
Analyze student feedback to enhance CISSP exam preparation and understanding of core security concepts. Apply insights to improve study strategies and learner engagement.
Bookmark the National Institute of Standards and Technology site to access cybersecurity standards for risk management, backup, and business continuity, including SP publications for governance and risk assessment.
Explain the CIA triad and its use in securing devices and business, showing how passwords, backups, encryption, and risk-based controls protect confidentiality, integrity, and availability.
Security governance requires a top-down approach with senior management and board support to align security with business strategy, manage risk, and measure outcomes with key performance indicators.
Explore how NIST SP 800-100 shapes security governance by outlining organizational structure and senior management roles, focusing on risk management, business continuity, and incident management.
Align security governance with business objectives, ensure regulatory compliance, mitigate risk to an acceptable level, cultivate an information security culture around information assets, and implement policies and KPIs.
Understand how a clear organization structure assigns information security roles and escalation channels, covering technical, physical, and administrative security, with policy, compliance, and staff awareness.
Explore how due diligence, due care, and the prudent person standard define an information security officer's legal responsibilities, including vulnerability assessment, action, and standards comparison in a bank context.
Explore how due diligence and due care differ, and learn exam strategies to apply real-world implementation concepts in security, including elimination of wrong answers to identify due care.
Identify and align with business compliance by consulting legal requirements such as PCI DSS and HIPAA, assess regulations, and develop policies to protect privacy and personal information.
Explore key US information privacy laws, including the Privacy Act of 1974, HIPAA, and SOX, and compare local and international rules like GDPR to navigate global privacy compliance.
Master exam readiness by memorizing key US privacy and copyright laws, focusing on the Digital Millennium Copyright Act as the law that criminalizes copyright violations.
Learn about major computer crime laws, federal and international privacy and licensing rules, and how data breaches and licensing impact cybersecurity practice.
Learn how information security professionals follow a code of ethics to protect society, avoid conflicts of interest, and sign to obtain and maintain certification with I.S. Square.
Build a security policy framework with high level policies, standards, guidelines, and procedures, using templates and documentation. Understand how policy types guide governance and protect information assets.
Utilize the Center for Internet Security website to identify standards for operating systems, network devices, and applications, and use its checklists to prepare audits.
Learn tips for distinguishing mandatory versus optional security documents, including policy, standards, and guidelines. Use available templates, procedures, and common standards sources to prepare for exam questions and real-world practice.
Anchor security document creation in law and regulation, then derive policy, procedures, guidelines, and standards for compliance, guided by PCI-DSS or HIPA requirements.
Identify business continuity requirements by outlining how to keep critical services available during incidents, covering DRP, high availability, redundancy, backup, and clear responsibilities.
examine the phases of business continuity planning, from initiation and project scope to a rigorous business impact analysis, testing, and ongoing maintenance with cross-functional collaboration.
Identify and prioritize business functions through a practical business impact analysis to build a realistic business continuity plan focused on availability and recovery time objective and recovery point objective.
Memorize the NIST SP 800-34 publication numbers 874 and 834, and apply the seven-phase business continuity framework: policy statement, BIA, preventive controls, recovery strategy, IT dependency mapping, testing, and maintenance.
Learn how to define the maximum tolerable downtime (MTD), recovery time objective (RTO), and recovery point objective (RPO) with management sign-off, and balance cost against realistic recovery plans.
Explore mean time to failure and mean time to repair, and relate MTD, RPO, and R2 to business continuity and disaster recovery, with Sunflower document guidance for CISSP prep.
Identify single points of failure and perform SPF analysis. Apply redundancy with clusters and redundant firewalls, plan capacity, generators, and trained technical staff.
Explore high availability and fault tolerance, comparing failover and load balancing, and detailing raid storage strategies (zero, one, five, ten) to protect power and data.
Review exam tips for business continuity, focusing on definitions and differences among rate levels (rate 0, rate 1, rate 5, rate 10) and the distinction between fault tolerance and backup.
Enforce personal security through clear policies and annual awareness training to reduce insider threats and social engineering, clarify consequences for policy violations, and teach employees to follow procedures.
