The Official ISC2 CISSP CBK Reference (2021)
CISSP: Certified Information Systems Security Professional
The Official (ISC)2® CISSP® CBK® Reference
Sixth Edition
ARTHUR DEANE
AARON KRAUS
Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
ISBN: 978-1-119-78999-4
ISBN: 978-1-119-79001-3 (ebk.)
ISBN: 978-1-119-79000-6 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108
of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization
through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive,
Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher
for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street,
Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this
book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this
book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty
may be created or extended by sales representatives or written sales materials. The advice and strategies contained
herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the
publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to
special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care
Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available
in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Control Number: 2021942306
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission.
(ISC)2, CISSP, and CBK are registered certification marks or trademarks of (ISC)2, Inc. All other trademarks are
the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned
in this book.
Cover Design: Wiley and (ISC)2
Lead Authors
ARTHUR DEANE, CISSP, CCSP, is a senior director at Capital
One Financial, where he leads information security activities in the
Card division. Prior to Capital One, Arthur held security leadership
roles at Google, Amazon, and PwC, in addition to several security engineering
and consulting roles with the U.S. federal government.
Arthur is an adjunct professor at American University and a member
of the Computer Science Advisory Board at Howard University. He
holds a bachelor’s degree in electrical engineering from Rochester Institute of Technology
(RIT) and a master’s degree in information security from the University of Maryland. Arthur is
also the author of CCSP for Dummies.
AARON KRAUS, CISSP, CCSP, is an information security
professional with more than 15 years of experience in security risk
management, auditing, and teaching cybersecurity topics. He has
worked in security and compliance leadership roles across industries
including U.S. federal government civilian agencies, financial services,
insurance, and technology startups.
Aaron is a course author, instructor, and cybersecurity curriculum
dean at Learning Tree International, and he most recently taught the Official (ISC)2 CISSP
CBK Review Seminar. He is a co-author of The Official (ISC)2 Guide to the CCSP CBK, 3rd
Edition, and served as technical editor for numerous Wiley publications including (ISC)2
CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition; CCSP Official
(ISC)2 Practice Tests; The Official (ISC)2 Guide to the CISSP CBK Reference, 5th Edition;
and (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests,
2nd Edition.
Technical Reviewer
MICHAEL S. WILLS, CAMS, CISSP, SSCP, is assistant professor
of applied and innovative information technologies at the College of
Business at Embry-Riddle Aeronautical University – Worldwide, where
he continues his graduate and undergraduate teaching and research in
cybersecurity and information assurance.
Mike has also been an advisor on science and technology policy to
the UK’s Joint Intelligence Committee, Ministry of Justice, and Defense
Science and Technology Laboratories, helping them to evolve an operational and policy consensus
relating topics from cryptography and virtual worlds, through the burgeoning surveillance
society, to the proliferation of weapons of mass disruption (not just “destruction”) and
their effects on global, regional, national, and personal security. For a time, this had him sometimes
known as the UK’s nonresident expert on outer space law.
Mike has been supporting the work of (ISC)2 by writing, editing, and updating books, study
guides, and course materials for both their SSCP and CISSP programs. He wrote the SSCP Official
Study Guide, 2nd Edition (Sybex, 2019), followed quickly by the SSCP Official Common
Book of Knowledge, 5th Edition. He was lead author for the 2021 update of (ISC)2’s official CISSP
and SSCP training materials. Mike has also contributed to several industry roundtables and white
papers on digital identity and cyber fraud detection and prevention and has been a panelist and
webinar presenter on these and related topics for ACAMS.
