+, began his career as a security auditor for U.S. federal
government clients working with the NIST RMF and Cybersecurity Framework, and then
moved to the healthcare industry as an auditor working with the HIPAA and HITRUST frame-
works. Next, he entered the financial services industry, where he designed a control and audit
program for vendor risk management, incorporating financial compliance requirements and
industry-standard frameworks including COBIT and ISO 27002. Since 2016 Aaron has been
xi
Bill Burke, CISSP, CCSP, CRISC, CISM, CEH, is a security professional with more than
35 years serving the information technology and services community. He specializes in security
architecture, governance, and compliance, primarily in the cloud space. He previously served
on the board of directors of the Silicon Valley (ISC)2 chapter, in addition to the board
of directors of the Cloud Services Alliance – Silicon Valley. Bill can be reached via email at
billburke@cloudcybersec.com.
Charles Gaughf, CISSP, SSCP, CCSP, is both a member and an employee of (ISC)², the
global nonprofit leader in educating and certifying information security professionals. For more
than 15 years, he has worked in IT and security in different capacities for nonprofit, higher edu-
cation, and telecommunications organizations to develop security education for the industry
at large. In leading the security team for the last five years as the senior manager of security at
(ISC)², he was responsible for the global security operations, security posture, and overall secu-
rity health of (ISC)². Most recently he transitioned to the (ISC)² education team to develop
immersive and enriching CPE opportunities and security training and education for the industry
at large. He holds degrees in management of information systems and communications.
Dr. Meng-Chow Kang, CISSP, is a practicing information security professional with more
than 30 years of field experience in various technical information security and risk manage-
ment roles for organizations that include the Singapore government, major global financial
institutions, and security and technology providers. His research and part of his experience
in the field have been published in his book Responsive Security: Be Ready to Be Secure from
CRC Press. Meng-Chow has been a CISSP since 1998 and was a member of the (ISC)2 board
of directors from 2015 through 2017. He is also a recipient of the (ISC)2 James Wade Service
Award.
Aaron Kraus, CISSP, CCSP, Security+, began his career as a security auditor for U.S. federal
government clients working with the NIST RMF and Cybersecurity Framework, and then
moved to the healthcare industry as an auditor working with the HIPAA and HITRUST frame-
works. Next, he entered the financial services industry, where he designed a control and audit
program for vendor risk management, incorporating financial compliance requirements and
industry-standard frameworks including COBIT and ISO 27002. Since 2016 Aaron has been
xi
Loading page 12...
xii Technical Reviewers
working with startups based in San Francisco, first on a GRC SaaS platform and more
recently in cyber-risk insurance, where he focuses on assisting small- to medium-sized
businesses to identify their risks, mitigate them appropriately, and transfer risk via insur-
ance. In addition to his technical certifications, he is a Learning Tree certified instructor
who teaches cybersecurity exam prep and risk management.
Professor Jill Slay, CISSP, CCFP, is the optus chair of cybersecurity at La Trobe Uni-
versity, leads the Optus La Trobe Cyber Security Research Hub, and is the director of
cyber-resilience initiatives for the Australian Computer Society. Jill is a director of the
Victorian Oceania Research Centre and previously served two terms as a director of the
International Information Systems Security Certification Consortium. She has estab-
lished an international research reputation in cybersecurity (particularly digital forensics)
and has worked in collaboration with many industry partners. She was made a member
of the Order of Australia (AM) for service to the information technology industry through
contributions in the areas of forensic computer science, security, protection of infrastruc-
ture, and cyberterrorism. She is a fellow of the Australian Computer Society and a fellow
of the International Information Systems Security Certification Consortium, both for her
service to the information security industry. She also is a MACS CP.
working with startups based in San Francisco, first on a GRC SaaS platform and more
recently in cyber-risk insurance, where he focuses on assisting small- to medium-sized
businesses to identify their risks, mitigate them appropriately, and transfer risk via insur-
ance. In addition to his technical certifications, he is a Learning Tree certified instructor
who teaches cybersecurity exam prep and risk management.
Professor Jill Slay, CISSP, CCFP, is the optus chair of cybersecurity at La Trobe Uni-
versity, leads the Optus La Trobe Cyber Security Research Hub, and is the director of
cyber-resilience initiatives for the Australian Computer Society. Jill is a director of the
Victorian Oceania Research Centre and previously served two terms as a director of the
International Information Systems Security Certification Consortium. She has estab-
lished an international research reputation in cybersecurity (particularly digital forensics)
and has worked in collaboration with many industry partners. She was made a member
of the Order of Australia (AM) for service to the information technology industry through
contributions in the areas of forensic computer science, security, protection of infrastruc-
ture, and cyberterrorism. She is a fellow of the Australian Computer Society and a fellow
of the International Information Systems Security Certification Consortium, both for her
service to the information security industry. She also is a MACS CP.
Loading page 13...
Contents at a Glance
Foreword xxv
Introduction xxvii
Domain 1: SEcurity anD riSk managEmEnt 1
Domain 2: aSSEt SEcurity 131
Domain 3: SEcurity architEcturE anD EnginEEring 213
Domain 4: communication anD nEtwork SEcurity 363
Domain 5: iDEntity anD accESS managEmEnt 483
Domain 6: SEcurity aSSESSmEnt anD tESting 539
Domain 7: SEcurity opErationS 597
Domain 8: SoFtwarE DEvElopmEnt SEcurity 695
Index 875
xiii
Foreword xxv
Introduction xxvii
Domain 1: SEcurity anD riSk managEmEnt 1
Domain 2: aSSEt SEcurity 131
Domain 3: SEcurity architEcturE anD EnginEEring 213
Domain 4: communication anD nEtwork SEcurity 363
Domain 5: iDEntity anD accESS managEmEnt 483
Domain 6: SEcurity aSSESSmEnt anD tESting 539
Domain 7: SEcurity opErationS 597
Domain 8: SoFtwarE DEvElopmEnt SEcurity 695
Index 875
xiii
Loading page 14...
Loading page 15...