Learn how to prevent insider threats by integrating HR with information security, enforcing background checks and ndas, implementing monitoring and data loss prevention, and managing access and exit processes.
Protect employee privacy by restricting access to personal data, applying need-to-know and data minimization, and using encryption and masking to keep information secure and compliant.
Examine social media security from employee usage to company accounts, highlighting the need for social media policies, safeguarding confidential information, and implementing two-factor authentication to prevent account compromise.
Explore risk management concepts and implement risk assessment methods, using risk registers, heatmaps, standards, and qualitative/quantitative approaches to identify, rank, and manage threats and vulnerabilities.
Compare qualitative and quantitative risk assessments in information security, using word-based likelihood and impact versus numeric scores, and apply risk registers and heatmaps to prioritize high, medium, and low risks.
Master quantitative risk assessment by calculating asset value, exposure factor, single loss expectancy, and annual loss expectancy with examples like fire and downtime to evaluate cost-effective safeguards.
Rank risks after qualitative or quantitative analysis, then apply four actions: mitigation, acceptance, transfer, and avoidance—led by the risk owner, with a risk register and a risk acceptance list.
Explore defense in depth by categorizing security controls into preventive, detective, corrective, and deterrence, and learn how layers like firewalls, ids, and backups work together.
Explore the NIST SP 800-37 risk management framework, detailing six phases from information gathering to evaluating and updating security controls in a continuous process.
Risk management is a continuous process of risk assessment, identifying risks, and scoring them by likelihood and impact, while maintaining a risk register that is reviewed annually.
Focus on risk management essentials for the CISSP exam, covering terminology, qualitative and quantitative analysis, risk strategies, formulas, controls, and the risk register across six phases.
Identify and prioritize daily threats using threat intelligence and risk management as a continuous process. Apply asset-focused, threat-focused, and service-focused threat modeling to map threats to assets and services.
Explore the STRIDE model's six attack categories—spoofing, tampering, repetition, information disclosure, denial of service, and elevation of privilege—and use reduction analysis to map weaknesses in data flow.
Explore free and paid threat intelligence sources and feeds, from Internet Storm Center to government portals and IBM X-Force, and learn to integrate APIs to monitor and block malicious IPs.
Apply risk-based vendor management by enforcing vendor security policies, conducting awareness sessions, and following a vendor management lifecycle to mitigate third-party breaches and cloud risks.
Explore the vendor management lifecycle from selection to offboarding, embedding security in RFPs, evaluating proposals, managing onboarding data access, monitoring with audits, and ensuring secure offboarding.
Establish a security awareness program that treats people as the weakest link, delivering role-based training on policies and phishing risks to sustain a strong security culture.
Learn to tailor security awareness programs using free resources from sans sense, customize templates to your policy and business needs, and evaluate effectiveness through online surveys and phishing simulations.
Learn key information security policies for awareness programs, including enforcing complex passwords with 90-day expiry, incident management and reporting, clean desk practices, and data classification.
Identify information assets across departments, assign owners and custodians, classify assets, and maintain an up-to-date information asset register to safeguard confidentiality, integrity, and availability.
Identify information assets and build an asset register with owners and custodians, then classify and label data from public to restricted to protect confidentiality.
Explore military and commercial classification schemes, from unclassified to top secret. Learn to label, own, value, and protect information assets with defined ownership, custodian roles, and privacy considerations.
Enforce data classification to label and protect documents, automatically applying metadata and confidentiality across email, cloud storage, shared drives, and mobile devices, enabling a proactive, data-centric security posture.
Empower end users to classify sensitive information across documents, emails, and data formats, applying visual labels, watermarks, and metadata to strengthen data loss prevention and overall information security.
Explore how data classification and labeling enable data loss prevention, and how a DLP system enforces policies to prevent leakage through email, USB drives, or website uploads.
Compare endpoint and network data loss prevention to protect sensitive data with data-in-motion enforcement, with endpoint agents offering visibility and controls for copy, print, and USB transfers.
Identify the asset owner and custodian, since ownership rests with the entity or department, and keep custodian records up to date as personnel change.
