
Explore the eight CISSP domains—security and risk management, security architecture and engineering, and communications and network security—and the computer-adaptive exam format for effective prep.
Define security through the CIA triad: confidentiality, integrity, and availability, explaining how information should stay secret, trusted, and accessible to the right people at the right time.
Define security and governance to protect assets and deliver organizational value. Align security with the mission, goals, and stakeholders while reducing risk to an acceptable level.
Understand how organizational processes and governance drive consistent security results, guiding acquisitions, divestitures, and committee decisions with stakeholder input to protect mission.
Define security roles and responsibilities within a governance framework. Clarify reporting lines to the chief information security officer and executives, and communicate risk with financial context.
Learn how information security strategies unfold across strategic, tactical, and operational planning, and how aligned goals and stepwise execution drive governance success.
Establish a security program guided by an oversight council with representation across divisions, prioritizing security initiatives, reviewing policies, auditing compliance, and embedding security with end users, executives, and IT staff.
Explore how control frameworks guide security programs with standardized, modular guidance and mappings between standards and frameworks like NIST SP 800-53 and the Cybersecurity Framework to build a mission-aligned program.
Apply due care and due diligence to security programs, using preventive measures, policies, and frameworks to prevent harm and reduce legal liability.
Explore governance, risk management, and compliance as a triad that links laws, regulations, and industry standards such as GDPR, HIPAA, and PCI to protect data and reduce risk.
Identify regulatory requirements your organization must meet, including HIPAA, PCI DSS, GDPR, and FISMA, and seek legal counsel to ensure compliance with Privacy Shield or Safe Harbor guidance.
Explain how privacy compliance protects personally identifiable information (PII) and guides lawful processing, sharing, and consent under GDPR and the data protection directive, to prevent exposure and liability.
Define computer crime and cybercrime, explain ransomware, cryptojacking, and fake antivirus scams, and show how governance and security policies reduce costs and protect data.
Define patent, trademark, and copyright protections for ideas, brands, and artistic works. Explain licensing and trade secrets as longer-term protections and note 20-year patent terms and 80-year copyright terms.
Navigate cross-border data flow and international import/export laws like ITAR and the Wassenaar Arrangement, and assess dual-use and military-grade goods for information security practice.
Navigate global privacy laws and OECD guidelines, protect PII with limited collection and transparent purposes, and safeguard data as custodians upholding individuals' rights.
Identify an incident as a negative event that may compromise security. Use standardized vocabulary for event recording and incident sharing to distinguish breach from data disclosure, as highlighted by Verizon.
Identify and apply relevant laws and regulations across jurisdictions, including GLBA and HIPAA, and recognize penalties for noncompliance while tailoring security policies to your industry and country.
Explore professional and computer ethics and how ethics programs, transparency, and compliance affect organizations. Learn about Sarbanes-Oxley, privacy and anonymity, intellectual property, globalization, and common ethical fallacies in computing.
Explore the CISSP code of ethics, focusing on the four canons—protect society, act honorably, provide diligent service, and advance the profession—and how to apply them in real-world decisions.
Explain how to answer CISSP questions using the umbrella method and define security documentation, including policy, standards, procedures, baselines, and guidelines under legal jurisdiction.
Initiate a business continuity and disaster recovery project with senior leadership buy-in, justify costs via risk assessment, and prioritize critical elements using business impact analysis to define maximum tolerable downtime.
Explore how outages threaten business continuity, examining external and internal threats, MTBF, MTD, and backup strategies to meet RTO and RPO within budget.
Explore how organizations screen job candidates to protect people and assets, using background checks, credit and criminal history, drug tests, education and licenses verification, driving records, and social media reviews.
Explore employment agreements and policies that enforce secure practices, including non-compete and confidentiality clauses, job rotation, separation of duties, least privilege, and mandatory vacations.
Securely manage terminations, including unfriendly exits, by removing access, disabling accounts, reclaiming equipment from employees and contractors, escorting when needed, and logging activities while enforcing privacy policies.
Define organizational risk management by threat sources, threat events, and vulnerabilities, then apply security controls to reduce likelihood and impact, reaching an acceptable residual risk.
Define risk as likelihood times impact, identify threats and vulnerabilities, and apply security controls guided by ISO, COSO, and NIST frameworks.
Rank likelihood and impact using qualitative scales and charts to prioritize risks, apply the rule that risk equals likelihood times impact, and allocate resources before exploring quantitative methods.
Quantify risk by converting likelihoods to percentages and computing annual loss expectancy using single loss expectancy and exposure factors to prioritize security investments.
Explore the four traditional risk responses—avoid, transfer, mitigate, and accept—plus the newer fifth approach of risk rejection, with practical examples like insurance, encryption, and cloud considerations.
Map risk to seven control categories—directive, deterrent, preventive, compensating, detective, corrective, and recovery—through the roles of architect, practitioner, and security professional, before, during, and after incidents.
Define administrative, logical, and physical controls and map the seven categories to real-world examples like policy, least privilege, audits, cameras, and firewalls.
Assess, monitor, and measure security controls through vulnerability assessments, pen testing, SAST/DAST, social engineering, wireless testing, and continuous improvement of asset valuation.