Contents at a Glance
Foreword xix
Introduction xxi
DOMAIN 1: SECURITY AND RISK MANAGEMENT 1
DOMAIN 2: ASSET SECURITY 97
DOMAIN 3: SECURITY ARCHITECTURE AND ENGINEERING 147
DOMAIN 4: COMMUNICATION AND NETWORK SECURITY 283
DOMAIN 5: IDENTITY AND ACCESS MANAGEMENT 377
DOMAIN 6: SECURITY ASSESSMENT AND TESTING 419
DOMAIN 7: SECURITY OPERATIONS 463
DOMAIN 8: SOFTWARE DEVELOPMENT SECURITY 549
Index 625
Contents
Foreword xix
Introduction xxi
DOMAIN 1: SECURITY AND RISK MANAGEMENT 1
Understand, Adhere to, and Promote Professional Ethics 2
(ISC)2 Code of Professional Ethics 2
Organizational Code of Ethics 3
Understand and Apply Security Concepts 4
Confidentiality 4
Integrity 5
Availability 6
Limitations of the CIA Triad 7
Evaluate and Apply Security Governance Principles 8
Alignment of the Security Function to Business Strategy, Goals,
Mission, and Objectives 9
Organizational Processes 10
Organizational Roles and Responsibilities 14
Security Control Frameworks 15
Due Care and Due Diligence 22
Determine Compliance and Other Requirements 23
Legislative and Regulatory Requirements 23
Industry Standards and Other Compliance Requirements 25
Privacy Requirements 27
Understand Legal and Regulatory Issues That Pertain to Information Security in a
Holistic Context 28
Cybercrimes and Data Breaches 28
Licensing and Intellectual Property Requirements 36
Import/Export Controls 39
Transborder Data Flow 40
Privacy 41
Understand Requirements for Investigation Types 48
Administrative 49
Criminal 50
Civil 52
Regulatory 53
Industry Standards 54
Develop, Document, and Implement Security Policy, Standards, Procedures,
and Guidelines 55
Policies 55
Standards 56
Procedures 57
Guidelines 57
Identify, Analyze, and Prioritize Business Continuity Requirements 58
Business Impact Analysis 59
Develop and Document the Scope and the Plan 61
Contribute to and Enforce Personnel Security Policies and Procedures 63
Candidate Screening and Hiring 63
Employment Agreements and Policies 64
Onboarding, Transfers, and Termination Processes 65
Vendor, Consultant, and Contractor Agreements and Controls 67
Compliance Policy Requirements 67
Privacy Policy Requirements 68
Understand and Apply Risk Management Concepts 68
Identify Threats and Vulnerabilities 68
Risk Assessment 70
Risk Response/Treatment 72
Countermeasure Selection and Implementation 73
Applicable Types of Controls 75
Control Assessments 76
Monitoring and Measurement 77
Reporting 77
Continuous Improvement 78
Risk Frameworks 78
Understand and Apply Threat Modeling Concepts and Methodologies 83
Threat Modeling Concepts 84
Threat Modeling Methodologies 85
Apply Supply Chain Risk Management Concepts 88
Risks Associated with Hardware, Software, and Services 88
Third-Party Assessment and Monitoring 89
Minimum Security Requirements 90
Service-Level Requirements 90
Frameworks 91
Establish and Maintain a Security Awareness, Education, and Training Program 92
Methods and Techniques to Present Awareness and Training 93
Periodic Content Reviews 94
Program Effectiveness Evaluation 94
Summary 95
DOMAIN 2: ASSET SECURITY 97
Identify and Classify Information and Assets 97
Data Classification and Data Categorization 99
Asset Classification 101
Establish Information and Asset Handling Requirements 104
Marking and Labeling 104
Handling 105
Storage 105
Declassification 106
Provision Resources Securely 108
Information and Asset Ownership 108
Asset Inventory 109
Asset Management 112
Manage Data Lifecycle 115
Data Roles 116
Data Collection 120
Data Location 120
Data Maintenance 121
Data Retention 122
Data Destruction 123
Data Remanence 123
Ensure Appropriate Asset Retention 127
Determining Appropriate Records Retention 129
Records Retention Best Practices 130
Determine Data Security Controls and Compliance Requirements 131
Data States 133
Scoping and Tailoring 135
Standards Selection 137
Data Protection Methods 141
Summary 144
DOMAIN 3: SECURITY ARCHITECTURE AND ENGINEERING 147
Research, Implement, and Manage Engineering Processes Using Secure
Design Principles 149
ISO/IEC 19249 150
Threat Modeling 157
Secure Defaults 160
Fail Securely 161
Separation of Duties 161
Keep It Simple 162
Trust, but Verify 162
Zero Trust 163
Privacy by Design 165
Shared Responsibility 166
Defense in Depth 167
Understand the Fundamental Concepts of Security Models 168
Primer on Common Model Components 168
Information Flow Model 169
Noninterference Model 169