Contents
Foreword xxv
Introduction xxvii
Domain 1: Security anD riSk management 1
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2
Information Security 3
Evaluate and Apply Security Governance Principles 6
Alignment of Security Functions to Business Strategy, Goals, Mission,
and Objectives 6
Vision, Mission, and Strategy 6
Governance 7
Due Care 10
Determine Compliance Requirements 11
Legal Compliance 12
Jurisdiction 12
Legal Tradition 12
Legal Compliance Expectations 13
Understand Legal and Regulatory Issues That Pertain to Information Security in a
Global Context 13
Cyber Crimes and Data Breaches 14
Privacy 36
Understand, Adhere to, and Promote Professional Ethics 49
Ethical Decision-Making 49
Established Standards of Ethical Conduct 51
(ISC)² Ethical Practices 56
Develop, Document, and Implement Security Policy, Standards, Procedures,
and Guidelines 57
Organizational Documents 58
Policy Development 61
Policy Review Process 61
xv
Foreword xxv
Introduction xxvii
Domain 1: Security anD riSk management 1
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2
Information Security 3
Evaluate and Apply Security Governance Principles 6
Alignment of Security Functions to Business Strategy, Goals, Mission,
and Objectives 6
Vision, Mission, and Strategy 6
Governance 7
Due Care 10
Determine Compliance Requirements 11
Legal Compliance 12
Jurisdiction 12
Legal Tradition 12
Legal Compliance Expectations 13
Understand Legal and Regulatory Issues That Pertain to Information Security in a
Global Context 13
Cyber Crimes and Data Breaches 14
Privacy 36
Understand, Adhere to, and Promote Professional Ethics 49
Ethical Decision-Making 49
Established Standards of Ethical Conduct 51
(ISC)² Ethical Practices 56
Develop, Document, and Implement Security Policy, Standards, Procedures,
and Guidelines 57
Organizational Documents 58
Policy Development 61
Policy Review Process 61
xv
Loading page 16...
Contentsxvi
Identify, Analyze, and Prioritize Business Continuity Requirements 62
Develop and Document Scope and Plan 62
Risk Assessment 70
Business Impact Analysis 71
Develop the Business Continuity Plan 73
Contribute to and Enforce Personnel Security Policies and Procedures 80
Key Control Principles 80
Candidate Screening and Hiring 82
Onboarding and Termination Processes 91
Vendor, Consultant, and Contractor Agreements and Controls 96
Privacy in the Workplace 97
Understand and Apply Risk Management Concepts 99
Risk 99
Risk Management Frameworks 99
Risk Assessment Methodologies 108
Understand and Apply Threat Modeling Concepts and Methodologies 111
Threat Modeling Concepts 111
Threat Modeling Methodologies 112
Apply Risk-Based Management Concepts to the Supply Chain 116
Supply Chain Risks 116
Supply Chain Risk Management 119
Establish and Maintain a Security Awareness, Education, and Training Program 121
Security Awareness Overview 122
Developing an Awareness Program 123
Training 127
Summary 128
Domain 2: aSSet Security 131
Asset Security Concepts 131
Data Policy 132
Data Governance 132
Data Quality 133
Data Documentation 134
Data Organization 136
Identify and Classify Information and Assets 139
Asset Classification 141
Determine and Maintain Information and Asset Ownership 145
Asset Management Lifecycle 146
Software Asset Management 148
Identify, Analyze, and Prioritize Business Continuity Requirements 62
Develop and Document Scope and Plan 62
Risk Assessment 70
Business Impact Analysis 71
Develop the Business Continuity Plan 73
Contribute to and Enforce Personnel Security Policies and Procedures 80
Key Control Principles 80
Candidate Screening and Hiring 82
Onboarding and Termination Processes 91
Vendor, Consultant, and Contractor Agreements and Controls 96
Privacy in the Workplace 97
Understand and Apply Risk Management Concepts 99
Risk 99
Risk Management Frameworks 99
Risk Assessment Methodologies 108
Understand and Apply Threat Modeling Concepts and Methodologies 111
Threat Modeling Concepts 111
Threat Modeling Methodologies 112
Apply Risk-Based Management Concepts to the Supply Chain 116
Supply Chain Risks 116
Supply Chain Risk Management 119
Establish and Maintain a Security Awareness, Education, and Training Program 121
Security Awareness Overview 122
Developing an Awareness Program 123
Training 127
Summary 128
Domain 2: aSSet Security 131
Asset Security Concepts 131
Data Policy 132
Data Governance 132
Data Quality 133
Data Documentation 134
Data Organization 136
Identify and Classify Information and Assets 139
Asset Classification 141
Determine and Maintain Information and Asset Ownership 145
Asset Management Lifecycle 146
Software Asset Management 148
Loading page 17...
Contentsxvii
Protect Privacy 152
Cross-Border Privacy and Data Flow Protection 153
Data Owners 161
Data Controllers 162
Data Processors 163
Data Stewards 164
Data Custodians 164
Data Remanence 164
Data Sovereignty 168
Data Localization or Residency 169
Government and Law Enforcement Access to Data 171
Collection Limitation 172
Understanding Data States 173
Data Issues with Emerging Technologies 173
Ensure Appropriate Asset Retention 175
Retention of Records 178
Determining Appropriate Records Retention 178
Retention of Records in Data Lifecycle 179
Records Retention Best Practices 180
Determine Data Security Controls 181
Technical, Administrative, and Physical Controls 183
Establishing the Baseline Security 185
Scoping and Tailoring 186
Standards Selection 189
Data Protection Methods 198
Establish Information and Asset Handling Requirements 208
Marking and Labeling 208
Handling 209
Declassifying Data 210
Storage 211
Summary 212
Domain 3: Security architecture anD engineering 213
Implement and Manage Engineering Processes Using Secure Design Principles 215
Saltzer and Schroeder’s Principles 216
ISO/IEC 19249 221
Defense in Depth 229
Using Security Principles 230
Protect Privacy 152
Cross-Border Privacy and Data Flow Protection 153
Data Owners 161
Data Controllers 162
Data Processors 163
Data Stewards 164
Data Custodians 164
Data Remanence 164
Data Sovereignty 168
Data Localization or Residency 169
Government and Law Enforcement Access to Data 171
Collection Limitation 172
Understanding Data States 173
Data Issues with Emerging Technologies 173
Ensure Appropriate Asset Retention 175
Retention of Records 178
Determining Appropriate Records Retention 178
Retention of Records in Data Lifecycle 179
Records Retention Best Practices 180
Determine Data Security Controls 181
Technical, Administrative, and Physical Controls 183
Establishing the Baseline Security 185
Scoping and Tailoring 186
Standards Selection 189
Data Protection Methods 198
Establish Information and Asset Handling Requirements 208
Marking and Labeling 208
Handling 209
Declassifying Data 210
Storage 211
Summary 212
Domain 3: Security architecture anD engineering 213
Implement and Manage Engineering Processes Using Secure Design Principles 215
Saltzer and Schroeder’s Principles 216
ISO/IEC 19249 221
Defense in Depth 229
Using Security Principles 230
Loading page 18...
