
Introduce the CISSP credential and the 2021 version, outline training, concentrations, and (ISC)², and mention the Associate of (ISC)² path and exam highlights to enhance teaching.
The lecture details creating an air force red team and training aircraft servicing personnel to perform physical and network penetration for global operations, alongside the speaker's CISSP journey.
Explore how corporate cybersecurity roles evolve from security architect to chief information security officer, including 24/7 security operations, and managing cloud, IoT, and manufacturing ecosystems, while prioritizing knowledge over certificates.
Explore CISSP concentrations in architecture, engineering, and management across six of eight domains. Adopt diverse study methods: blogs, white papers, podcasts, webinars, and mentors to supplement training.
Understand the eight CISSP domains, the three-year update cycle, and how the Associate path enables early testing, while outlining the requirement of five years of work experience in two or more of the eight domains.
Identify CISSP exam highlights, including computer adaptive testing, 100-150 questions, and pass/fail results, with domain weights across eight domains and timing strategies to help pass on the first try.
Explore domain one overview of CISSP, covering ethics, confidentiality, integrity, availability, authenticity and non-repudiation, governance, risk management, policies, regulatory frameworks, business continuity, and supply chain security.
The ISC2 code of ethics emphasizes safety, welfare, and the common good, guiding professionals to act legally and honorably to protect society, infrastructure, and user privacy.
Review your organization's ethics as they relate to cybersecurity by collaborating with HR and compliance to integrate privacy requirements (GDPR, PIPL) and terms of use into policy, and uphold fair information practices.
Protect data confidentiality by enforcing encryption at rest and in transit, using TLS tunnels, IPsec, and access controls. Store passwords in secure vaults to prevent unauthorized access.
Explore how confidentiality can be compromised through plain text data, unprotected storage, and shared credentials, and how audits, data ownership, and access controls protect sensitive data.
Protect data integrity by safeguarding confidentiality and ensuring accuracy and completeness from creation to destruction. Use encryption in transit and at rest, and maintain an audit trail to prevent unauthorized modification.
Examples show how data integrity suffers when data is unencrypted in transit or at rest and emphasize encryption, proper authentication, and robust logging to ensure availability, accuracy, accountability, and non-repudiation.
Explore availability in the CIA triad, focusing on high availability, uninterrupted access, and protection against denial of service. Learn how UPS, generators, and business continuity keep critical systems online.
Explore how availability is compromised by denial of service, such as SYN floods, and learn how recovery point and recovery time objectives, usability, and quick restart enable rapid service restoration.
Identify and authenticate users, grant access through authorization, and audit activities to ensure accountability; use logs to detect unauthorized activity and uphold access control.
Apply defense in depth with network and system layering, logging, and non-repudiation to track attackers, and secure industrial control systems through mindful obfuscation and encryption practices.
Explore the DAD triad: disclosure, alteration, destruction, and how each failure undermines confidentiality, integrity, and availability in the CIA triad.
Ensure data authenticity and integrity by confirming origin and lack of tampering, and enforce non-repudiation through identification, authentication, authorization, accountability, and auditing with digital certificates, session identifiers, and transaction logs.
Define security governance principles to guide strategic direction, risk mitigation, and audit-driven accountability across enterprise resources, aligning with ISO 27001 and CMMC frameworks under board oversight.
Security control frameworks provide voluntary standards and guidelines to guide security programs around the cybersecurity framework for critical infrastructure, and are not a universal checklist or liability shield.
Map security controls across frameworks like HIPAA, ISO 27001, and NIST SP 800-53 to build compliant cybersecurity programs; for example, NIST CSF ID.AM-1 (physical devices inventory) maps to HIPAA 45 CFR and COSO.
Explore governance-driven organizational roles for security programs, from senior managers and data owners to data custodians and auditors, and learn how roles vary and guide classifications and protection.
Implement proactive security through due care and due diligence by fostering a culture where all employees own security, maintain systematic protections, and address issues promptly.
Explore how compliance and security intersect within governance programs, covering PCI DSS requirements like firewall configurations, avoiding default passwords, and encrypting transmissions, plus GDPR and PIPL privacy laws.
Explore the evolution of electronic privacy laws from the Electronic Communications Privacy Act of 1986 to HIPAA and HITECH, and examine wiretaps, law enforcement access, and electronic health records.
Explore the HIPAA and HITECH regulatory landscape, including privacy and security protections, breach notification rules, penalties, and related acts like COPPA, Gramm-Leach-Bliley Act, FERPA, and the Patriot Act.
Understand the legal and regulatory issues in information security within the US framework, covering criminal, civil, administrative law, and computer crime, and learn why legal counsel should protect your network.
Analyze the Computer Fraud and Abuse Act, including NIPA and FISMA, and how criminal and civil actions address illegal access, malicious code, and interstate infrastructure attacks.
Explore licensing and intellectual property, including copyrights, trademarks, patents, and trade secrets, and how cross-border protection and the DMCA govern digital works and service-provider liability.