Bell–LaPadula Model 170
Biba Integrity Model 172
Clark–Wilson Model 173
Brewer–Nash Model 173
Take-Grant Model 175
Select Controls Based Upon Systems Security Requirements 175
Understand Security Capabilities of Information Systems 179
Memory Protection 180
Secure Cryptoprocessor 182
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and
Solution Elements 187
Client-Based Systems 187
Server-Based Systems 189
Database Systems 191
Cryptographic Systems 194
Industrial Control Systems 200
Cloud-Based Systems 203
Distributed Systems 207
Internet of Things 208
Microservices 212
Containerization 214
Serverless 215
Embedded Systems 216
High-Performance Computing Systems 219
Edge Computing Systems 220
Virtualized Systems 221
Select and Determine Cryptographic Solutions 224
Cryptography Basics 225
Cryptographic Lifecycle 226
Cryptographic Methods 229
Public Key Infrastructure 243
Key Management Practices 246
Digital Signatures and Digital Certificates 250
Nonrepudiation 252
Integrity 253
Understand Methods of Cryptanalytic Attacks 257
Brute Force 258
Ciphertext Only 260
Known Plaintext 260
Chosen Plaintext Attack 260
Frequency Analysis 261
Chosen Ciphertext 261
Implementation Attacks 261
Side-Channel Attacks 261
Fault Injection 263
Timing Attacks 263
Man-in-the-Middle 263
Pass the Hash 263
Kerberos Exploitation 264
Ransomware 264
Apply Security Principles to Site and Facility Design 265
Design Site and Facility Security Controls 265
Wiring Closets/Intermediate Distribution Facilities 266
Server Rooms/Data Centers 267
Media Storage Facilities 268
Evidence Storage 269
Restricted and Work Area Security 270
Utilities and Heating, Ventilation, and Air Conditioning 272
Environmental Issues 275
Fire Prevention, Detection, and Suppression 277
Summary 281
DOMAIN 4: COMMUNICATION AND NETWORK SECURITY 283
Assess and Implement Secure Design Principles in Network Architectures 283
Open System Interconnection and Transmission Control
Protocol/Internet Protocol Models 285
The OSI Reference Model 286
The TCP/IP Reference Model 299
Internet Protocol Networking 302
Secure Protocols 311
Implications of Multilayer Protocols 313
Converged Protocols 315
Microsegmentation 316
Wireless Networks 319
Cellular Networks 333
Content Distribution Networks 334
Secure Network Components 335
Operation of Hardware 335
Repeaters, Concentrators, and Amplifiers 341
Hubs 341
Bridges 342
Switches 342
Routers 343
Gateways 343
Proxies 343
Transmission Media 345
Network Access Control 352
Endpoint Security 354
Mobile Devices 355
Implement Secure Communication Channels According to Design 357
Voice 357
Multimedia Collaboration 359
Remote Access 365
Data Communications 371
Virtualized Networks 373
Third-Party Connectivity 374
Summary 374
DOMAIN 5: IDENTITY AND ACCESS MANAGEMENT 377
Control Physical and Logical Access to Assets 378
Access Control Definitions 378
Information 379
Systems 380
Devices 381
Facilities 383
Applications 386
Manage Identification and Authentication of People, Devices, and Services 387
Identity Management Implementation 388
Single/Multifactor Authentication 389
Accountability 396
Session Management 396
Registration, Proofing, and Establishment of Identity 397
Federated Identity Management 399
Credential Management Systems 399
Single Sign-On 400
Just-In-Time 401
Federated Identity with a Third-Party Service 401
On Premises 402
Cloud 403
Hybrid 403
Implement and Manage Authorization Mechanisms 404
Role-Based Access Control 405
Rule-Based Access Control 405
Mandatory Access Control 406
Discretionary Access Control 406
Attribute-Based Access Control 407
Risk-Based Access Control 408
Manage the Identity and Access Provisioning Lifecycle 408
Account Access Review 409
Account Usage Review 411
Provisioning and Deprovisioning 411
Role Definition 412
Privilege Escalation 413
Implement Authentication Systems 414
OpenID Connect/Open Authorization 414
Security Assertion Markup Language 415
Kerberos 416
Remote Authentication Dial-In User Service/Terminal Access Controller Access
Control System Plus 417
Summary 418
DOMAIN 6: SECURITY ASSESSMENT AND TESTING 419
Design and Validate Assessment, Test, and Audit Strategies 420
Internal 421
External 422
Third-Party 423
Conduct Security Control Testing 423
Vulnerability Assessment 423
Penetration Testing 428
Log Reviews 435
Synthetic Transactions 435
Code Review and Testing 436
Misuse Case Testing 437
Test Coverage Analysis 438
Interface Testing 439
