Explore the CISSP certification exam with an overview of the CBK eight domains, exam format and tips, and a guided path to study, practice exams, and community support.
Before you dive into the course, take a few minutes to learn the 6 most common mistakes that sabotage even the smartest CISSP students.
These traps cause wasted study time, stalled progress, and failed exams. Not because students aren’t smart, but because they’re approaching CISSP the wrong way.
Download this now, read it, and refer back to it as needed throughout your CISSP journey!
Master seven CISSP exam tips to adopt a risk management mindset and apply security concepts to real world scenarios. Plan, limit resources, use practice exams, and prepare for exam day.
This lesson includes the downloadable study guide as a resource for your offline studies and note taking.
Explore the code of ethics, CIA triad concepts, governance principles, roles and responsibilities, and security awareness to counter social engineering and apply personnel security policies.
Explore the ISC2 code of ethics and its four canons: protect society, act honorably, provide diligent service, and advance the profession, and how they apply in organizational security decisions.
Explore the CIA triad—confidentiality, integrity, and availability—and learn how authenticity and non-repudiation protect data through encryption, access controls, hashing, and change management in real-world information systems.
Align security with the organization through governance, acquisitions and divestitures, and a top-down program that supports business objectives while complying with laws and regulations.
Explore organizational roles and responsibilities from executive to system level, including CEO, CFO, CIO, CISO, ISSM, and data owners, custodians, and stewards, to align security with business objectives.
Establish and maintain security awareness, education, and training programs to drive behavior change, supported by senior management, with evaluation to reduce risk and ensure PCI DSS, FISMA, HIPAA, and ISO 27001 compliance.
Explore social engineering, including pretexting and quid pro quo, phishing variants (spear phishing, whaling, vishing, smishing, spim), and defenses via security awareness training and strict identification and authentication.
Explore personnel security policies, from candidate screening and background checks to onboarding and offboarding, including non-disclosure agreements and non-compete agreements, access control, and termination procedures.
Explore personnel safety and security for travel and offsite work, covering endpoint protection, remote access, duress procedures, emergency management, and training to ensure accountability and business continuity.
Explore security governance and compliance to align practices with GDPR, HIPAA, and laws, including due care and due diligence, licensing and property rights, export and import controls, and breach reporting.
Explain due care and due diligence as the legal foundations of information security governance, defining due care as prudent, reasonable protection and detailing the research, implementation, and continuous monitoring flow.
Explore key privacy laws and regulations, including the FTC Act, GLBA, ECPA, HIPAA, HITECH, GDPR controller and processor roles, and PCI DSS, with emphasis on GDPR rights.
Explore intellectual property protection, due care and due diligence, and licensing, covering patents, trademarks, copyrights, trade secrets, and confidentiality, integrity, and availability as security tenets.
Explore export and import controls and transborder data flow, focusing on the Wassenaar Arrangement category 5 parts 1 and 2 (telecommunications and information security), cryptography, and data localization.
Explore cyber crimes and data breaches, including legal issues, CFAA, NIIPA, and FISMA, and distinguish disruption and destruction crimes, hacktivism, and attack types like active, passive, and zero-day.
Determine compliance requirements for information systems and apply protection levels to meet laws, regulations, and industry standards, including privacy obligations and potential penalties. Demonstrate compliance with plans, policies, and procedures.
Learn how security compliance artifacts—policies, standards, procedures, baselines, and guidelines—define roles, enable HIPAA-compliant security, and govern change, review, and exceptions.
Develop and implement risk management by identifying threats and vulnerabilities, assessing and mitigating risk, applying controls, and continuously monitoring risks in the supply chain for CISSP readiness.
Explore risk management concepts by identifying threats and vulnerabilities, framing risk, assessing risks, responding to them, and monitoring outcomes to protect assets and ensure compliance.
Decide and implement risk responses based on assessment findings, including mitigation and avoidance. Monitor control effectiveness, compliance, and continuous improvement with risk maturity models and heat maps.
Implement defense in depth by selecting administrative, technical, and physical controls that balance cost with asset value, using deterrent, preventative, detective, corrective, compensating, directive, and recovery controls.
Learn how continuous monitoring maintains ongoing awareness of organizational risks and security posture by evaluating administrative, logical, technical, and physical controls using NIST SP 800-137 guidance.
Learn to identify and manage supply chain risks across hardware, software, and services using key frameworks (NIST IR 7622, CNSSD 505, ISO 28000), assessments, SLAs, and due diligence.
Examine risk frameworks and their role in identifying, assessing, and responding to threats, including NIST CSF's five core functions (identify, protect, detect, respond, recover) as well as ISO/IEC 27001, PCI DSS, and SABSA.
Explore risk frameworks for the CISSP exam, focusing on the NIST RMF seven-step process (prepare, categorize, select, implement, assess, authorize, monitor) and comparing it with ISO 31000 and COSO.
Learn the NIST Cybersecurity Framework, a voluntary risk-management framework with core functions: identify, protect, detect, respond, and recover. Understand how tiers and profiles align risk goals with controls.