Contentsxviii
Understand the Fundamental Concepts of Security Models 230
Bell-LaPadula Model 232
The Biba Integrity Model 234
The Clark-Wilson Model 235
The Brewer-Nash Model 235
Select Controls Based upon Systems Security Requirements 237
Understand Security Capabilities of Information Systems 241
Memory Protection 241
Virtualization 244
Secure Cryptoprocessor 247
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and
Solution Elements 253
Client-Based Systems 254
Server-Based Systems 255
Database Systems 257
Cryptographic Systems 260
Industrial Control Systems 267
Cloud-Based Systems 271
Distributed Systems 274
Internet of Things 275
Assess and Mitigate Vulnerabilities in Web-Based Systems 278
Injection Vulnerabilities 279
Broken Authentication 280
Sensitive Data Exposure 283
XML External Entities 284
Broken Access Control 284
Security Misconfiguration 285
Cross-Site Scripting 285
Using Components with Known Vulnerabilities 286
Insufficient Logging and Monitoring 286
Cross-Site Request Forgery 287
Assess and Mitigate Vulnerabilities in Mobile Systems 287
Passwords 288
Multifactor Authentication 288
Session Lifetime 289
Wireless Vulnerabilities 290
Mobile Malware 290
Unpatched Operating System or Browser 290
Understand the Fundamental Concepts of Security Models 230
Bell-LaPadula Model 232
The Biba Integrity Model 234
The Clark-Wilson Model 235
The Brewer-Nash Model 235
Select Controls Based upon Systems Security Requirements 237
Understand Security Capabilities of Information Systems 241
Memory Protection 241
Virtualization 244
Secure Cryptoprocessor 247
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and
Solution Elements 253
Client-Based Systems 254
Server-Based Systems 255
Database Systems 257
Cryptographic Systems 260
Industrial Control Systems 267
Cloud-Based Systems 271
Distributed Systems 274
Internet of Things 275
Assess and Mitigate Vulnerabilities in Web-Based Systems 278
Injection Vulnerabilities 279
Broken Authentication 280
Sensitive Data Exposure 283
XML External Entities 284
Broken Access Control 284
Security Misconfiguration 285
Cross-Site Scripting 285
Using Components with Known Vulnerabilities 286
Insufficient Logging and Monitoring 286
Cross-Site Request Forgery 287
Assess and Mitigate Vulnerabilities in Mobile Systems 287
Passwords 288
Multifactor Authentication 288
Session Lifetime 289
Wireless Vulnerabilities 290
Mobile Malware 290
Unpatched Operating System or Browser 290
Loading page 19...
Contentsxix
Insecure Devices 291
Mobile Device Management 291
Assess and Mitigate Vulnerabilities in Embedded Devices 292
Apply Cryptography 295
Cryptographic Lifecycle 295
Cryptographic Methods 298
Public Key Infrastructure 311
Key Management Practices 315
Digital Signatures 318
Non-Repudiation 320
Integrity 321
Understand Methods of Cryptanalytic Attacks 325
Digital Rights Management 339
Apply Security Principles to Site and Facility Design 342
Implement Site and Facility Security Controls 343
Physical Access Controls 343
Wiring Closets/Intermediate Distribution Facilities 345
Server Rooms/Data Centers 346
Media Storage Facilities 348
Evidence Storage 349
Restricted and Work Area Security 349
Utilities and Heating, Ventilation, and Air Conditioning 351
Environmental Issues 355
Fire Prevention, Detection, and Suppression 358
Summary 362
Domain 4: communication anD network Security 363
Implement Secure Design Principles in Network Architectures 364
Open Systems Interconnection and Transmission Control
Protocol/Internet Protocol Models 365
Internet Protocol Networking 382
Implications of Multilayer Protocols 392
Converged Protocols 394
Software-Defined Networks 395
Wireless Networks 396
Internet, Intranets, and Extranets 409
Demilitarized Zones 410
Virtual LANs 410
Insecure Devices 291
Mobile Device Management 291
Assess and Mitigate Vulnerabilities in Embedded Devices 292
Apply Cryptography 295
Cryptographic Lifecycle 295
Cryptographic Methods 298
Public Key Infrastructure 311
Key Management Practices 315
Digital Signatures 318
Non-Repudiation 320
Integrity 321
Understand Methods of Cryptanalytic Attacks 325
Digital Rights Management 339
Apply Security Principles to Site and Facility Design 342
Implement Site and Facility Security Controls 343
Physical Access Controls 343
Wiring Closets/Intermediate Distribution Facilities 345
Server Rooms/Data Centers 346
Media Storage Facilities 348
Evidence Storage 349
Restricted and Work Area Security 349
Utilities and Heating, Ventilation, and Air Conditioning 351
Environmental Issues 355
Fire Prevention, Detection, and Suppression 358
Summary 362
Domain 4: communication anD network Security 363
Implement Secure Design Principles in Network Architectures 364
Open Systems Interconnection and Transmission Control
Protocol/Internet Protocol Models 365
Internet Protocol Networking 382
Implications of Multilayer Protocols 392
Converged Protocols 394
Software-Defined Networks 395
Wireless Networks 396
Internet, Intranets, and Extranets 409
Demilitarized Zones 410
Virtual LANs 410
Loading page 20...