Breach Attack Simulations 440
Compliance Checks 441
Collect Security Process Data 442
Technical Controls and Processes 443
Administrative Controls 443
Account Management 444
Management Review and Approval 445
Management Reviews for Compliance 446
Key Performance and Risk Indicators 447
Backup Verification Data 450
Training and Awareness 450
Disaster Recovery and Business Continuity 451
Analyze Test Output and Generate Report 452
Typical Audit Report Contents 453
Remediation 454
Exception Handling 455
Ethical Disclosure 456
Conduct or Facilitate Security Audits 458
Designing an Audit Program 458
Internal Audits 459
External Audits 460
Third-Party Audits 460
Summary 461
DOMAIN 7: SECURITY OPERATIONS 463
Understand and Comply with Investigations 464
Evidence Collection and Handling 465
Reporting and Documentation 467
Investigative Techniques 469
Digital Forensics Tools, Tactics, and Procedures 470
Artifacts 475
Conduct Logging and Monitoring Activities 478
Intrusion Detection and Prevention 478
Security Information and Event Management 480
Continuous Monitoring 481
Egress Monitoring 483
Log Management 484
Threat Intelligence 486
User and Entity Behavior Analytics 488
Perform Configuration Management 489
Provisioning 490
Asset Inventory 492
Baselining 492
Automation 493
Apply Foundational Security Operations Concepts 494
Need-to-Know/Least Privilege 494
Separation of Duties and Responsibilities 495
Privileged Account Management 496
Job Rotation 498
Service-Level Agreements 498
Apply Resource Protection 499
Media Management 500
Media Protection Techniques 501
Conduct Incident Management 502
Incident Management Plan 503
Detection 505
Response 506
Mitigation 507
Reporting 508
Recovery 510
Remediation 510
Lessons Learned 511
Operate and Maintain Detective and Preventative Measures 511
Firewalls 512
Intrusion Detection Systems and Intrusion Prevention Systems 514
Whitelisting/Blacklisting 515
Third-Party-Provided Security Services 515
Sandboxing 517
Honeypots/Honeynets 517
Anti-malware 518
Machine Learning and Artificial Intelligence Based Tools 518
Implement and Support Patch and Vulnerability Management 519
Patch Management 519
Vulnerability Management 521
Understand and Participate in Change Management Processes 522
Implement Recovery Strategies 523
Backup Storage Strategies 524
Recovery Site Strategies 527
Multiple Processing Sites 527
System Resilience, High Availability, Quality of Service, and Fault Tolerance 528
Implement Disaster Recovery Processes 529
Response 529
Personnel 530
Communications 531
Assessment 532
Restoration 533
Training and Awareness 534
Lessons Learned 534
Test Disaster Recovery Plans 535
Read-through/Tabletop 536
Walkthrough 536
Simulation 537
Parallel 537
Full Interruption 537
Participate in Business Continuity Planning and Exercises 538
Implement and Manage Physical Security 539
Perimeter Security Controls 541
Internal Security Controls 543
Address Personnel Safety and Security Concerns 545
Travel 545
Security Training and Awareness 546
Emergency Management 546
Duress 547
Summary 548
DOMAIN 8: SOFTWARE DEVELOPMENT SECURITY 549
Understand and Integrate Security in the Software Development Life Cycle (SDLC) 550
Development Methodologies 551
Maturity Models 561
Operation and Maintenance 567
Change Management 568
Integrated Product Team 571
Identify and Apply Security Controls in Software Development Ecosystems 572
Programming Languages 572
Libraries 577
Toolsets 578
Integrated Development Environment 579
Runtime 580
Continuous Integration and Continuous Delivery 581
Security Orchestration, Automation, and Response 583
Software Configuration Management 585
Code Repositories 586
Application Security Testing 588
Assess the Effectiveness of Software Security 590
Auditing and Logging of Changes 590
Risk Analysis and Mitigation 595
Assess Security Impact of Acquired Software 599
Commercial Off-the-Shelf 599
Open Source 601
Third-Party 602
Managed Services (SaaS, IaaS, PaaS) 602
Define and Apply Secure Coding Guidelines and Standards 604
Security Weaknesses and Vulnerabilities at the Source-Code Level 605
Security of Application Programming Interfaces 613
API Security Best Practices 613
Secure Coding Practices 618
Software-Defined Security 621
Summary 624
Index 625
Foreword
