
Addresses framework and policies, concepts and standards to establish criteria for protection of information assets
Governance and business behaviors
Administrative, technical and physical controls
Protects confidentiality, integrity and availability
Policies, procedures, standards, baselines and guidelines
Risk assessment, risk analysis, data classification and security awareness
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) include preparing, process and practices to mitigate damages and restore operations
Concepts of confidentiality, integrity and availability
Security governance principles and Compliance
Legal and regulatory issues
Documented security policy, standards, procedures and guidelines
Business continuity requirements
Personnel security policies
Risk management concepts
Threat modeling
Integrating security risk and considerations into acquisitions strategy
Security education, training and awareness
Concepts, principles, structures and standards to monitor and secure assets and controls for confidentiality, integrity and availability
Operations security concerned with protection and control of information processing assets
Information security management foundation of comprehensive and proactive security program to protect assets through policies, procedures, standards, baselines and guidelines
Security management includes administrative, technical and physical controls for confidentiality, integrity, availability
Classify information and supporting assets
Sensitivity and criticality
Determine and maintain ownership
Data, system, business and mission owners
Protect privacy
Data owners, processes and remanence
Ensure appropriate retention
Media, hardware and personnel
Determine data security controls
Data at rest and in transit, baselines, scoping and tailoring, standards selection and cryptography
Establish handling requirements
Markings, labels, storage and destruction of sensitive information
Concepts, principles, structures and standards to design, implement, monitor and secure operating systems, equipment, networks, applications and those controls to enforce confidentiality, integrity and availability
Covers practice of applying comprehensive current and/or future structure to align practice and process with core goals and strategic direction
Cryptography examines principles, means and methods of mathematical algorithms and data transformations to ensure integrity, confidentiality and authenticity
Physical security focusses on threats, vulnerabilities and countermeasures to physically protect enterprise resources and sensitive information
Implement and manage an engineering lifecycle using security design principles
Fundamental concepts of security models
Control and countermeasures based on information systems security standards
Security capabilities of information systems
Assess and mitigate vulnerabilities of security architectures, designs and solution elements
Client-based (applets, local caches)
Server- based (data flow control)
Database security
Large scale parallel data systems
Distributed systems (cloud computing, peer to peer)
Cryptographic systems
Vulnerabilities in Web-based systems
Vulnerabilities in mobile systems
Vulnerabilities in embedded devices and cyber-physical systems (network-enabled devices)
Cryptography
Cryptographic lifecycle
Cryptographic types (symmetric, asymmetric, elliptical curve)
Public key infrastructure (PKI)
Digital signatures
Digital rights management (DRM)
Non-repudiation
Integrity (hashing and salting)
Methods of cryptographic attacks (brute force, cipher-text only, known plaintext)
Apply secure principles to site and facility design
Facility security
Wiring closets
Server room
Media and storage facilities
Evidence storage
Restricted and work area security (operations center)
Data center security
Utilities and HVAC considerations
Water issues (leakage and flooding)
Fire prevention, detection and suppression
Communication and Network Security domain encompasses structures, transmission methods, transport formats, security measures used for confidentiality, integrity, availability for transmissions over private/public communications networks media
Network is a central asset in most IT environments
Loss of network assurance have devastating consequences, while control of network provides an easy and consistent venue of attack
Well-architected and well-protected network will stop many attacks
Domain focuses on Open System Interconnect (OSI) model as a point of reference
Secure design principles
OSI and TCP/IP models and IP networking
Implications of multilayer protocols
Converged protocols (FCoE, MPLS, VoIP, iSCI)
Software-defined networks
Wireless networks
Cryptography to maintain communications security
Securing network components
Operation of hardware – Switches, Routers, Wireless access points
Transmission media – Wired, Wireless, Fiber
Network access control devices – Firewalls, Proxies
Endpoint security, Content distribution networks, Physical devices
Secure communication channels
Voice
Multimedia collaboration – Remote meeting technology, Instant messaging
Remote access
VPN
Screen scraper
Virtual application/Desktop
Telecommuting
Data communication (e.g., VLAN, TLS/SSL)
Virtualized networks (e.g., SDN, virtual SAN, guest OS’s, PVLAN)
Prevent or mitigate network attacks (e.g., DDoS, spoofing)
Access Control
Process allowing authorized users, programs, computer systems (i.e., networks) to observe, modify, take possession of resources of computer system