Discover major risk management frameworks from ISACA, ISO, and the NIST Risk Management Framework, and follow the framework lifecycle, from categorizing systems to selecting controls, authorizing, and ongoing monitoring.
Develop threat modeling by identifying threats, threat agents, and vulnerabilities; prioritize risks by likelihood and impact, then implement countermeasures and awareness training to reduce attack surfaces.
Develop an acquisition security strategy with baseline cybersecurity standards, vet vendors and OEMs, and align cloud services (IaaS, PaaS, SaaS) with risk, SLAs, and third-party certifications.
Incorporate formal security awareness training within the security program, teaching policy, role-based topics like phishing prevention, and building a culture where everyone treats security as part of their job.
Define data ownership and custodian roles, and establish a policy that governs privacy, liability, and regulatory compliance. Guide secure storage, controlled access, and data classification to ensure consistent governance.
Assign roles and responsibilities for data management and hold individuals accountable for their tasks. Establish data ownership and metadata standards, disposal procedures, and quality metrics to protect information.
Data owners determine access, classify data, and set retention and destruction policies. They understand data creation or acquisition, assess impact, and ensure data accuracy and cleanup.
Learn what data custodianship means: custodians implement owner requirements, develop and maintain data, grant access, and ensure handling per classification. Explore roles like IT staff and database administrators.
Keep data fit for use by enforcing input validation, quality control, and quality assurance. Manage data quality by balancing accuracy and value, and guarding against errors of commission and omission.
Organize data with clear naming schemes, file titles, and a taxonomy, then document metadata to enable easy search, ownership tracking, and accurate interpretation of fields.
Data has a lifecycle from creation to archiving and secure disposal; specify data formats, audit regularly, and weave security into every phase.
Explore data specification and modeling to turn stakeholder requirements into a robust data model, with relational databases, tables, relationships, and integrated security from the start.
Maintain and migrate databases to keep data healthy and available as technology evolves, applying threat analysis and controls to reduce data loss risk.
Conduct data audits to verify data meets standards, learn from findings, and improve practices through internal checks and neutral third-party assessments, including data retention and compliance with FOIA and FISMA.
Implement secure storage and archiving that preserve confidentiality, integrity, and availability, plan cloud or offsite backups, ensure format and backward compatibility, and define recovery time objective and recovery point objective.
Protect data inside computers by securing hardware, software, and databases with permissions, separation of duties, and encryption. Use defense in depth and the Deming Cycle to monitor and improve controls.
Apply the need-to-know principle to control data access, ensuring confidentiality, integrity, and availability by managing permissions, user accounts, and encryption keys for relevant stakeholders.
Publish data securely by applying handling requirements, data marking, and access controls for the right people. Enforce storage encryption and destruction, plus crypto shredding to remove data remnants.
Learn how data and assets are classified and labeled to define protection requirements and handling rules. See how global classification practices guide secure data handling and prevent unauthorized access.
A data classification policy defines access rights, security requirements, retention and destruction rules, and encryption needs to protect sensitive information while ensuring regulatory compliance.
Manage assets by tracking inventory and relationships as configuration items in a centralized configuration management database. Track software licenses and hardware through their lifecycle from acquisition to disposal.
Protect user privacy by safeguarding personal data and complying with laws, including fair collection of PII, purpose limitation, data minimization, accuracy, accessibility, secure destruction, GDPR, Privacy Shield, and Safe Harbor.
Learn how retention secures data across media, hardware, and personnel by classifying information, defining retention policies, archiving through its lifecycle, and auditing compliance.
Establish and follow a data retention policy that dictates how data is stored, retained, and disposed of; train staff to implement secure handling and disposal practices.
Secure data at rest by applying encryption, backups, access controls, and media labeling to protect stored information from risks.
Understand data in transit and the encryption methods protecting it, from link and end-to-end encryption (HTTPS, TLS) to securing email, VPN, and wireless networks with IPsec, SSH, and WPA2.
Understand baselines from ISO, Nice, and NIST, plus payment card industry standards, to secure data in use, at rest, and in transit; implement prevent, detect, respond, and recover.
Define scoping to ensure adequate coverage of security controls and tailor them to fit your business needs using guidance as a checklist, delivering value while managing risk through supplementation.
Explore how U.S. standards shape security practices, from DoD 8510 risk management to the NIST cybersecurity framework, and access free federal guidance on asset vulnerabilities.
Examine international cybersecurity standards and guidance from ISO, ENISA, ITU, and UK and US resources. Learn about ISO 27001 and the 27000 family and options for certification and attestation.
Explore the national cybersecurity framework manual from NATO's Cooperative Cyber Defense Center of Excellence, outlining national security focus, political aims, strategic goals, stakeholders, organizational structures, and other guidance documents.
Explore the NIST Cybersecurity Framework for improving critical infrastructure cybersecurity, a non-prescriptive model built from existing guidelines with a common taxonomy, featuring the identify, protect, detect, respond, and recover core functions.
Translate user needs into secure systems using the V model, covering requirements, design, implementation, and verification across the full lifecycle. Integrate technical and management concerns and security principles throughout.