Earning the globally recognized CISSP® security certification is a proven way to build your career and demonstrate deep knowledge of cybersecurity concepts across a broad range of domains. Whether you are picking up this book to supplement your preparation to sit for the exam or are an existing CISSP using it as a desk reference, you’ll find The Official (ISC)2® CISSP® CBK® Reference to be the perfect primer on the security concepts covered in the eight domains of the CISSP CBK.
The CISSP is the most globally recognized certification in the information security market. It immediately signifies that the holder has the advanced cybersecurity skills and knowledge to design, engineer, implement, and manage information security programs and teams that protect against increasingly sophisticated attacks. It also conveys an adherence to best practices, policies, and procedures established by (ISC)2 cybersecurity experts.
The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As a CISSP with all the benefits of (ISC)2 membership, you are part of a global network of more than 161,000 certified professionals who are working to inspire a safe and secure cyber world.
Drawing from a comprehensive, up-to-date global body of knowledge, the CISSP CBK provides you with valuable insights on the skills, techniques, and best practices a security professional should be familiar with, including how different elements of the information technology ecosystem interact.
If you are an experienced CISSP, you will find this edition of the CISSP CBK an indispensable reference. If you are still gaining the experience and knowledge you need to join the ranks of CISSPs, the CISSP CBK is a deep dive that can be used to supplement your studies.
As the largest nonprofit membership body of certified information security professionals worldwide, (ISC)2 recognizes the need to identify and validate not only information security competency, but also the ability to build, manage, and lead a security organization. Written by a team of subject matter experts, this comprehensive compendium covers all CISSP objectives
and subobjectives in a structured format with common practices for each objective, a common lexicon and references to widely accepted computing standards and case studies.
The opportunity has never been greater for dedicated professionals to advance their careers and inspire a safe and secure cyber world. The CISSP CBK will be your constant companion in protecting your organization and will serve you for years to come.
Sincerely,
Clar Rosso
CEO, (ISC)2
Introduction
The Certified Information Systems Security Professional (CISSP) certification identifies a professional who has demonstrated skills, knowledge, and abilities across a wide array of security practices and principles. The exam covers eight domains of practice, which are codified in the CISSP Common Body of Knowledge (CBK). The CBK presents topics that a CISSP can use in their daily role to identify and manage security risks to data and information systems and is built on a foundation comprising fundamental security concepts of confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA), as well as privacy and security (CIANA+PS). A variety of controls can be implemented for both data and systems, with the goal of either safeguarding or mitigating security risks to each of these foundational principles.
Global professionals take many paths into information security, and each candidate’s experience must be combined with variations in practice and perspective across industries and regions due to the global reach of the certification. For most security practitioners, achieving CISSP requires study and learning new disciplines, and professionals are unlikely to work across all eight domains on a daily basis. The CISSP CBK is a baseline standard of security knowledge to help security practitioners deal with new and evolving risks, and this guide provides easy reference to aid practitioners in applying security topics and principles. This baseline must be connected with the reader’s own experience and the unique operating environment of the reader’s organization to be effective. The rapid pace of change in security also demands that practitioners continuously maintain their knowledge, so CISSP credential holders are also expected to maintain their knowledge via continuing education. Reference materials like this guide, along with other content sources such as industry conferences, webinars, and research, are vital to maintaining this knowledge.