Mechanism for limiting use of some resources to authorized users Collection of mechanisms, processes, techniques that work together to protect assets of organization
Protect against threats and mitigate vulnerabilities by reducing exposure to unauthorized activities and providing access to authorized people, processes, or systems
Identity and access management a single domain within CISSP Common Body of Knowledge (CBK) most pervasive and omnipresent aspect of information security
Access controls encompass all operational levels of organization:
Facilities –Access controls protect entry to movement around organization physical locations to protect personnel, equipment, information, assets inside that facility
Support Systems –Access to support systems (power, heating, ventilation, air conditioning (HVAC), water and fire suppression controls) must be controlled
Information Systems –Multiple layers of access controls present in modern information systems and networks to protect systems and information
Personnel –Management, end‐users, customers, business partners subject to access control to ensure right people can interface and not interfere with people do not have any legitimate business with
Physical and logical entry points to organization and information systems need some type of access control
Four key attributes of access control for good security management
Specify which users can access system or facility
Specify what resources those users can access
Specify what operations those users can perform
Enforce accountability for those user actions
Four areas represents an established approach effective access control strategy
The C‐I‐A triad: Common thread among information security objectives address at least one of core security principles: confidentiality, integrity, availability
Confidentiality – Efforts made to prevent unauthorized disclosure of information to
those with no need, or right, to see it
Integrity – Efforts made to prevent unauthorized or improper modification of
systems and information
Availability – Efforts made to prevent disruption of service and productivity
Includes both physical assets (buildings, equipment, people) and information assets (company data and information systems)
Managing access to physical and information assets is fundamental to preventing exposure of data by controlling who can see, use, modify, destroy those assets
Key factor for many organizations required to protect personal information for compliance with appropriate legislation and industry compliance requirements
Access controls and records of access activity offer visibility into determining who or what altered data or system information potentially affecting integrity of assets
Access controls used to match an entity (person or computer system) with actions that entity takes against valuable assets allowing organizations to have better understanding of state of security posture
This is why most organizations only allow employees and other trusted individuals into facilities or onto corporate networks
Restricting access to those who need to use resources reduces likelihood malicious agents can gain access and cause damage to asset or that nonmalicious individuals with unnecessary access can cause accidental damage
Physical and logical access to assets
Information, Systems, Devices, Facilities
Identification and authentication of people and devices
Identity management implementation (e.g., SSP, LDAP) , Single/ multi‐factor authentication (e.g., factors, strength, errors), Accountability and Session management (e.g., timeouts, screensavers), Registration and proofing of identity, Federated identity management (e.g., SAML), Credential management system
Identity as a Service
Third‐party identity services
Authorization mechanisms
Role‐based access control (RBAC) methods, Rule‐based access control methods, Mandatory access control (MAC), Discretionary access control (DAC)
Access control attacks
The identity and access provisioning lifecycle
The CISSP certification is an elite way to demonstrate your knowledge, advance your career and become a member of a community of cybersecurity leaders. It shows you have all it takes to design, engineer, implement and run an information security program.
This course is the most comprehensive review of information security concepts and industry best practices, and covers the eight domains of the official CISSP CBK (Common Body of Knowledge). You will gain knowledge in information security that will increase your ability to successfully implement and manage security programs in any organization or government entity. You will learn how to determine who or what may have altered data or system information, potentially affecting the integrity of those asset and match an entity, such as a person or a computer system, with the actions that entity takes against valuable assets, allowing organizations to have a better understanding of the state of their security posture. Policies, concepts, principles, structures, and standards used to establish criteria for the protection of information assets are also covered in this course.
In‐depth coverage of the eight domains required to pass the CISSP exam:
Security and Risk Management
Asset Security
Security Engineering
Communications and Network Security
Identity and Access Management
Security Assessment and Testing
Security Operations
Software Development Security