Contentsxx
Secure Network Components 411
Firewalls 412
Network Address Translation 418
Intrusion Detection System 421
Security Information and Event Management 422
Network Security from Hardware Devices 423
Transmission Media 429
Endpoint Security 442
Implementing Defense in Depth 447
Content Distribution Networks 448
Implement Secure Communication Channels According to Design 449
Secure Voice Communications 449
Multimedia Collaboration 452
Remote Access 458
Data Communications 466
Virtualized Networks 470
Summary 481
Domain 5: iDentity anD acceSS management 483
Control Physical and Logical Access to Assets 484
Information 485
Systems 486
Devices 487
Facilities 488
Manage Identification and Authentication of People, Devices, and Services 492
Identity Management Implementation 494
Single Factor/Multifactor Authentication 496
Accountability 511
Session Management 511
Registration and Proofing of Identity 513
Federated Identity Management 520
Credential Management Systems 524
Integrate Identity as a Third-Party Service 525
On-Premise 526
Cloud 527
Federated 527
Implement and Manage Authorization Mechanisms 528
Role-Based Access Control 528
Rule-Based Access Control 529
Secure Network Components 411
Firewalls 412
Network Address Translation 418
Intrusion Detection System 421
Security Information and Event Management 422
Network Security from Hardware Devices 423
Transmission Media 429
Endpoint Security 442
Implementing Defense in Depth 447
Content Distribution Networks 448
Implement Secure Communication Channels According to Design 449
Secure Voice Communications 449
Multimedia Collaboration 452
Remote Access 458
Data Communications 466
Virtualized Networks 470
Summary 481
Domain 5: iDentity anD acceSS management 483
Control Physical and Logical Access to Assets 484
Information 485
Systems 486
Devices 487
Facilities 488
Manage Identification and Authentication of People, Devices, and Services 492
Identity Management Implementation 494
Single Factor/Multifactor Authentication 496
Accountability 511
Session Management 511
Registration and Proofing of Identity 513
Federated Identity Management 520
Credential Management Systems 524
Integrate Identity as a Third-Party Service 525
On-Premise 526
Cloud 527
Federated 527
Implement and Manage Authorization Mechanisms 528
Role-Based Access Control 528
Rule-Based Access Control 529
Loading page 21...
Contentsxxi
Mandatory Access Control 530
Discretionary Access Control 531
Attribute-Based Access Control 531
Manage the Identity and Access Provisioning Lifecycle 533
User Access Review 534
System Account Access Review 535
Provisioning and Deprovisioning 535
Auditing and Enforcement 536
Summary 537
Domain 6: Security aSSeSSment anD teSting 539
Design and Validate Assessment, Test, and Audit Strategies 540
Assessment Standards 543
Conduct Security Control Testing 545
Vulnerability Assessment 546
Penetration Testing 554
Log Reviews 564
Synthetic Transactions 565
Code Review and Testing 567
Misuse Case Testing 571
Test Coverage Analysis 573
Interface Testing 574
Collect Security Process Data 575
Account Management 577
Management Review and Approval 579
Key Performance and Risk Indicators 580
Backup Verification Data 583
Training and Awareness 584
Disaster Recovery and Business Continuity 585
Analyze Test Output and Generate Report 587
Conduct or Facilitate Security Audits 590
Internal Audits 591
External Audits 591
Third-Party Audits 592
Integrating Internal and External Audits 593
Auditing Principles 593
Audit Programs 594
Summary 596
Mandatory Access Control 530
Discretionary Access Control 531
Attribute-Based Access Control 531
Manage the Identity and Access Provisioning Lifecycle 533
User Access Review 534
System Account Access Review 535
Provisioning and Deprovisioning 535
Auditing and Enforcement 536
Summary 537
Domain 6: Security aSSeSSment anD teSting 539
Design and Validate Assessment, Test, and Audit Strategies 540
Assessment Standards 543
Conduct Security Control Testing 545
Vulnerability Assessment 546
Penetration Testing 554
Log Reviews 564
Synthetic Transactions 565
Code Review and Testing 567
Misuse Case Testing 571
Test Coverage Analysis 573
Interface Testing 574
Collect Security Process Data 575
Account Management 577
Management Review and Approval 579
Key Performance and Risk Indicators 580
Backup Verification Data 583
Training and Awareness 584
Disaster Recovery and Business Continuity 585
Analyze Test Output and Generate Report 587
Conduct or Facilitate Security Audits 590
Internal Audits 591
External Audits 591
Third-Party Audits 592
Integrating Internal and External Audits 593
Auditing Principles 593
Audit Programs 594
Summary 596
Loading page 22...
Contentsxxii
Domain 7: Security operationS 597
Understand and Support Investigations 598
Evidence Collection and Handling 599
Reporting and Documentation 601
Investigative Techniques 602
Digital Forensics Tools, Techniques, and Procedures 604
Understand Requirements for Investigation Types 610
Administrative 611
Criminal 613
Civil 614
Regulatory 616
Industry Standards 616
Conduct Logging and Monitoring Activities 617
Define Auditable Events 618
Time 619
Protect Logs 620
Intrusion Detection and Prevention 621
Security Information and Event Management 623
Continuous Monitoring 625
Ingress Monitoring 629
Egress Monitoring 631
Securely Provision Resources 632
Asset Inventory 632
Asset Management 634
Configuration Management 635
Understand and Apply Foundational Security Operations Concepts 637
Need to Know/Least Privilege 637
Separation of Duties and Responsibilities 638
Privileged Account Management 640
Job Rotation 642
Information Lifecycle 643
Service Level Agreements 644
Apply Resource Protection Techniques to Media 647
Marking 647
Protecting 647
Transport 648
Sanitization and Disposal 649
Domain 7: Security operationS 597
Understand and Support Investigations 598
Evidence Collection and Handling 599
Reporting and Documentation 601
Investigative Techniques 602
Digital Forensics Tools, Techniques, and Procedures 604
Understand Requirements for Investigation Types 610
Administrative 611
Criminal 613
Civil 614
Regulatory 616
Industry Standards 616
Conduct Logging and Monitoring Activities 617
Define Auditable Events 618
Time 619
Protect Logs 620
Intrusion Detection and Prevention 621
Security Information and Event Management 623
Continuous Monitoring 625
Ingress Monitoring 629
Egress Monitoring 631
Securely Provision Resources 632
Asset Inventory 632
Asset Management 634
Configuration Management 635
Understand and Apply Foundational Security Operations Concepts 637
Need to Know/Least Privilege 637
Separation of Duties and Responsibilities 638
Privileged Account Management 640
Job Rotation 642
Information Lifecycle 643
Service Level Agreements 644
Apply Resource Protection Techniques to Media 647
Marking 647
Protecting 647
Transport 648
Sanitization and Disposal 649
Loading page 23...