Explore core computer system components, including the processor, RAM, primary and secondary storage, virtual memory, firmware, and peripherals. See how the operating system, drivers, and security measures coordinate data.
Align enterprise security architecture with the organization's mission and assets, balancing boundary control, access control by need-to-know, integrity, cryptographic services, and audit and monitoring to protect value.
Learn how common enterprise architecture frameworks, such as Zachman, SABSA, TOGAF, and ITIL, guide security architecture and reduce trial-and-error learning.
Explore fundamental security models as conceptual representations, including state machine, lattice, noninterference, matrix-based, and information flow models, with Bell-LaPadula and Biba as core examples.
The Bell-LaPadula confidentiality model uses a lattice of levels such as public, secret, and top secret to govern reading and writing, with the simple, star, and strong star properties.
The lecture explains the Biba integrity model, a lattice-based approach to trust, with reading at your level or higher and no write-up, illustrated by newsroom analogies.
Explore the Clark-Wilson integrity model, detailing three goals to prevent unauthorized changes, unauthorized alterations by authorized users, and typos, by placing a program between subjects and objects.
Explore the Lipner, Brewer-Nash, Graham-Denning, and Harrison-Ruzzo-Ullman models, emphasizing integrity and confidentiality, the Chinese Wall for conflicts of interest, and domain-based access control.
Capture and analyze requirements to design secure, functional systems. Distinguish functional vs non-functional requirements, emphasize security, backup, and recoverability in security architecture.
Design and document security architecture from multiple perspectives—contextual, conceptual, logical, physical, component, and operational—using the SABSA model to ensure comprehensive security.
Explore common formal security models and the common criteria used to assess third-party products. Learn how certification and accreditation ensure a product meets security requirements for government and enterprise use.
Examine how the Trusted Computer System Evaluation Criteria (TCSEC) emerged in the early 1980s to standardize government mainframe security, introducing the trusted computing base and a seven-level grading scale.
Compare Europe's Information Technology Security Evaluation Criteria (ITSEC) with TCSEC, highlighting security targets, targets of evaluation, and levels of assurance from E0 to E6 for hardware and software.
The Common Criteria establish an international evaluation system for security products, rooted in TCSEC and ITSEC, standardized by ISO/IEC, with protection profiles and seven EAL levels.
Explore how ISO 27001 and ISO 27002, COBIT, and PCI DSS provide certification and controls covering 114 controls across 14 groups to verify vendor security and protect payment data.
Explore access control mechanisms that protect confidentiality, integrity, and availability by using permissions and locks, and master vocabulary like subject, object, and the reference monitor, such as the security kernel.
Secure memory by enforcing processor states and memory isolation through layering, process isolation, abstraction, and cryptographic protections, then protect keys with a Trusted Platform Module (TPM) and virtualization.
Learn how security engineering identifies vulnerabilities and designs controls to strengthen subsystems, covering emanations, TEMPEST protections, race conditions, time-of-check/time-of-use (TOCTOU) flaws, and covert channels.
Address vulnerabilities as computing moves to cloud and mobile, while mobile device management, antivirus, encryption, app controls, and remote lock and wipe help secure enterprise devices per SP 800-124.
Combat single points of failure by implementing redundancy across data connectivity, storage, servers, and power. Use failover, backups, and clustering (active-active or active-passive) to maintain availability.
Understand client-based vulnerabilities across desktops and mobile devices, enforce baseline security, minimize admin rights, and implement automatic updates, change management, and mobile device management to protect corporate data.
Secure server-based vulnerabilities by securing remote access with multi-factor authentication and encryption, enforcing network separation, patching and monitoring, ensuring business continuity, and using data flow diagrams to protect data.
Explore database concepts such as data warehousing, data inference, data aggregation, and data mining, and learn how large scale parallel data systems handle big data and privacy implications.
Explore large scale parallel data systems and why one machine cannot handle big data, as data growth drives insights, mining, cloud computing, and evolving databases.
Explore distributed systems and cloud computing, featuring grid computing and broad network access. Demonstrate how on-demand self-service and resource pooling reduce costs in cloud environments.
Learn rapid elasticity in cloud computing, where demand drives on-the-fly resource scaling and pay-for-use. Grasp SaaS, PaaS, IaaS, and deployment models like private, public, community, and hybrid.
Explore cryptographic systems and core concepts like hash functions, digital signatures, asymmetric encryption, and certificate authorities, emphasizing key management, encryption, decryption, and non-repudiation.
Explore stream-based ciphers and how exclusive OR (XOR) uses a key stream to encrypt data bit by bit in symmetric encryption, emphasizing unpredictability and RC4 as the notable example.
Block ciphers encrypt data in fixed blocks, use initialization vectors and padding to prevent patterns, and depend on key length and modes like electronic codebook (ECB) and cipher block chaining (CBC).
Define symmetric algorithms and show that encryption and decryption use the same key, with stream and block ciphers as examples, while acknowledging upcoming topics on asymmetric encryption and hashing.
Explore the evolution of symmetric cryptography from DES to AES, detailing 56-bit versus 256-bit keys, 64-bit blocks, and the move to secure block modes including ECB and the AES standard.