Protect privacy by enforcing collection limitations for PII, securing databases with logging and access controls, and aligning retention, disposal, and cross-border processing with GDPR and other regulations.
Understand how to retain and securely dispose information assets—media, hard and soft copies, hardware, software, and people—via clear retention and asset management policies, classification, and compliant disposal.
Select data security controls based on data classification, standards, and scoping, choosing out-of-the-box or tailored solutions to protect data at rest and in transit with encryption.
encryption scrambles data to keep it unreadable, ensuring only authorized readers can access it. it protects data at rest and in transit with software or hardware options, sometimes mandatory.
Explore security architecture and engineering, covering security models, controls and countermeasures, vulnerability mitigation, mobile and web security, and cryptography basics with exam-focused guidance on measuring computer security.
Learn the security engineering lifecycle, from initiation, development and acquisition, implementation, operation and maintenance, and disposal, focusing on security architecture, models, and patch management to protect integrity, confidentiality, and availability.
Examine Nest special publications 814 and 827 to understand security foundations, risk management, and engineering principles guiding the security lifecycle. Learn about risk acceptance, external system risk, and vulnerability management.
Explore the trusted computing base (TCB), the hardware, the framework, and the operating system, and how to evaluate them for system security.
Explore vulnerabilities and attacks across domains, including backdoors, maintenance hooks, tamper data, buffer overflow, and covert channels within the trusted computer base, for CISSP exam readiness.
Explain core security models and their focus on confidentiality or integrity, including Bell-LaPadula, Biba, Clark-Wilson, and Brewer’s conflict-of-interest (Chinese Wall) concepts, with practical implementation notes.
Explore tcsec (orange book) framework for evaluating trusted computer bases, including Nest's rainbow security books, and the d-to-a categories, with emphasis on access control, labeling, and isolation.
Examine how ITSEC evaluates functionality and assurance, compare it with common criteria ISO, and learn about protection profiles, security targets, and the target of evaluation.
Practice security architecture questions to distinguish truth from false statements about Bell-LaPadula and Clark-Wilson models, apply confidentiality and integrity rules, and sharpen I.S. squared thinking for access control.
Design enterprise security architecture by implementing boundary control, access control, integrity, cryptography, and auditing and monitoring to safeguard information as it moves across systems.
Understand virtualization basics, including virtual machines, host isolation, and the cost and security benefits of consolidating systems, along with resource, backup, and availability considerations.
Identify single points of failure and implement redundant, automatically failing over components such as power, switches, and storage to minimize downtime, guided by acceptable downtime from management.
Explore server fault-tolerance techniques like clustering, where several machines act as one with the same IP for SQL Server reliability, plus network load balancing, virtualization with redundancy, and RAID storage.
Explore how new technologies like IoT, AI, embedded systems, and mobile devices boost business efficiency while raising security challenges, including remote access, DMZs, and mobile device vulnerabilities.
Master the basics of cryptography, including algorithms, keys, and the public protocol principle. Practice with the Crip tool and Caesar cipher to understand confidentiality and integrity.
Explore steganography as an alternative cipher, demonstrating hiding data in images with a manual method, and using a hex editor to detect, extract, and analyze hidden files and metadata.
Learn symmetric encryption, using one key for both encryption and decryption, and address out-of-band key distribution; distinguish block and stream ciphers, block size, key size, rounds, and initialization vectors.
Explore asymmetric encryption, where public and private keys enable encryption, decryption, and non repudiation. Learn about digital certificates, certificate authorities, and PKI for securing websites and messages.
Discover how hashing verifies file integrity using algorithms like MD5 and SHA; a one-way process that changes with any content modification, not the file name, enabling integrity checks with hashes.
Identify power issues, fire types, and data center placement to protect critical facilities. Differentiate deterrents, detectors, delays, and responses to secure people, data, and premises.
Examine fences, doors, and access control options to secure facilities, using guards, intrusion detection, logs, and alarms, while considering design and power factors.
Learn the six power problems, including spikes versus surges, full loss versus blackouts, and sag versus brownouts, plus protective devices like surge protectors and UPS.