Contentsxxiii
Conduct Incident Management 650
An Incident Management Program 651
Detection 653
Response 656
Mitigation 657
Reporting 658
Recovery 661
Remediation 661
Lessons Learned 661
Third-Party Considerations 662
Operate and Maintain Detective and Preventative Measures 663
White-listing/Black-listing 665
Third-Party Security Services 665
Honeypots/Honeynets 667
Anti-Malware 667
Implement and Support Patch and Vulnerability Management 670
Understand and Participate in Change Management Processes 672
Implement Recovery Strategies 673
Backup Storage Strategies 673
Recovery Site Strategies 676
Multiple Processing Sites 678
System Resilience, High Availability, Quality of Service, and Fault Tolerance 679
Implement Disaster Recovery Processes 679
Response 680
Personnel 680
Communications 682
Assessment 682
Restoration 683
Training and Awareness 684
Test Disaster Recovery Plans 685
Read-Through/Tabletop 686
Walk-Through 687
Simulation 687
Parallel 687
Full Interruption 688
Participate in Business Continuity Planning and Exercises 688
Implement and Manage Physical Security 689
Physical Access Control 689
The Data Center 692
Conduct Incident Management 650
An Incident Management Program 651
Detection 653
Response 656
Mitigation 657
Reporting 658
Recovery 661
Remediation 661
Lessons Learned 661
Third-Party Considerations 662
Operate and Maintain Detective and Preventative Measures 663
White-listing/Black-listing 665
Third-Party Security Services 665
Honeypots/Honeynets 667
Anti-Malware 667
Implement and Support Patch and Vulnerability Management 670
Understand and Participate in Change Management Processes 672
Implement Recovery Strategies 673
Backup Storage Strategies 673
Recovery Site Strategies 676
Multiple Processing Sites 678
System Resilience, High Availability, Quality of Service, and Fault Tolerance 679
Implement Disaster Recovery Processes 679
Response 680
Personnel 680
Communications 682
Assessment 682
Restoration 683
Training and Awareness 684
Test Disaster Recovery Plans 685
Read-Through/Tabletop 686
Walk-Through 687
Simulation 687
Parallel 687
Full Interruption 688
Participate in Business Continuity Planning and Exercises 688
Implement and Manage Physical Security 689
Physical Access Control 689
The Data Center 692
Loading page 24...
Contentsxxiv
Address Personnel Safety and Security Concerns 693
Travel 693
Duress 693
Summary 694
Domain 8: Software Development Security 695
Understand and Integrate Security in the Software Development Lifecycle 696
Development Methodologies 696
Maturity Models 753
Operations and Maintenance 768
Change Management 770
Integrated Product Team 773
Identify and Apply Security Controls in Development Environments 776
Security of the Software Environment 777
Configuration Management as an Aspect of Secure Coding 796
Security of Code Repositories 798
Assess the Effectiveness of Software Security 802
Logging and Auditing of Changes 802
Risk Analysis and Mitigation 817
Assess the Security Impact of Acquired Software 835
Acquired Software Types 835
Software Acquisition Process 842
Relevant Standards 845
Software Assurance 848
Certification and Accreditation 852
Define and Apply Secure Coding Standards and Guidelines 853
Security Weaknesses and Vulnerabilities at the
Source-Code Level 854
Security of Application Programming Interfaces 859
Secure Coding Practices 868
Summary 874
Index 875
Address Personnel Safety and Security Concerns 693
Travel 693
Duress 693
Summary 694
Domain 8: Software Development Security 695
Understand and Integrate Security in the Software Development Lifecycle 696
Development Methodologies 696
Maturity Models 753
Operations and Maintenance 768
Change Management 770
Integrated Product Team 773
Identify and Apply Security Controls in Development Environments 776
Security of the Software Environment 777
Configuration Management as an Aspect of Secure Coding 796
Security of Code Repositories 798
Assess the Effectiveness of Software Security 802
Logging and Auditing of Changes 802
Risk Analysis and Mitigation 817
Assess the Security Impact of Acquired Software 835
Acquired Software Types 835
Software Acquisition Process 842
Relevant Standards 845
Software Assurance 848
Certification and Accreditation 852
Define and Apply Secure Coding Standards and Guidelines 853
Security Weaknesses and Vulnerabilities at the
Source-Code Level 854
Security of Application Programming Interfaces 859
Secure Coding Practices 868
Summary 874
Index 875
Loading page 25...
Foreword
Being recognized as a cissP is an important step in investing
in your information security career. Whether you are picking up this book
to supplement your preparation to sit for the exam or you are an existing
cissP using this as a desk reference, you’ve acknowledged that this certifi-
cation makes you recognized as one of the most respected and sought-after
cybersecurity leaders in the world. after all, that’s what the cissP sym-
bolizes. You and your peers are among the ranks of the most knowledge-
able practitioners in our community. The designation of cissP instantly
communicates to everyone within our industry that you are intellectually curious and traveling
along a path of lifelong learning and improvement. importantly, as a member of (isc)² you
have officially committed to ethical conduct commensurate to your position of trust as a cyber-
security professional.
The recognized leader in the field of information security education and certification,
(isc)2 promotes the development of information security professionals throughout the world.
as a cissP with all the benefits of (isc)2 membership, you are part of a global network of more
than 140,000 certified professionals who are working to inspire a safe and secure cyber world.
Being a cissP, though, is more than a credential; it is what you demonstrate daily in your
information security role. The value of your knowledge is the proven ability to effectively
design, implement, and manage a best-in-class cybersecurity program within your organization.