The domains presented in the CBK are progressive, starting with a foundation of basic security and risk management concepts in Chapter 1, “Security and Risk Management,” as well as fundamental topics of identifying, valuing, and applying proper risk mitigations for asset security in Chapter 2, “Asset Security.” Applying security to complex technology environments can be achieved by applying architecture and engineering concepts, which are presented in Chapter 3, “Security Architecture and Engineering.”
Chapter 4, “Communication and Network Security,” details both the critical risks to, as well as the critical defensive role played by, communications networks, and Chapter 5, “Identity and Access Management,” covers the crucial practices of identifying users (both human and nonhuman) and controlling their access to systems, data, and other resources. Once a security program is designed, it is vital to gather information about and assess its effectiveness, which is covered in Chapter 6, “Security Assessment and Testing,” and to keep the entire affair running — also known as security operations or SecOps, which is covered in Chapter 7, “Security Operations.” Finally, the vital role played by software is addressed in Chapter 8, “Software Development Security,” which covers both principles of securely developing software as well as risks and threats to software and development environments. The following presents overviews for each of these chapters in a little more detail.
Security and Risk Management
The foundation of the CISSP CBK is the assessment and management of risk to data and the information systems that process it. The Security and Risk Management domain introduces the foundational CIANA+PS concepts needed to build a risk management program. Using these concepts, a security practitioner can build a program for governance, risk, and compliance (GRC), which allows the organization to design a system of governance needed to implement security controls. These controls should address the risks faced by the organization as well as any necessary legal and regulatory compliance obligations.
Risk management principles must be applied throughout an organization’s operations, so topics of business continuity (BC), personnel security, and supply chain risk management are also introduced in this domain. Ensuring that operations can continue in the event of a disruption supports the goal of availability, while properly designed personnel security controls require training programs and well-documented policies and other security guidance.
One critical concept is presented in this domain: the (ISC)2 code of professional ethics. All CISSP candidates must agree to be bound by the code as part of the certification process, and credential holders face penalties up to and including loss of their credentials for violating the code. Regardless of what area of security a practitioner is working in, the need to preserve the integrity of the profession by adhering to a code of ethics is critical to fostering trust in the security profession.
Asset Security
Assets are anything that an organization uses to generate value, including ideas, processes, information, and computing hardware. Classifying and categorizing assets allows organizations to prioritize limited security resources to achieve a proper balance
of costs and benefits, and this domain introduces important concepts of asset valuation, classification and categorization, and asset handling to apply appropriate protection based on an asset’s value. The value of an asset dictates the level of protection it requires, which is often expressed as a security baseline or compliance obligation that the asset owner must meet.
CISSP credential holders will spend a large amount of their time focused on data and information security concerns. The data lifecycle is introduced in this domain to provide distinct phases for determining data security requirements. Protection begins by defining roles and processes for handling data, and once the data is created, these processes must be followed. This includes managing data throughout creation, use, archival, and eventual destruction when no longer needed, and it focuses on data in three main states: in use, in transit, and at rest.
Handling sensitive data for many organizations will involve legal or regulatory obligations to protect specific data types, such as personally identifiable information (PII) or transactional data related to payment cards. Payment card data is regulated by the Payment Card Industry (PCI) Council, and PII often requires protections to comply with regional or local laws like the European Union General Data Protection Regulation (EU GDPR). Both compliance frameworks dictate specific protection obligations an organization must meet when collecting, handling, and using the regulated data.
Security Architecture and Engineering
The Security Architecture and Engineering domain covers topics relevant to implementing and managing security controls across a variety of systems. Secure design principles are introduced that are used to build a security program, such as secure defaults, zero trust, and privacy by design. Common security models are also covered in this domain, which provide an abstract way of viewing a system or environment and allow for identification of security requirements related to the CIANA+PS principles. Specific system types are discussed in detail to highlight the application of security controls in a variety of architectures, including client- and server-based systems, industrial control systems (ICSs), Internet of Things (IoT), and emerging system types like microservices and containerized applications.