Explore counter mode algorithms, how a counter encrypts data, and compare it with electronic codebook and cipher feedback mode while reviewing DES, 3DES, AES, and key lengths.
Explore how asymmetric cryptography uses a public key for encryption and a private key for decryption, contrasting it with symmetric cryptography, and noting how keys enable confidentiality and integrity.
Explore key asymmetric algorithms such as RSA, Diffie-Hellman, and ElGamal, and show how HTTPS with TLS 1.2 uses elliptic curve cryptography to share a symmetric key for secure web traffic.
Explain hashing and hybrid cryptography by linking hash functions and message digests with symmetric and asymmetric encryption, using MD5 and SHA, digital signatures, and MAC for data integrity.
Analyze software vulnerabilities and threats to engineer secure web systems, using XML and JSON for data exchange, and apply SAML and OWASP guidance on the top ten web application risks.
Explore the risks of remote computing and virtual private network access to internal networks, including device health checks, multifactor authentication, network segmentation, and policy controls to enable secure remote work.
Assess the risks of mobile devices and platform proliferation across Android and iOS, and how data sync creates attack surfaces via text, email, camera, microphone, GPS, and social media.
Explore cyber-physical systems across transportation, health care, energy, and industry, highlighting embedded computers as attack vectors and weaving in risks, vulnerabilities, and threats for secure engineering.
Explore the history of cryptography from ancient Greek encryption days and leather-strip ciphers to the Enigma machine and Navajo code talkers, and note modern encryption based on ones and zeros.
Explore the future of encryption, including quantum computing and quantum cryptography with entanglement, and learn about homomorphic encryption, which keeps data encrypted during use but is not fully realized yet.
Explore how encryption supports the CIA triad by enhancing confidentiality, safeguarding integrity with hash verification, and highlighting key management risks that can impact availability.
Explore how cryptography enables non-repudiation, authentication, and access control with public and private keys, encrypted passwords, and hashing, while protecting data at rest and in transit through link encryption.
Follow the cryptographic life cycle from algorithm creation to replacement, learn why standard, well-vetted algorithms beat homemade ones, and explore export controls and law enforcement debates.
Learn how public key infrastructure verifies that public keys truly belong to their owners, enabling secure key exchange, digital certificates, and trusted certificate authorities, and revocation when certificates are compromised.
Explore key management in encryption systems and the XML Key Management Specification, explain Kerckhoffs's principle, and show how dual control and split knowledge protect keys.
Explore how to create and securely distribute keys, ensuring true randomness, appropriate key length, secure storage, and recovery options, including escrow and dual control.
Digital signatures encrypt a hash of a document with a private key and verify with a public key, confirming integrity, signer identity, and standards like DSA.
Protect data beyond its containment with digital rights management (DRM), applying the concept to music, software, and corporate information across its lifecycle using keys, connectivity checks, USB keys, and watermarks.
Non-repudiation means a person cannot deny involvement in something. Verify non-repudiation by confirming involvement according to the official definition.
Generate a fixed-size, one-way digital fingerprint to verify data integrity without decryption, enabling password storage as hashes and detecting tampering with collision-resistant, deterministic outputs.
Explore hash functions, especially MD5 and SHA variants, and how salting combats rainbow table attacks. Understand the birthday paradox and collision risks in hashing for authentication.
Explore common cryptanalytic attacks such as ciphertext-only, known and chosen plaintext, differential and linear cryptanalysis, replay attacks, dictionary and brute-force methods, and social engineering.
Strengthen physical security by designing site roadways that limit entrances, slow traffic, and deter unauthorized vehicle access through barriers, serpentine layouts, and strategically placed bollards.
Design spaces to prevent crime through environmental design by using beautiful lighting, thorny shrubs, and open, well-lit areas that encourage gathering while deterring criminals.
Compare window glass options for security planning, including plate, tempered, wired, laminated, and bullet resistant glass, and explain detection with glass break sensors in alarm systems.
Secure parking garages manage one way in and one way out, monitor access with cameras and guards, post signs about valuables, and ensure safe exits during emergencies.
Identify location threats for data centers by weighing natural hazards like hurricanes and earthquakes and manmade risks, then design fire prevention, suppression, and essential utilities into site planning.
Understand how FEMA risk management services publications guide physical site and facility security, offering credible disaster readiness guidance and threat resistance for the CISSP exam.
Secure the data center by protecting cables to prevent eavesdropping and securing the facility entrances and server racks with multi-factor access and locked cabinets.
Explore restricted and work area security by implementing visual and acoustic access controls, detecting eavesdropping and emanations, and securing physical and technical access with locks, alarms, and guards.
Learn data center security essentials, securing power with UPS and generators, HVAC cooling, water management, air contamination controls, and fire detection and suppression strategies.
Understand the OSI model's seven layers, from application to physical, and how data travels up and down the stack, with IP addresses, MAC addresses, and routing guiding delivery.
Explore the OSI lower layers from the physical layer and Ethernet to data link MAC addressing with ARP, then cover layer three routing with IP, routers, and default routes.
Explore the transport to application layers of the OSI model, comparing TCP and UDP behaviors, the three way handshake, and protocol roles from HTTP and DNS to DHCP and LDAP.