To that end, it is my great pleasure to present the Official (ISC)2 Guide to the CISSP (Certified
Information Systems Security Professional) CBK. drawing from a comprehensive, up-to-date
global body of knowledge, the CISSP CBK provides you with valuable insights on how to
implement every aspect of cybersecurity in your organization.
if you are an experienced cissP, you will find this edition of the CISSP CBK to be a
timely book to frequently reference for reminders on best practices. if you are still gaining the
experience and knowledge you need to join the ranks of cissPs, the CISSP CBK is a deep dive
that can be used to supplement your studies.
as the largest nonprofit membership body of certified information security professionals
worldwide, (isc)² recognizes the need to identify and validate not only information security
xxv
Being recognized as a cissP is an important step in investing
in your information security career. Whether you are picking up this book
to supplement your preparation to sit for the exam or you are an existing
cissP using this as a desk reference, you’ve acknowledged that this certifi-
cation makes you recognized as one of the most respected and sought-after
cybersecurity leaders in the world. after all, that’s what the cissP sym-
bolizes. You and your peers are among the ranks of the most knowledge-
able practitioners in our community. The designation of cissP instantly
communicates to everyone within our industry that you are intellectually curious and traveling
along a path of lifelong learning and improvement. importantly, as a member of (isc)² you
have officially committed to ethical conduct commensurate to your position of trust as a cyber-
security professional.
The recognized leader in the field of information security education and certification,
(isc)2 promotes the development of information security professionals throughout the world.
as a cissP with all the benefits of (isc)2 membership, you are part of a global network of more
than 140,000 certified professionals who are working to inspire a safe and secure cyber world.
Being a cissP, though, is more than a credential; it is what you demonstrate daily in your
information security role. The value of your knowledge is the proven ability to effectively
design, implement, and manage a best-in-class cybersecurity program within your organization.
To that end, it is my great pleasure to present the Official (ISC)2 Guide to the CISSP (Certified
Information Systems Security Professional) CBK. drawing from a comprehensive, up-to-date
global body of knowledge, the CISSP CBK provides you with valuable insights on how to
implement every aspect of cybersecurity in your organization.
if you are an experienced cissP, you will find this edition of the CISSP CBK to be a
timely book to frequently reference for reminders on best practices. if you are still gaining the
experience and knowledge you need to join the ranks of cissPs, the CISSP CBK is a deep dive
that can be used to supplement your studies.
as the largest nonprofit membership body of certified information security professionals
worldwide, (isc)² recognizes the need to identify and validate not only information security
xxv
Loading page 26...
Forewordxxvi
competency but also the ability to connect knowledge of several domains when building
high-functioning cybersecurity teams that demonstrate cyber resiliency. The cissP cre-
dential represents advanced knowledge and competency in security design, implementa-
tion, architecture, operations, controls, and more.
if you are leading or ready to lead your security team, reviewing the Official (ISC)2
Guide to the CISSP CBK will be a great way to refresh your knowledge of the many fac-
tors that go into securely implementing and managing cybersecurity systems that match
your organization’s iT strategy and governance requirements. The goal for cissP cre-
dential holders is to achieve the highest standard for cybersecurity expertise—managing
multiplatform iT infrastructures while keeping sensitive data secure. This becomes espe-
cially crucial in the era of digital transformation, where cybersecurity permeates virtually
every value stream imaginable. organizations that can demonstrate world-class cyberse-
curity capabilities and trusted transaction methods can enable customer loyalty and fuel
success.
The opportunity has never been greater for dedicated men and women to carve out a
meaningful career and make a difference in their organizations. The CISSP CBK will be
your constant companion in protecting and securing the critical data assets of your orga-
nization that will serve you for years to come.
regards,
david P. shearer, cissP
ceo, (isc)2
competency but also the ability to connect knowledge of several domains when building
high-functioning cybersecurity teams that demonstrate cyber resiliency. The cissP cre-
dential represents advanced knowledge and competency in security design, implementa-
tion, architecture, operations, controls, and more.
if you are leading or ready to lead your security team, reviewing the Official (ISC)2
Guide to the CISSP CBK will be a great way to refresh your knowledge of the many fac-
tors that go into securely implementing and managing cybersecurity systems that match
your organization’s iT strategy and governance requirements. The goal for cissP cre-
dential holders is to achieve the highest standard for cybersecurity expertise—managing
multiplatform iT infrastructures while keeping sensitive data secure. This becomes espe-
cially crucial in the era of digital transformation, where cybersecurity permeates virtually
every value stream imaginable. organizations that can demonstrate world-class cyberse-
curity capabilities and trusted transaction methods can enable customer loyalty and fuel
success.
The opportunity has never been greater for dedicated men and women to carve out a
meaningful career and make a difference in their organizations. The CISSP CBK will be
your constant companion in protecting and securing the critical data assets of your orga-
nization that will serve you for years to come.
regards,
david P. shearer, cissP
ceo, (isc)2
Loading page 27...
Introduction
The cerTified inforMaTion sYsTeMs security Professional (cissP) sig-
nifies that an individual has a cross-disciplinary expertise across the broad spectrum of
information security and that he or she understands the context of it within a business
environment. There are two main requirements that must be met in order to achieve
the status of cissP. one must take and pass the certification exam, while also proving a
minimum of five years of direct full-time security work experience in two or more of the
domains of the (isc)² cissP cBK. The field of information security is wide, and there
are many potential paths along one’s journey through this constantly and rapidly chang-
ing profession.
a firm comprehension of the domains within the cissP cBK and an understand-
ing of how they connect back to the business and its people are important components
in meeting the requirements of the cissP credential. every reader will connect these
domains to their own background and perspective. These connections will vary based
on industry, regulatory environment, geography, culture, and unique business operating
environment. With that sentiment in mind, this book’s purpose is not to address all of
these issues or prescribe a set path in these areas. instead, the aim is to provide an official
guide to the cissP cBK and allow you, as a security professional, to connect your own
knowledge, experience, and understanding to the cissP domains and translate the cBK
into value for your organization and the users you protect.