This domain presents the foundational details of cryptography and introduces topics covering basic definitions of encryption, hashing, and various cryptographic methods, as well as attacks against cryptography known as cryptanalysis. Applications of cryptography are integrated throughout all domains where relevant, such as the use of encryption in secure network protocols, which is covered in Chapter 4. Physical architecture security — including fire suppression and detection, secure facility design, and environmental control — is also introduced in this domain.
Communication and Network Security
One major value of modern information systems lies in their ability to share and exchange data, so fundamentals of networking are presented in the Communication and Network Security domain along with details of implementing adequate security protections for these communications. This domain introduces common models used for network services, including the Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models. These layered abstractions provide a method for identifying specific security risks and control capabilities to safeguard data, and the domain presents fundamentals, risks, and countermeasures available at each level of the OSI and TCP/IP models.
Properly securing networks and communications requires strategic planning to ensure proper architectural choices are made and implemented. Concepts of secure network design — such as planning and segmentation, availability of hardware, and network access control (NAC) — are introduced in this domain. Common network types and their specific security risks are introduced as well, including software-defined networks (SDNs), voice networks, and remote access and collaboration technologies.
Identity and Access Management
Controlling access to assets is one of the fundamental goals of security and offers the ability to safeguard all five CIANA+PS security concepts. Properly identifying users and authenticating the access they request can preserve confidentiality and authenticity of information, while properly implemented controls reduce the risk of lost or corrupted data, thereby preserving availability and integrity. Logging the actions taken by identified users or accounts supports nonrepudiation by verifiably demonstrating which user or process took a particular action.
The Identity and Access Management (IAM) domain introduces important concepts related to identifying subjects and controlling their access to objects. Subjects can be users, processes, or other systems, and objects are typically systems or data that a subject is trying to access. IAM requirements are presented through four fundamental aspects: identification, authentication, authorization, and accountability (IAAA). The domain also presents important concepts for managing identities and access, including federation and the use of third-party identity service providers.
Security Assessment and Testing
It is necessary to evaluate the effectiveness of security controls to determine if they are providing sufficient risk mitigation. Assessment, testing, and auditing are methods presented in this domain that allow a security practitioner to identify deficiencies in the security program and prioritize remedial activities.
Introduction xxv
Assessment and testing can be performed as an internal or external function; while
both are appropriate for monitoring security program status, there are situations that
require external evaluations. For instance, third-party audits are common in situations
where an assessment must be conducted that is free of any conflict of interest. External
audit reports, such as a System and Organization Controls (SOC) 2 report, can be useful for organizations to communicate details of their security practices to external parties like vendors
or business partners. In this case, the auditor’s independence from the audited organiza-
tion provides additional assurance to consumers of the report.
Ethical penetration testing and related technical testing topics are presented in this
domain, including test coverage and breach attack simulations. These types of tests can
be conducted against a range of targets from individual information systems to entire
organizations and are a valuable tool to identify deficiencies in security controls. The dis-
closure and handling of any findings from such testing is also discussed, including legal
and ethical implications of information that might be discovered.
An ongoing assessment and testing program is also useful for establishing continuous
monitoring and supporting compliance needs. Properly designed and implemented strat-
egies for testing security controls, vulnerabilities, and attack simulations measure the
effectiveness of the organization’s existing control program. Any identified deficiencies
must be addressed to ensure adequate risk management.
Security Operations
Security Operations (SecOps) is a companion to the other domains in the CBK, and this
chapter deals with implementing, operating, and maintaining infrastructure needed to
enable the organization’s security program. Security practitioners must first perform a risk
assessment and then design and operate security controls spanning technology, people,
and process to mitigate those risks. SecOps is a key integration point between security
teams and other parts of the organization such as Human Resources (HR) for key tasks
like designing job rotations or segregation of duties, or a network engineering team that
is responsible for implementing and maintaining firewalls and intrusion detection sys-
tems (IDSs).
Logical security aspects of SecOps include running and maintaining a security
operations center (SOC), which is becoming an increasingly crucial part of a security
program. The SOC centralizes information like threat intelligence, incident response,
and security alerts, permitting information sharing, more efficient response, and oversight
for the security program and functions. Planning for and exercising crucial business plans
like business continuity and disaster recovery (BCDR) are also an important element
of SecOps.