Explore ISO/IEC 27001's information security management system framework, covering context, leadership, planning, support, operation, and performance evaluation, with emphasis on the CIA triad and 27002 controls for exam readiness.
Explore PCI DSS, the card industry standard, focusing on protecting cardholder data and sensitive authentication data within the cardholder data environment, and outline the 12 high-level requirements and exam emphasis.
Learn how SABSA enables business-driven, risk-led security architectures that align with business objectives, integrate with major standards, and map from strategy to operations across six layers and viewpoints.
Explore risk management concepts and threat modeling to identify vulnerabilities, assess impacts, and prepare for the CISSP exam through risk assessments and control evaluations.
Explore risk assessment and analysis to identify threats and vulnerabilities, assess likelihood, and inform organizational risk decisions per NIST 800-30, then report results and maintain oversight.
Learn to conduct quantitative and qualitative risk assessments, calculating asset value, exposure, single-loss expectancy, and annualized loss expectancy, then evaluate safeguards and hybrid analysis using the Delphi technique.
Discover how control assessments verify the effectiveness of security and privacy controls, plan and perform security control and privacy impact assessments, monitor production, and report findings with risks.
Explore privacy control assessments and how PTA and PIA guide protecting PII under privacy regulations like GDPR and HIPAA, using NIST SP 800-53A to implement PDCA.
Master PCI DSS assessment by applying the ARRM cycle—assess, remediate, report, monitor—mapping the cardholder data environment and using examine, observe, and interview tests for ROC and SAQ reporting.
Learn threat modeling concepts as a proactive risk assessment from attacker and asset perspectives. Use threat intelligence, attack surface analysis, and TTPs to strengthen defenses.
Explore threat modeling methodologies including STRIDE, NIST SP 800-154, PASTA, OCTAVE, TRIKE, and VAST; learn threat categories, data flows, attack vectors, and risk analysis.
Master asset security by classifying data and assets, defining handling requirements, and provisioning assets securely across their lifecycle and information system lifecycle, including roles such as data owners and custodians.
Identify and classify data and assets across the organization, map data flows in-use, in-transit, and at-rest, build inventory and data policy, and apply protections for PII, PHI, and proprietary data.
Explore information and asset handling through policies, processes, and data owner responsibilities. Understand marking versus labeling and data states in use, in transit, and at rest with secure storage guidance.
Provision and manage system assets securely throughout their lifecycle, assign asset and data ownership, build an accurate inventory, and enforce change control and configuration management.
Identify data roles: owners, custodians, stewards, processors, subjects, and users, and their accountability for access, use, and protection, including GDPR controllers and processors.
Navigate the data lifecycle as a conceptual model from creation to destruction, protecting cradle-to-grave data through classification, storage, use, archiving, and privacy-law-driven destruction.
Explore the information system lifecycle from initiation to disposal, with security embedded at every phase, guided by stakeholder requirements, architectural design, and cloud integration, per NIST SP 800-64 Rev. 2.
Explore the information system lifecycle from verification and validation through transition and deployment, to operations, maintenance, and disposal, guided by NIST SP 800-64 rev. 2 and security controls.
Learn how data security controls protect information systems by safeguarding data at rest, in transit, and in use, using frameworks and methods like DRM, DLP, and CASB.
Explain data states—data in use is most volatile, data in transit is at risk, and data at rest becomes a target—along with security measures like authentication, encryption, and TPM.
Explore security control frameworks like COBIT, ISO/IEC 27002, and NIST SP 800-53 to align governance, policies, and controls with compliance, audits, and SOX 404.
Learn to determine and tailor security controls, administrative, physical, and technical, to protect data, meet regulatory requirements, and drive the baseline based on data types like PII and PHI.
Learn to select security controls using the NIST RMF and 800-53 baselines, tailoring based on data type, risk, and incidents, and applying the PDCA cycle for continual improvement.
Explore digital rights management, data loss prevention, and cloud access security broker usage, including DLP labeling, network and endpoint deployments, and real-time cloud risk analysis.
Explain data retention requirements across the data lifecycle, aligning policy with regulations such as HIPAA, GDPR, and PCI DSS, and managing end-of-life assets with encryption, access controls, and timely destruction.
Learn how to manage data remanence by destroying data across the lifecycle, applying declassification, anonymization, and sanitization techniques such as deidentification, pseudonymization, tokenization, and obfuscation.
Master secure design principles and security engineering to build resilient systems that protect sensitive data, covering Zero Trust, authorization, privacy by design, and security models such as Bell-LaPadula, Biba, and Clark-Wilson.
Learn secure design by selecting security controls, applying defense in depth, and managing objects and subjects with transitive trust, sandboxing, bounds, isolation, and virtualization.
Explore Saltzer and Schroeder's design principles for secure architectures, including economy of mechanism, complete mediation, open design, separation of duties, and least privilege, plus work factor and compromise recording.
Explore zero trust architecture with per-session, per-request real-time authentication and authorization, guided by NIST SP 800-207. Understand shared responsibility and inherited controls in cloud and on-prem environments.