SecurIty and rISk ManageMent
The security and risk Management domain entails many of the foundational security
concepts and principles of information security. This domain covers a broad set of topics
and demonstrates how to generally apply the concepts of confidentiality, integrity and
availability across a security program. This domain also includes understanding compli-
ance requirements, governance, building security policies and procedures, business con-
tinuity planning, risk management, security education, and training and awareness, and
xxvii
The cerTified inforMaTion sYsTeMs security Professional (cissP) sig-
nifies that an individual has a cross-disciplinary expertise across the broad spectrum of
information security and that he or she understands the context of it within a business
environment. There are two main requirements that must be met in order to achieve
the status of cissP. one must take and pass the certification exam, while also proving a
minimum of five years of direct full-time security work experience in two or more of the
domains of the (isc)² cissP cBK. The field of information security is wide, and there
are many potential paths along one’s journey through this constantly and rapidly chang-
ing profession.
a firm comprehension of the domains within the cissP cBK and an understand-
ing of how they connect back to the business and its people are important components
in meeting the requirements of the cissP credential. every reader will connect these
domains to their own background and perspective. These connections will vary based
on industry, regulatory environment, geography, culture, and unique business operating
environment. With that sentiment in mind, this book’s purpose is not to address all of
these issues or prescribe a set path in these areas. instead, the aim is to provide an official
guide to the cissP cBK and allow you, as a security professional, to connect your own
knowledge, experience, and understanding to the cissP domains and translate the cBK
into value for your organization and the users you protect.
SecurIty and rISk ManageMent
The security and risk Management domain entails many of the foundational security
concepts and principles of information security. This domain covers a broad set of topics
and demonstrates how to generally apply the concepts of confidentiality, integrity and
availability across a security program. This domain also includes understanding compli-
ance requirements, governance, building security policies and procedures, business con-
tinuity planning, risk management, security education, and training and awareness, and
xxvii
Loading page 28...
Introductionxxviii
most importantly it lays out the ethnical canons and professional conduct to be demon-
strated by (isc)2 members.
The information security professional will be involved in all facets of security and risk
management as part of the functions they perform across the enterprise. These functions
may include developing and enforcing policy, championing governance and risk man-
agement, and ensuring the continuity of operations across an organization in the event of
unforeseen circumstances. To that end, the information security professional must safe-
guard the organization’s people and data.
aSSet SecurIty
The asset security domain covers the safeguarding of information and information assets
across their lifecycle to include the proper collection, classification, handling, selection,
and application of controls. important concepts within this domain are data ownership,
privacy, data security controls, and cryptography. asset security is used to identify controls
for information and the technology that supports the exchange of that information to
include systems, media, transmission, and privilege.
The information security professional is expected to have a solid understanding of
what must be protected, what access should be restricted, the control mechanisms avail-
able, how those mechanisms may be abused, and the appropriateness of those controls,
and they should be able to apply the principles of confidentiality, integrity, availability,
and privacy against those assets.
SecurIty archItecture and engIneerIng
The security architecture and engineering domain covers the process of designing and
building secure and resilient information systems and associated architecture so that the
information systems can perform their function while minimizing the threats that can be
caused by malicious actors, human error, natural disasters, or system failures. security
must be considered in the design, in the implementation, and during the continuous
delivery of an information system through its lifecycle. it is paramount to understand
secure design principles and to be able to apply security models to a wide variety of dis-
tributed and disparate systems and to protect the facilities that house these systems.
an information security professional is expected to develop designs that demonstrate how
controls are positioned and how they function within a system. The security controls must tie
back to the overall system architecture and demonstrate how, through security engineering,
those systems maintain the attributes of confidentiality, integrity, and availability.
most importantly it lays out the ethnical canons and professional conduct to be demon-
strated by (isc)2 members.
The information security professional will be involved in all facets of security and risk
management as part of the functions they perform across the enterprise. These functions
may include developing and enforcing policy, championing governance and risk man-
agement, and ensuring the continuity of operations across an organization in the event of
unforeseen circumstances. To that end, the information security professional must safe-
guard the organization’s people and data.
aSSet SecurIty
The asset security domain covers the safeguarding of information and information assets
across their lifecycle to include the proper collection, classification, handling, selection,
and application of controls. important concepts within this domain are data ownership,
privacy, data security controls, and cryptography. asset security is used to identify controls
for information and the technology that supports the exchange of that information to
include systems, media, transmission, and privilege.
The information security professional is expected to have a solid understanding of
what must be protected, what access should be restricted, the control mechanisms avail-
able, how those mechanisms may be abused, and the appropriateness of those controls,
and they should be able to apply the principles of confidentiality, integrity, availability,
and privacy against those assets.
SecurIty archItecture and engIneerIng
The security architecture and engineering domain covers the process of designing and
building secure and resilient information systems and associated architecture so that the
information systems can perform their function while minimizing the threats that can be
caused by malicious actors, human error, natural disasters, or system failures. security
must be considered in the design, in the implementation, and during the continuous
delivery of an information system through its lifecycle. it is paramount to understand
secure design principles and to be able to apply security models to a wide variety of dis-
tributed and disparate systems and to protect the facilities that house these systems.
an information security professional is expected to develop designs that demonstrate how
controls are positioned and how they function within a system. The security controls must tie
back to the overall system architecture and demonstrate how, through security engineering,
those systems maintain the attributes of confidentiality, integrity, and availability.
Loading page 29...
Introduction xxix
coMMunIcatIon and network SecurIty
The communication and network security domain covers secure design principles as they
relate to network architectures. The domain provides a thorough understanding of com-
ponents of a secure network, secure design, and models for secure network operation. The
domain covers aspects of a layered defense, secure network technologies, and management
techniques to prevent threats across a number of network types and converged networks.
it is necessary for an information security professional to have a thorough understand-
ing of networks and the way in which organizations communicate. The connected world
in which security professionals operate requires that organizations be able to access infor-
mation and execute transactions in real time with an assurance of security. it is therefore
important that an information security professional be able to identify threats and risks
and then implement mitigation techniques and strategies to protect these communication
channels.