Map TCP/IP to the OSI model and review IPv4 addressing, subnet masks, and CIDR notation, including class A, B, and C ranges and the shift toward IPv6.
Explore IPv6's expanded addressing and built-in security, including quality of service. Review TCP/IP concepts, port numbers, and protocols such as HTTP, HTTPS, SMTP, and FTP.
Explore how DNS, LDAP, NetBIOS, NIS, and SMB enable name resolution and cross-platform file sharing, and learn essential ports 53, 25, 21, 80, and 443.
Explore SCADA as industrial networking that enables control of field devices, from valves to conveyors, across diverse protocols and OSI layers, while highlighting historical security gaps and exam-focused concerns.
Demonstrate converged protocols by pairing standard with specialty protocols, enabling quality of service traffic for streaming video and storage via Fibre Channel over Ethernet (FCoE), iSCSI, and Multiprotocol Label Switching (MPLS).
Voice over IP converts spoken words into data packets and delivers them over the internet, enabling IP telephony and communications with SIP, while packet loss, jitter, and sequencing affect quality.
Explore wireless technologies like Wi-Fi, Bluetooth, and WiMAX, and learn how collision avoidance, ad hoc mode, and spread spectrum enable local and wide area networks across devices.
Identify common wireless security issues, including open system authentication, shared key risks, and ad hoc mode, and secure with infrastructure mode and WPA2 and AES to prevent eavesdropping.
Protect data in transit with public key cryptography, session keys, and https; use digital signatures and certificates to verify identity and guard against eavesdropping, tampering, and impersonation.
Explore how boundary routers, dual-homed hosts, and a demilitarized zone fortify networks with firewall rules and access control lists, defending against spoofing and man-in-the-middle attacks.
Analyze how hardware like modems, concentrators, front end processors, multiplexers, hubs, bridges, switches, and routers impacts network security and traffic, using MAC and IP addressing and default routes.
Explore wired transmission media, including twisted pair (unshielded and shielded), coaxial cables, patch panels, and fiber optic types, highlighting shielding, twists, and single- vs multi-mode performance.
Explore how network access control devices and firewalls filter traffic by IP and port to protect networks. Learn about NAT, port address translation, static and stateful inspection, and proxies.
Protect endpoints by enforcing up-to-date antivirus, host-based firewalls, full-device encryption, OS patches, and hardened configurations, while using mobile device management and strong policies to safeguard corporate data.
Define content distribution network (CDN) and explain how distributed servers near users speed content delivery. Learn how CDN providers host content to reduce bandwidth and ISP concerns.
Explore securing voice communications across analog and digital channels, compare circuit switching with packet switching, and understand how encryption protects modern phone calls.
Explore multimedia collaboration and secure communication channels, from peer-to-peer sharing and Napster piracy to remote meetings, instant messaging, encryption, and Zoom vulnerability lessons.
Explore open protocols and applications such as Jabber for presence and IRC channels, and learn how tunneling, proxies, and firewall restrictions interact with region-based access.
Discover how remote access uses VPN tunneling with PPTP or L2TP, IPsec for confidentiality, and RADIUS authentication, while replacing Telnet with Secure Shell.
Compare analog and digital data communications, including modems and DSL, and one-zero signaling. Explore bus, tree, ring, mesh, and star topologies with unicast, multicast, and broadcast definitions.
Explore software defined networking and cloud-based on-demand provisioning of virtual networks. Understand the three layers—application, control, and infrastructure—and how PVLANs enable secure isolation.
Understand how networks open attack vectors by linking devices like cameras, smart TVs, and IoT sensors. Learn to apply security thinking and architecture to defend doorways into your castle.
Design and monitor security domains to make the network a bastion of defense. Prepare containment, eradication, and backups for mission critical systems.
Apply defense in depth with layered defenses to protect confidentiality, integrity, and availability, and avoid open mail relay by dropping misrouted emails to prevent spam.
Explore scanning techniques to identify live hosts and open ports, including ping sweeps and FIN or Christmas tree scans, and how intrusion detection systems respond.
Use a security event and incident management tool to centralize logs, perform vulnerability and discovery scanning (Nessus, Nmap), and guide rapid detection and response.
Explore IP fragmentation attacks and crafted packets, including teardrop, overlapping fragments, and source routing, plus Smurf and fraggle denial-of-service techniques, and legacy protocol flaws in NTP and finger.
Examine denial of service and distributed denial of service attacks, including SYN flood and ping of death, and see how botnets overwhelm targets to compromise availability.
Learn how spoofing deceives users and networks by forging identities, covering IP spoofing, SYN floods, DNS manipulation, phishing, host file attacks, split DNS, and training.
Learn how session hijacking takes over active user sessions by becoming a man-in-the-middle, using techniques like IP spoofing and SYN scanning to gain unauthorized access.
Manage who gains access to assets by enforcing physical and logical access controls, using locks, badges, and permissions (read, write, execute) to regulate space, files, and systems.
Identify how unique identities, authentication, and authorization govern access, using IDs like user IDs, emails, account numbers, and badges, while noting RFID, MAC addresses, IP addresses, and privacy risks.