Explore how trademarks protect logos and slogans, and how intent to use and due diligence prevent conflicts, then examine patents, 20-year terms, and the rise of patent trolls.
Learn how trade secrets protect business processes and data, and how licensing, non-disclosure agreements, end user license agreements, click-through agreements, and cloud services agreements govern software use and data ownership.
Navigate export controls for high-performance computing devices and encryption, including BIS bans and 256-bit rules with a 30-day review, and explore transborder data flows under US, EU, and China regulations.
Explore how privacy evolves from the Fourth Amendment to cyber data protection, comparing EU, US, and China approaches and acts such as the Privacy Act of 1974 and ECPA 1986.
Review privacy laws from HIPAA to the EU GDPR and China's personal information protection law, focusing on breach notification, data subject rights, and roles of data custodians and processors.
Explore how state privacy laws, especially CCPA, align with GDPR; cover breach notification and the rights to be forgotten, to opt out of personal data sale, and documented incident response.
Navigate administrative, criminal, civil, and regulatory investigations, maintain formal procedures and documentation, and perform root-cause analysis on incidents like misrouted emails or data breaches.
Explore civil investigations versus criminal investigations, highlighting beyond a reasonable doubt vs preponderance of evidence, evidence collection standards, the role of law enforcement, internal teams, and country differences.
Learn regulatory investigations by agencies such as the EPA and OSHA, plus industry and country variations, and master the electronic discovery lifecycle: identification, preservation, collection, processing, review, production, and presentation.
Explore what constitutes admissible evidence, including artifacts, real and demonstrative evidence, and the six IOCE principles for digital forensics, emphasizing lawful seizure, preservation, and documented handling to protect data.
Explore media, memory, network, software, and hardware analysis for digital forensics, including write-blocked data acquisition, volatile memory handling, PCAPs, code review for backdoors, and IoT device risks.
Explore how security policies, standards, and guidelines form a top-down, hierarchical governance framework; define policy scope, draft requirements, and apply rare exceptions with compensating controls, using password policies and remote access as examples.
Explore three types of security policies: organizational, issue-specific, and advisory, with examples like varying password lengths by unit and strict money transfer controls to prevent email fraud.
Explore the hierarchical relationship of policies, procedures, standards, and guidelines, and learn how procedures provide step-by-step implementation and require updates as environments change.
Define security minimums and publish accessible policies and standards via a governance platform, but avoid one oversized document; keep procedures selective and simple.
Identify, analyze, and prioritize business continuity requirements via a unit-focused business impact assessment, using a risk-based approach. Involve leaders, choose on-prem vs cloud, and consider turnkey products or contractors.
Develop and document a continuity plan that identifies the affected unit, defines activation and decision rights, and tests with tabletop exercises and hot, warm, or cold backup sites.
Define critical versus non-critical functions through a business impact analysis, and implement recovery point and recovery time objectives while evaluating hot, warm, and cold site options.
Align with HR and compliance to write and enforce personal security policies, job descriptions, separation of duties, and background checks; practice least privilege and rotate roles to mitigate insider threats.
Explore personnel security policies, hiring, onboarding, and termination, with emphasis on background checks, compliance, and privacy. Learn role-based access, separation of duties, rotation of roles, and contractor management.
Understand how to set up employment agreements and security policies, including ITAR-based hiring restrictions, non-disclosure agreements, non-compete clauses, and acceptable use controls.
Examine vendor, consultant, and contractor agreements to limit data breach exposure, specify breach notification and incident response, and align with regulatory requirements like PCI DSS and GDPR.
Onboarding, transfers, and terminations require coordinated HR and security policies, remote access, and role-based access, with credential revocation and NDA considerations to protect sensitive data.
Terminate the employee, disable all network accounts, and remove access before onboarding them as a contractor; document exceptions and monitor activity around sensitive information, keeping emails for 90 days.
Explore how compliance and privacy integrate with security governance in the CISSP framework, balancing individual rights with organizational needs, and meeting PCI and privacy policy requirements.
In this CISSP Domain 1, 2, 3, and 4 video training course, I will provide you the knowledge, experience and practical skills you need to pass the CISSP certification. In addition, you will get my years of experience (Over 18 years) as I translate CISSP training requirements into real-world examples.
Included in this course:
CISSP Domain 1 Videos
13 Sections - 31 Videos
10 CISSP practice questions
CISSP Domain 2 Videos
5 Sections - 9 Videos
10 CISSP practice questions
CISSP Domain 3 Videos
11 Sections - 16 Videos
10 CISSP practice questions
CISSP Domain 4 Videos
3 Sections - 7 Videos
10 CISSP practice questions
The curriculum in this course covers the content that will be on the most current CISSP exam (April 2021). Each objective that is required for the CISSP exam will be covered in varying degrees of complexity and competency. The next upgrade to the CISSP curriculum/exam will occur in 2023.