IdentIty and acceSS ManageMent (IaM)
The identity and access Management (iaM) domain covers the mechanisms by which
an information system permits or revokes the right to access information or perform an
action against an information system. iaM is the mechanism by which organizations
manage digital identities. iaM also includes the organizational policies and processes for
managing digital identities as well as the underlying technologies and protocols needed
to support identity management.
information security professionals and users alike interact with components of iaM
every day. This includes business services logon authentication, file and print systems,
and nearly any information system that retrieves and manipulates data. This can mean
users or a web service that exposes data for user consumption. iaM plays a critical and
indispensable part in these transactions and in determining whether a user’s request is
validated or disqualified from access.
SecurIty aSSeSSMent and teStIng
The security assessment and Testing domain covers the tenets of how to perform and
manage the activities involved in security assessment and testing, which includes provid-
ing a check and balance to regularly verify that security controls are performing optimally
and efficiently to protect information assets. The domain describes the array of tools and
methodologies for performing various activities such as vulnerability assessments, pene-
tration tests, and software tests.
coMMunIcatIon and network SecurIty
The communication and network security domain covers secure design principles as they
relate to network architectures. The domain provides a thorough understanding of com-
ponents of a secure network, secure design, and models for secure network operation. The
domain covers aspects of a layered defense, secure network technologies, and management
techniques to prevent threats across a number of network types and converged networks.
it is necessary for an information security professional to have a thorough understand-
ing of networks and the way in which organizations communicate. The connected world
in which security professionals operate requires that organizations be able to access infor-
mation and execute transactions in real time with an assurance of security. it is therefore
important that an information security professional be able to identify threats and risks
and then implement mitigation techniques and strategies to protect these communication
channels.
IdentIty and acceSS ManageMent (IaM)
The identity and access Management (iaM) domain covers the mechanisms by which
an information system permits or revokes the right to access information or perform an
action against an information system. iaM is the mechanism by which organizations
manage digital identities. iaM also includes the organizational policies and processes for
managing digital identities as well as the underlying technologies and protocols needed
to support identity management.
information security professionals and users alike interact with components of iaM
every day. This includes business services logon authentication, file and print systems,
and nearly any information system that retrieves and manipulates data. This can mean
users or a web service that exposes data for user consumption. iaM plays a critical and
indispensable part in these transactions and in determining whether a user’s request is
validated or disqualified from access.
SecurIty aSSeSSMent and teStIng
The security assessment and Testing domain covers the tenets of how to perform and
manage the activities involved in security assessment and testing, which includes provid-
ing a check and balance to regularly verify that security controls are performing optimally
and efficiently to protect information assets. The domain describes the array of tools and
methodologies for performing various activities such as vulnerability assessments, pene-
tration tests, and software tests.
Loading page 30...
Introductionxxx
The information security professional plays a critical role in ensuring that security
controls remain effective over time. changes to the business environment, technical
environment, and new threats will alter the effectiveness of controls. it is important that
the security professional be able to adapt controls in order to protect the confidentiality,
integrity, and availability of information assets.
SecurIty operatIonS
The security operations domain includes a wide range of concepts, principles, best
practices, and responsibilities that are core to effectively running security operations in
any organization. This domain explains how to protect and control information pro-
cessing assets in centralized and distributed environments and how to execute the daily
tasks required to keep security services operating reliably and efficiently. These activities
include performing and supporting investigations, monitoring security, performing inci-
dent response, implementing disaster recovery strategies, and managing physical security
and personnel safety.
in the day-to-day operations of the organization, sustaining expected levels of con-
fidentiality, availability, and integrity of information and business services is where the
information security professional affects operational resiliency. The day-to-day securing,
responding, monitoring, and maintenance of resources demonstrates how the informa-
tion security professional is able to protect information assets and provide value to the
organization.
SoFtware developMent SecurIty
The software development security domain refers to the controls around software, its
development lifecycle, and the vulnerabilities inherent in systems and applications.
applications and data are the foundation of an information system. an understanding of
this process is essential to the development and maintenance required to ensure depend-
able and secure software. This domain also covers the development of secure coding
guidelines and standards, as well as the impacts of acquired software.
software underpins of every system that the information security professional and
users in every business interact with on a daily basis. Being able to provide leadership
and direction to the development process, audit mechanisms, database controls, and web
application threats are all elements that the information security professional will put in
place as part of the software development security domain.
The information security professional plays a critical role in ensuring that security
controls remain effective over time. changes to the business environment, technical
environment, and new threats will alter the effectiveness of controls. it is important that
the security professional be able to adapt controls in order to protect the confidentiality,
integrity, and availability of information assets.
SecurIty operatIonS
The security operations domain includes a wide range of concepts, principles, best
practices, and responsibilities that are core to effectively running security operations in
any organization. This domain explains how to protect and control information pro-
cessing assets in centralized and distributed environments and how to execute the daily
tasks required to keep security services operating reliably and efficiently. These activities
include performing and supporting investigations, monitoring security, performing inci-
dent response, implementing disaster recovery strategies, and managing physical security
and personnel safety.
in the day-to-day operations of the organization, sustaining expected levels of con-
fidentiality, availability, and integrity of information and business services is where the
information security professional affects operational resiliency. The day-to-day securing,
responding, monitoring, and maintenance of resources demonstrates how the informa-
tion security professional is able to protect information assets and provide value to the
organization.
SoFtware developMent SecurIty
The software development security domain refers to the controls around software, its
development lifecycle, and the vulnerabilities inherent in systems and applications.
applications and data are the foundation of an information system. an understanding of
this process is essential to the development and maintenance required to ensure depend-
able and secure software. This domain also covers the development of secure coding
guidelines and standards, as well as the impacts of acquired software.
software underpins of every system that the information security professional and
users in every business interact with on a daily basis. Being able to provide leadership
and direction to the development process, audit mechanisms, database controls, and web
application threats are all elements that the information security professional will put in
place as part of the software development security domain.
Loading page 31...
28 more pages available. Scroll down to load them.
Preview Mode
Sign in to access the full document!
100%
Study Now!
XY-Copilot AI
Unlimited Access
Secure Payment
Instant Access
24/7 Support
AI Assistant
Document Details
Subject
Certified Information Systems Security Professional