Identify fire classes A, B, C, and D and match each with the proper extinguishing agents—water, CO2, gas, or dry powder—plus note fm2 hundred halon replacement and sprinkler types.
Master the OSI model's seven layers and map protocols to each layer, from TCP and UDP to IP, routing protocols, and MAC addressing, for reliable data transport.
Explore the four-layer tcp-ip model—application, host-to-host, network, and network access—and its OSI model alignment, identifying protocols on each layer and using Wireshark to observe packets.
Explore network architecture components by examining how switches build mac address tables, arp requests, and arp spoofing risks, then compare static and dynamic routing protocols like rip, ospf, and eigrp.
Explore how firewalls inspect inbound and outbound traffic, enforce rules, and compare stateless and stateful types, including application firewalls and dmz architecture with packet filtering between internal and external networks.
Explore network types (lan, wan, can, man, pan) and topologies (star, bus, ring, mesh) with focus on single points of failure and media like utp, stp, fiber, and 100-meter limits.
Explore remote access options for linking distant sites, including leased lines, internet-based VPNs, frame relay, MPLS, ATM, and dial-up, with cost and security trade-offs.
Understand wireless operation, SSID configuration, beacon broadcasting, and hidden access point security, and compare WEP, WPA, and WPA2 encryption to explain WPA2's stronger protection.
Explore common network attacks, from malware like viruses, worms, trojans and ransomware to man-in-the-middle and ARP spoofing, and denial-of-service methods, including ICMP floods and the three-way handshake.
Explore network security mechanisms such as firewalls, ids/ips, and event management solutions, and learn how caller id, spoofed numbers, and callback techniques help restrict access and deter attacks.
Understand the redundant array of independent disks (raid) to ensure availability and prevent a single point of failure with drives, including raid 0, raid 1, raid 5, and raid 10.
Explore backup best practices and compare full, differential, and incremental backups, with tape and remote media, and understand restore implications and single point of failure redundancy.
Explore network fundamentals: overlay networks, virtual private networks, and the roles of hub, switch, and bridge, with fiber optic resisting environmental tapping better than twisted pair.
Define security through the CIA triad—confidentiality, integrity, and availability—and introduce access control concepts, including subjects and objects and the default deny rule.
Explain how access control combines authentication, authorization, and accounting to identify and verify users, assign data-owner-determined permissions, and log activity across technical, physical, and administrative security.
Learn how identification and authentication establish access control, exploring something you know, something you have, and something you are, with passwords, tokens, and biometrics, including weakness and multi-factor benefits.
Explore how single sign on enables a user to log in once and access resources with Kerberos, using an authentication server, a ticket granting server, and TGTs and service tickets.
Explore central administration with RADIUS, a centralized authentication that provides a single account for VPN, wifi, dial-up, and remote access, while distinguishing RADIUS from single sign-on.
Learn how access control attack types impact security, including software attacks like dictionary, brute force, and rainbow table techniques, plus human based methods such as social engineering and spoofing.
Understanding intrusion detection systems as detective tools that sniff network traffic, alert on malicious activity without blocking it, differentiate network-based vs host-based ids, and explain signature-based, behavior-based, and baseline learning.
Explore access control essentials, including password types, time-based vs non-time-based and synchronous vs asynchronous authentication, Kerberos-based single sign-on, directory services, and key standards for penetration testing.
Practice domain quizzes with two 50-question sets to master tricky access control items, read explanations, and adopt the ISC2 mentality for CISSP exam success.
Explore security assessment and testing to verify effectiveness of technical and administrative controls, covering vulnerability assessment, penetration testing, auditing, patch management, and risk-based reporting.
Explore administrative and technical security assessment outputs, including management responses, documentation inventories, firewall configurations, patch management, vulnerability rankings, and user account and privilege controls.
Explore how to conduct a vulnerability assessment to identify and rank weaknesses by criticality, using free and paid tools, and learn when to perform scans after updates or breaches.
Identify vulnerabilities through the vulnerability assessment process as a core phase. Eliminate false positives, test exploitable status, and tailor Nessus reports readable for management by scope.