Learn identity management implementation with password management, authentication, and user education, plus account, profile, and directory management using replication and organizational units.
Explore directory technologies like LDAP and Active Directory, including identity management, domain structures, single sign-on, Kerberos tickets, federation, and access controls.
Explain authentication by outlining three factors: something you know, something you have, and something you are. Show that true multi-factor authentication requires at least two factors, including biometrics when applicable.
Establish accountable identity management with unique IDs and strong authentication, then monitor, audit logs, and support independent audits to build an integrity-driven organizational culture.
Explore session management for identity access, covering desktop and web-based sessions, login processes, session IDs in cookies, timeouts, automatic logouts, and securing cookies with HTTPS.
Learn how identity management verifies who users claim to be through in-person checks, multi-form IDs (driver’s license, passport, birth certificate), and identity proofing standards.
Verify credentials with a credential management system, enforce strong passwords, generate and look up passwords, implement access control, hashing, and encryption, and audit logins to ensure always-on availability.
Explore identity as a service (IDaaS) in the cloud, enabling single sign-on, federation, granular permissions, and centralized administration while syncing with internal directories for accountability and reduced overhead.
Integrate third-party identity services with cloud providers by using cloud identity, on-premises directory synchronization, or federated identity, and align with service providers to grant employees access to resources.
Define authorization and role-based access control, showing how permissions flow from roles or groups to users. Explore non-RBAC, hybrid, and full RBAC models using examples like sales, trainer, and student.
Enforce rule-based access control with rules that work regardless of user role. Use timing, content, and network rules, building access hours and firewall blocks, and combine them with role-based controls.
Learn mandatory access control as label-based access where the subject's label must match or exceed the object's label, with Bell-LaPadula implications in military contexts.
Discretionary access control lets the data owner determine access by granting read, write, modify, or execute permissions to users or groups via an access control list.
Enforce physical security, protect password files with encryption and hashing, deploy strong passwords and multifactor authentication, and regularly audit, disable stale accounts, and enforce account lockout and vulnerability scans.
Provision accounts and assign necessary permissions to manage identity and access. Continuously review and revoke unused permissions to prevent scope creep and disable terminated accounts.
Design security into every stage of the engineering lifecycle from early system and software design through deployment and retirement, incorporating security requirements and OWASP top ten.
Assess systems by reviewing centralized logs to detect breaches and inform response. Enforce policies, prioritize critical assets, and maintain a centralized logging infrastructure with clear accountability.
Define synthetic transactions as fake, scriptable traffic you test against web apps, databases, and networks to assess overload handling, detect deadlocks, and validate firewall and routing behavior.
Learn how code review and security testing prevent software vulnerabilities by validating inputs, applying static and dynamic testing, and using OWASP top ten guidance.
Practice negative testing by attempting misuse scenarios to break the software, validating data types, bounds, and session cookie security, using examples like shopping carts and input fields.
Practice interface testing and learn the top 25 common weaknesses, the CWE list, and its three categories—insecure interactions, risky resource management, and porous defenses—to design safer software.
Implement continuous monitoring of security data across the network to turn events into insights via a risk-based strategy and program. Adjust the plan and update the playbook as findings arise.
Clarify SOC reporting by differentiating SOC 1 financial audits from SOC 2 and SOC 3 security-focused assessments. Show how cloud service providers use independent CPA audits to prove secure operations.
Identify and protect the crime scene, collect and forensically analyze digital evidence using hashes and forensic copies, and maintain chain of custody for admissibility in court or internal reviews.
Define incident detection and response policies, assign qualified roles, and establish tools and procedures to detect, contain, and resolve incidents while protecting evidence and documenting lessons learned.
Triage incidents to assess real vs. false alarms, severity, and containment needs. Investigate by protecting evidence, bagging, tagging, and analyzing the impact on systems to track infection and data changes.
Explore how to protect and document evidence, maintain chain of custody, uphold the five rules of evidence, ensure admissibility, and analyze media, network, and hardware during investigations.
Assess jurisdictional concerns in digital evidence collection across local, cloud, and cross-border contexts. Use intrusion prevention systems and SIEM tools to log, correlate events, flag anomalies, and support investigations.
Explore continuous monitoring as a service for information systems, and egress monitoring of outbound traffic to detect threats like trojans, rootkits, and APTs, enabling data loss prevention through DLP.
Identify and catalog sensitive data, monitor its movement across networks and devices, and enforce lifecycle policies to prevent data loss in all forms—at rest, in motion, and in use.
Learn how configuration management drives maturity by identifying configuration items, establishing baselines, tracking and controlling changes, and auditing configuration records to safeguard network assets.
Develop operational resilience to keep production running and deliver value. Protect assets by balancing usability and security, control system accounts, and manage security services with processes for consistent value delivery.
Enforce least privilege and need-to-know for all accounts to reduce risk. Separate day-to-day from administrator tasks using administrator, service, power user, normal, and guest accounts with appropriate access.
Implement separation of duties by dividing tasks among multiple parties. Enforce least privilege and job rotation across operators, security administrators, helpdesk, and ordinary users to detect fraud.