SecOps also encompasses important physical security concepts like facility design
and environmental controls, which are often completely new concepts for security
practitioners who have experience in cybersecurity or information technology (IT). How-
ever, the physical security of information systems and the data they contain is an impor-
tant element of maintaining all aspects of security. In some cases, physical limitations like
existing or shared buildings are drivers for additional logical controls to compensate for
potential unauthorized physical access.
Software Development Security
Information systems rely on software, so proper security is essential for the tools and
processes used to develop software. This includes both custom-built software as well as
purchased system components that are integrated into information systems. Cloud com-
puting is changing the paradigm of software development, so this domain also includes
security requirements for computing resources that are consumed as a service like soft-
ware as a service (SaaS), platform as a service (PaaS), and emerging architectures like
containerization and microservices.
Software can be both a target for attackers and the attack vector. The increasingly
complex software environment makes use of open-source software, prebuilt modules and
libraries, and distributed applications to provide greater speed for developers and functionality for users. These business advantages, however, introduce risks like the potential
for untrustworthy third-party code to be included in an application or attackers targeting
remote access features.
Adequate security in the software development lifecycle (SDLC) requires a combined
approach addressing people, process, and technology. This domain revisits the critical
personnel security concept of training, with a specific focus on developer security
training. Well-documented software development methodologies, guidelines, and pro-
cedures are essential process controls covered in the domain. Technology controls
encompassing both the software development environment and software security testing
are presented, as well as testing approaches for application security (AppSec) including
static and dynamic testing.
DOMAIN 1
Security and Risk Management
DOMAIN 1 OF THE CISSP Common Body of Knowledge (CBK) covers the founda-
tional topics of building and managing a risk-based information security program.
This domain covers a wide variety of concepts upon which the remainder of the
CBK builds.
Before diving into the heart of security and risk management concepts, this
chapter begins with coverage of professional ethics and how they apply in the
field of information security. Understanding your responsibilities as a security
professional is equally as important as knowing how to apply the security con-
cepts. We then move on to topics related to understanding your organization’s
mission, strategy, goals, and business objectives, and evaluating how to properly
satisfy your organization’s business needs securely.
Understanding risk management, and how its concepts apply to information
security, is one of the most important things you should take away from this
chapter. We describe risk management concepts and explain how to apply them
within your organization’s security program. In addition, understanding relevant
legal, regulatory, and compliance requirements is a critical component of every
information security program. Domain 1 includes coverage of concepts such as
cybercrimes and data breaches, import/export controls, and requirements for con-
ducting various types of investigations.
This chapter introduces the human element of security and includes coverage
of methods for educating your organization’s employees on key security concepts.
We cover the structure of a security awareness program and discuss how to eval-
uate the effectiveness of your education and training methods.
UNDERSTAND, ADHERE TO, AND PROMOTE PROFESSIONAL ETHICS
Understanding and following a strict code of ethics should be a top priority for any security professional. As a CISSP (or any information security professional who is certified by
(ISC)2), you are required to understand and fully commit to supporting the (ISC)2 Code
of Ethics. Any (ISC)2 member who knowingly violates the (ISC)2 Code of Ethics will
be subject to peer review and potential penalties, which may include revocation of the
member’s (ISC)2 certification(s).
(ISC)2 Code of Professional Ethics
The (ISC)2 Code of Ethics Preamble is as follows:
■ The safety and welfare of society and the common good, duty to our principals,
and to each other, requires that we adhere, and be seen to adhere, to the highest
ethical standards of behavior.
■ Therefore, strict adherence to this Code of Ethics is a condition of certification.
In short, the Code of Ethics Preamble states that every CISSP-certified member must
not only follow the Code of Ethics but also be visibly seen to follow it. Even the
perception of impropriety or ethical deviation may bring into question a member’s
standing. As such, CISSP-certified members must serve as visible ethical leaders within
their organizations and industry, at all times.
The (ISC)2 Code of Ethics includes four canons that are intended to serve as high-
level guidelines to augment, not replace, members’ professional judgment. The (ISC)2
Code of Ethics Canons are as follows:
■ Canon I: Protect society, the common good, necessary public trust and
confidence, and the infrastructure.
■ Canon II: Act honorably, honestly, justly, responsibly, and legally.