In Domain 1 we will cover:
Introduction
Introduction
Purpose
ISC2
Understand and apply concepts of confidentiality, integrity and availability
Confidentiality
Integrity
Availability
Evaluate and apply security governance principles
Alignment of security function to business strategy, goals, mission, and objectives
Organizational processes (e.g., acquisitions, divestitures, governance committees)
Organizational roles and responsibilities
Security control frameworks
Due care/due diligence
Determine compliance requirements
Contractual, legal, industry standards, and regulatory requirements
Privacy requirements
Understand legal and regulatory issues that pertain to information security in a global context
Cyber crimes and data breaches
Licensing and intellectual property requirements
Import/export controls
Trans-border data flow
Privacy
Understand, adhere to, and promote professional ethics
(ISC)² Code of Professional Ethics
Organizational code of ethics
Develop, document, and implement security policy, standards, procedures, and guidelines
Identify, analyze, and prioritize Business Continuity (BC) requirements
Develop and document scope and plan
Business Impact Analysis (BIA)
Contribute to and enforce personnel security policies and procedures
Candidate screening and hiring
Employment agreements and policies
Onboarding and termination processes
Vendor, consultant, and contractor agreements and controls
Compliance policy requirements
Privacy policy requirements
Understand and apply risk management concepts
Identify threats and vulnerabilities
Risk assessment/analysis
Risk response
Countermeasure selection and implementation
Applicable types of controls (e.g., preventive, detective, corrective)
Security Control Assessment (SCA)
Monitoring and measurement
Asset valuation
Reporting
Continuous improvement
Risk frameworks
Understand and apply threat modeling concepts and methodologies
Threat modeling methodologies
Threat modeling concepts
Apply risk-based management concepts to the supply chain
Risks associated with hardware, software, and services
Third-party assessment and monitoring
Minimum security requirements
Service-level requirements
Establish and maintain a security awareness, education, and training program
Methods and techniques to present awareness and training
Periodic content reviews
Program effectiveness evaluation
In Domain 2 we will cover:
Identify and classify information and assets
Data Classification
Asset Classification
Determine and maintain information and asset ownership
Protect privacy
Data owners
Data processors
Data remanence
Collection limitation
Ensure appropriate asset retention
Determine data security controls
Understand data states
Scoping and tailoring
Standards selection
Data protection methods
Establish information and asset handling requirements
In Domain 3 we will cover:
Implementation and management of engineering processes using secure design principles
Asset Retention
Confinement
Understanding of the fundamental concepts of security models
Selection of controls based upon systems security requirements
Security capabilities of information systems
Assessment and mitigation of vulnerabilities within a security architecture
Client-based systems
Server-based systems
Database systems
Cryptographic systems
Industrial Control Systems (ICS)
Cloud-based systems
Distributed systems
Internet of Things (IoT)
Assessment and mitigation in web-based systems
Assessment and mitigation in mobile-based systems
Assessment and mitigation in embedded devices
Apply cryptographic methods
Cryptographic life-cycle
Cryptographic methods
Public Key Infrastructure
Key management practices
Digital Signatures
Non-repudiation
Integrity (e.g. Hashing)
Cryptographic attacks
Digital Rights Management (DRM)
Application of security principles to sites and facility design
Implementation of site and facility security controls
Wiring closets/intermediate distribution facilities
Server rooms/data centers
Media storage facilities
Evidence storage
Restricted and work area security
Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
Environmental issues
Fire prevention, detection, and suppression
In Domain 4 we will cover:
Implement secure design principles in network architectures
Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
Internet Protocol (IP) networking
Implications of multilayer protocols
Converged protocols
Software-defined networks
Wireless networks
Secure network components
Operation of hardware
Transmission media
Network Access Control (NAC) devices
Endpoint security
Content-distribution networks
Implement secure communication channels according to design
Voice
Multimedia collaboration
Remote access
Data communications
Virtualized networks
Notes / Disclaimers:
In order to pass the CISSP test you need substantial knowledge gained through experience and study.
The test was originally written in English, but other language versions are available.
When answering the questions, consider the "perfect world" scenario: workaround options may be technically correct, but they may not match the (ISC)² point of view.
You need to be able to spot the keywords (DR, BCP, Policy, Standards, etc.) as well as the indicators (First, Best, Last, Least, Most)
Understand and answer every question from the Manager, CISO, or Risk Adviser's Point of View (PoV). Answering the questions from a CIO or technical perspective will place your thinking too high up or too far down in the weeds.
Understand that you are to answer the questions based on being proactive within your environment. Enable a Vulnerability Management Program before you have vulnerability issues.
The English version of the CISSP exam utilizes the Computerized Adaptive Testing (CAT) format and is 3 hours long with 100-150 questions.
Most people studying for CISSP certification will use various media sources, test banks, and books to enhance their test-taking experience.
Don't rely on one source to teach you all that you need to know for the CISSP. Invest in multiple training opportunities. The future payoff is worth the time and energy.