Conduct thorough background checks and validate accounts before assigning sensitive roles, then apply due diligence, job rotation, and mandatory vacations to audit activity, detect mishandling or fraud, and protect assets.
Secure information through its lifecycle by assigning owners, classifying data, managing access, retaining records, and destroying old data to prevent exposure and support e-discovery.
Explore service level agreements as measurable contracts that specify five nines uptime, availability, and indemnification, with third-party verification and renewal considerations.
Guard tangible and intangible assets through media management, removable media policies, cloud storage controls, crypto shredding, and secure disposal and data wiping.
Detect and respond to security incidents using signature or pattern matching and anomaly detection with centralized logs. Employ incident management and AI/ML insights for faster, coordinated responses.
Detect, contain, eradicate, and recover from security incidents, then perform remediation, review, and root-cause analysis. Use lessons learned and audits to prevent future incidents.
Prevent unauthorized disclosure by applying controls that protect information and resources in all settings. Unauthorized disclosure threatens confidentiality, availability, and integrity, including through data destruction or improper modification (e.g., of a bank account balance).
Discover network and host intrusion detection systems, how sensors monitor traffic and logs, and how signature- and anomaly-based detection flags intrusions for rapid response.
Explain whitelist, blacklist, and greylist as access-control approaches. Describe third-party security services, sandboxing, honeypots, honeynets, and dynamic versus static application security testing.
Drive patch and vulnerability management by testing vendor patches in a controlled environment, coordinating patch scheduling and change management with centralized deployment, and using vulnerability scanners to remediate exposures.
Learn how change management prevents production disruption by formalizing requests, assessments, approvals, testing in a safe environment, after-hours implementation, and documentation in a configuration management database.
Track configuration items and software assets across systems using configuration management databases, ensuring state, location, and changes are controlled under policies.
Explore recovery site strategies for outages, from dual data centers and hot, warm, and cold sites to internal, external, and mobile options, with processing agreements and outsourcing considerations.
Explore resilience and fault tolerance by prioritizing redundancies, such as hot, warm, and cold spares. Use multi-drive RAID configurations and power backups to maintain operations during failures.
Document the disaster plan within event management to prioritize safety, triage incidents, escalate quickly, and assign clear ownership, training, and resources for effective stakeholder communication.
Assign emergency management and response teams to assess incidents, declare disasters when needed, and manage the disaster recovery plan while coordinating resources to minimize impact and restore operations.
Identify stakeholders and communicate with personnel during disasters using automated telephone systems, websites, social media, and calling trees, while protecting communications through clear roles and public relations.
Assess emergencies to decide whether to apply an incident response plan, an accelerated plan, or disaster recovery. Train staff and rehearse drills to ensure quick restoration and return to normal.
Maintain and update disaster recovery plans with exercises and testing, adapt to environment changes, identify and fix deficiencies, and use diverse test strategies with clear objectives, schedules, and escalation plans.
Conduct a tabletop exercise, or structured walkthrough, with key decision makers to review, verify, and refine disaster and business continuity plans, ensuring clear roles and regular, low-cost testing.
Demonstrate through walkthrough drills and simulation tests how to mobilize the crisis management team, validate disaster plans, and identify missing resources or steps before a real disaster.
Engage in a functional drill, a parallel test of the business continuity plan, involving all employees across primary and secondary sites to validate disaster recovery and resource mobilization.
This lecture explains full interruption and full-scale tests that shut down primary operations, mobilize the entire enterprise, and validate backups, disaster recovery plans, and external coordination under simulated disaster conditions.
Schedule regular reviews by the contingency planning group and the business continuity planner to ensure the plan evolves with changes and sustains operations during disasters.
Secure facilities with gates, fences, and six-foot deterrent barriers like bollards, then detect intrusions using infrared and motion sensors, video content analysis, and lighting for safe egress.
Describe how access control uses magnetic stripe, proximity, and smart cards to grant or deny facility entry, managed by an access control head end and its database.
Closed circuit television cameras detect access and monitor entry points, with indoor and outdoor suitability, lenses from telephoto to fisheye, and requirements for lighting, resolution, frame rate, and monitoring.
Identify interior intrusion detection systems, including magnetic sensors, motion-activated cameras, acoustic sensors, infrared sensors, and dual technology sensors. Implement administrative controls like visitor check-in and escorts to protect interior facilities.
Examine interior building security by reviewing door types, locks, and access controls, from hollow doors to reinforced steel doors, mantraps, electric and cipher locks, key cards, and key control.
Prioritize personnel safety by safeguarding health, privacy, and the confidentiality, integrity, and availability of assets; address travel considerations, duress training, and post-travel device checks.
Explore the software development lifecycle from requirements and design through development, testing, documentation, acceptance, production, and replacement, while baking security in at every phase.
Explore the five maturity levels of the capability maturity model (CMMI), from unmanaged to optimizing, and learn how defined, measurable processes drive predictable, improved software development outcomes.
Align dev and operations through an integrated product team and DevOps to manage changes, test in a production-like environment, deploy repeatably, and monitor with feedback loops.
Explore major software development methods, including waterfall, clean room, and iterative prototyping, and see how agile practices like scrum emphasize communication, refinement, and flexible requirements.