Learn to download and set up Nessus home edition, run vulnerability scans across networks, hosts, and cloud, compare reports from multiple tools, and interpret results for PCI compliance.
Organize and run Nessus vulnerability scans by network segments, set credentials, schedule scans after hours, and export remediation reports highlighting missing patches and critical findings.
Explore exporting Nessus vulnerability reports to csv and Excel, then filter for critical and high findings, identify missing patches, and generate actionable patch management reports for IT teams.
Explore a range of web application vulnerability assessment and penetration testing tools, learn to select suitable tools for your project, and use OWASP ZAP for top-ten vulnerability analysis.
Learn rapid7 nexpose vulnerability assessment setup, including post-install activation and login, and use the security console to identify assets, vulnerabilities, and generate management and auditing reports for different editions.
Learn the penetration testing process, differentiate it from vulnerability assessment, define scope and types (white box, black box, social engineering), and cover core phases like reconnaissance, scanning, exploitation, and reporting.
Explore Maltego, a powerful intelligence and reconnaissance tool for footprinting, and learn to gather domain, email, IP, and social network information from multiple sources.
Explore network discovery with Zenmap's graphical interface, performing intensive scans on a subnet to reveal open ports, services, OS, and topology, highlighting vulnerable hosts as starting points for assessment.
Demonstrate penetration testing workflows from information gathering and enumeration to exploitation using Metasploit and related tools, creating a network testing project and validating exploits with proof.
Centralize logs from multiple devices with a security information and event management solution to monitor, detect, and investigate security events, while using dashboards and automated analysis for audit and compliance.
Explore log management within the NIST framework, highlighting standards like NIST 800-92 and best practices for log architecture, archiving, log types, and regulatory compliance.
Discover how a sim centralizes security alerts from firewalls, ids, ips, antivirus, and directory services, enabling log aggregation, cross correlation, and compliance reporting for accurate threat detection.
Explore QRadar siem and security intelligence: predict vulnerabilities before an attack, detect active threats with analytics, and automate responses after, while scaling to billions of events with AppExchange integration.
review in-house code to uncover security weaknesses across application layers, emphasizing training and automated tools, and reference OWASP top ten vulnerabilities like SQL injection and cross-site scripting.
Define and track security KPIs to measure effectiveness beyond implementation and testing. Train employees annually to boost security awareness and reduce human-related incidents.
The CISSP Online Course provides a comprehensive review of the knowledge required to effectively design, engineer and manage the overall security posture of an organization. This training course will help students review and refresh their knowledge and identify areas they need to study for the CISSP exam.
Who Should Enroll
The training seminar is ideal for those working in positions such as but not limited to:
Security Consultant
Security Manager
IT Director/Manager
Security Auditor
Security Architect
Security Analyst
Security Systems Engineer
Chief Information Security Officer
Security Director
Network Architect
Course Objectives
After completing this course, the student will be able to:
Understand and apply fundamental concepts and methods related to the fields of information technology and security.
Align overall organizational operational goals with security functions and implementations.
Understand how to protect assets of the organization as they go through their lifecycle.
Understand the concepts, principles, structures and standards used to design, implement, monitor and secure operating systems, equipment, networks, applications and those controls used to enforce various levels of confidentiality, integrity and availability.
Implement system security through the application of security design principles and application of appropriate security control mitigations for vulnerabilities present in common information system types and architectures.
Understand the importance of cryptography and the security services it can provide in today’s digital and information age.
Understand the impact of physical security elements on information system security and apply secure design principles to evaluate or recommend appropriate physical security protections.
Understand the elements that comprise communication and network security coupled with a thorough description of how the communication and network systems function.
List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1-7.
Identify standard terms for applying physical and logical access controls to environments related to their security practice.
Appraise various access control models to meet business security requirements.
Name primary methods for designing and validating test and audit strategies that support business requirements.
Enhance and optimize an organization’s operational function and capacity by applying and utilizing appropriate security controls and countermeasures.
Recognize risks to an organization’s operational endeavors and assess specific threats, vulnerabilities and controls.