Explore how database management systems enable transaction persistence, fault tolerance, and multi-user access, and compare relational, hierarchical, and object-oriented models with primary and foreign keys, integrity constraints, and SQL views.
Explore common database vulnerabilities and threats, from aggregation and bypass attacks to view-based access control. Understand concurrency issues, data integrity risks, and denial of service with practical examples.
Explore ACID transactions (atomic, consistent, isolated, durable) and how view-based security, grant and revoke, and metadata protect databases. Compare OLTP and OLAP, with data validation and data contamination controls.
Explore how data becomes information, knowledge, and wisdom, and how knowledge management captures expert insights; ensure secure web applications and APIs guided by OWASP.
Explore how applications run on an operating system that manages RAM and hardware, isolates apps, and guards against buffer overflows and zero-day attacks while comparing open source and proprietary software.
Trace programming from machine and assembly languages to high-level compiled and interpreted languages, with encapsulation and polymorphism. Learn how the Java virtual machine provides a sandbox for secure object-oriented programming.
Libraries and toolsets offer reusable code and prebuilt functionality, while the integrated development environment and Java Virtual Machine runtime support building, debugging, and running apps.
Explore security issues in source code, including buffer overflow, malformed input attacks, memory reuse, backdoors, and covert channels, and see how static application security testing detects them.
Distinguish between viruses and worms and identify common malware types, from boot sector and macro viruses to trojans, spyware, adware, and botnet-driven DDoS attacks.
Discover malware protection strategies, including antivirus scanners, heuristic analysis, activity monitoring, hashing with system file checker, reputation scoring, and protection against zero day attacks.
Explore protective mechanisms like security kernels, reference monitors, and the trusted computing base. Understand processor privilege states, memory protection, and defenses against buffer overflows and time-of-check to time-of-use.
Explore configuration management and change management, track configuration items in a configuration management database, and plan recovery strategies and alternate sites to ensure business continuity.
Secure code repositories by implementing physical and system protections, operational security processes, encryption in transit, backups, controlled access, and payment card industry data security standards.
Secure APIs by authenticating connections and verifying users, using TLS to encrypt basic authentication credentials and OAuth 1.0 and OAuth 2 flows, ensuring protected API interactions over the web.
Learn the definitions of certification and accreditation and how the risk management framework guides real-time risk management. Vet software by selecting, implementing, and assessing appropriate security controls within risk tolerance.
Record and review changes through auditing and logging to understand what happened and assess control effectiveness. Identify abnormal activity, support forensic analysis, ensure information integrity, and meet regulatory compliance.
Practice ongoing risk analysis and mitigation across the software life cycle, using change management, documentation, testing, backups, and code signing to safeguard systems.
Explore software assurance across the acquisition lifecycle, from planning and requirements to contracting, monitoring, and follow-on support, ensuring patches, changes, and vendor reliability.
Emphasize wide domain coverage, weighted exam domains, and practice questions in the CISSP course recap, and offer tips such as glossary study, keyword underlining, majority and umbrella reasoning, and timer tricks.
CISSP is the gold standard for security certifications. It covers the breadth of information security's deep technical and managerial concepts, teaching you to effectively design, engineer, and manage the overall security posture of an organization.
This course covers Domain 1 - Security and Risk Management. This domain is one of the most important domains in the CISSP exam. It lays the foundation, covering security concepts that all the other domains build upon. Understanding exactly what security means and the core concepts around assessing and managing the wide array of risks we face is fundamental to every domain in the CISSP.
Domain 2 - Asset Security. An asset is anything we value. When we have highly valued assets, such as sensitive data, securing those assets throughout their lifecycle is paramount. We will learn about data standards, classification, regulations, retention, and controls to protect organizational value.
Domain 3 - Security Engineering. Engineering is about understanding and designing systems that work. Security is a fundamental part of any well-designed system. This domain will help you understand the engineering lifecycle and the various models and security components required in data structures and physical facilities. We also learn how cryptography fits into information security.
Domain 4 - Communication and Network Security. Information is not just stored; it is also transmitted and must be secured in transit. Understanding networking models, protocols, hardware components, and possible attack vectors is vital to information security. It is one of the most important domains on the CISSP exam.
Domain 5 - Identity and Access Management. Controlling who can access valuable resources can lead to proper confidentiality, integrity, and availability. A CISSP must understand mechanisms and techniques to verify a subject’s authenticity before authorizing access. They must be able to assure that only proper interactions have occurred and mitigate potential attacks.
Domain 6 - Security Assessment and Testing. Understanding the effectiveness of your security measures is vital. As you collect and review logs, verify software development security, and undergo security audits and certification, you gain assurance and insight into your security status and needs.
Domain 7 - Security Operations. From incident response that involves investigation of evidence to facility access management and disaster recovery planning, testing, and implementation, this domain requires putting security principles and concepts into practice.
Domain 8 - Security in the Software Development Life Cycle. Many of the most publicized security issues have stemmed from flaws in the software code. While a CISSP does not have to be a software developer, they must understand and be able to communicate software development security needs. In this domain you will learn important terminology and concepts of software development.