Explore the seven privacy by design principles—proactive thinking, default privacy, privacy embedded in design, end-to-end security, and visibility—protecting PII/PHI across the data lifecycle.
Explore system security capabilities that enforce controls through memory protection, virtualization, restricted interfaces, and trusted hardware like TPM, HSM, and smart cards, with examples from cloud, Clark-Wilson, and Kibana dashboards.
Explore core security models and key concepts like the trusted computing base, security perimeter, reference monitor, finite state machines, and lattices for access control.
Explore core security models for designing policy enforcement, including noninterference (Goguen-Meseguer), information flow with Bell-LaPadula and Biba, and the take-grant and access control matrix concepts.
Study Clark-Wilson data integrity with CDI, UDI, TP, and IVP, plus separation of duties. Compare Brewer-Nash ethical walls and Graham-Denning access rights, with LDAP-style matrices and Sutherland state-machine flows.
Develop secure architectures by assessing vulnerabilities in system designs, databases, and emerging models like SASE, IoT, and microservices, aligned with CISSP exam objective 3.5.
Assess vulnerabilities in distributed and client-based architectures, secure endpoints and network communications, disable unused accounts and change passwords, and enforce defense in depth with HTTPS and SSH, monitoring, and patching.
Explore how database systems interface via SQL to manage data, assess architecture vulnerabilities, understand schema, tables, keys, aggregation and inference attacks, and apply ACID and security best practices.
Explore the Common Criteria, ISO/IEC 15408 standard, covering the target of evaluation, protection profile, security target, conformance (strict and demonstrable), plus EAL 1–7 and drawbacks.
Explore how control systems use PLC, DCS, and SCADA to automate processes and monitor operations, while highlighting vulnerabilities from aging software and denial-of-service risks.
Learn how the secure access service edge (SASE) unifies SD-WAN and security as a service, including FWaaS, SWG, CASB, and ZTNA, at the cloud edge to centralize control.
Explore how internet of things devices connect and merge operational and information technologies, creating security risks. Learn threat modeling, standards, and practices to secure IoT, update firmware, and isolate traffic.
Understand microservices architecture, including API gateways and service meshes, to isolate, monitor, and secure distributed endpoints, APIs, and traffic across cloud and container environments.
Identify vulnerabilities in embedded systems and strengthen security with threat modeling, attack surface analysis, and defense in depth that protects safety and critical operations.
Explore high-performance computing systems and GPUs in data centers for big data and research, and learn how to secure HPCs with threat modeling, data isolation, MFA, and governance.
Explore edge computing systems that deploy compute near the data source to enable real-time access, while managing edge devices, fog computing, and security risks.
This comprehensive ISC2 CISSP Certification Course is designed to equip information security professionals with the advanced skills required to protect and manage organizational security. Focusing on the eight domains defined by ISC2, this course provides learners with in-depth knowledge and practical techniques to address today's security challenges. Participants will be guided through areas such as risk management, identity and access management, and security operations, preparing them to excel on the ISC2 CISSP certification exam and in real-world security roles.
Domain Discussion
This course covers the ISC2 CISSP domains as defined by ISC2, each weighted to reflect its importance in the ISC2 CISSP exam:
Security and Risk Management (16%): Covers fundamental security principles, including risk management, compliance, and governance strategies to ensure organizational security alignment with business goals.
Asset Security (10%): Focuses on identifying, classifying, and securing information assets throughout their lifecycle, ensuring effective protection and compliance with retention and destruction policies.
Security Architecture and Engineering (13%): Addresses secure design principles, system vulnerabilities, and cryptographic solutions, equipping learners to create robust security infrastructures.
Communication and Network Security (13%): Emphasizes securing network components and communication channels, highlighting both physical and logical network segmentation.
Identity and Access Management (IAM) (13%): Guides learners through designing and managing identity and access controls, critical for protecting sensitive resources.
Security Assessment and Testing (12%): Covers methods to test and audit security controls, including vulnerability assessments and penetration testing.
Security Operations (13%): Encompasses critical incident management skills, logging, monitoring, and disaster recovery processes.
Software Development Security (10%): Instructs on embedding security throughout the software development lifecycle to prevent vulnerabilities in applications.
Course Features
This ISC2 CISSP course includes a robust set of features to enhance learning and ensure exam success. A comprehensive study guide provides structured content and insights into each ISC2 CISSP domain. Quizzes at the end of each section test learners' knowledge retention, while a full-length practice exam simulates the ISC2 CISSP test environment, boosting confidence and readiness for the real exam.
Ready to advance your career in cybersecurity?
Enroll in our ISC2 CISSP Certification Course today and gain the skills, knowledge, and confidence to tackle the ISC2 CISSP exam and excel in high-level security roles. Join a community of security professionals dedicated to excellence in information security—sign up now and start your journey to becoming ISC2 CISSP certified.
What Other Students Are Saying About Our Courses:
The course is well-structured and thoroughly explained, ensuring both efficient learning and effective retention of the material. Excellent! (Hanse S., 5 stars)
I would recommend it to anyone aspiring to complete their examinations at the end. I completed the course and successfully passed my exams on the first attempt. (Bankole K., 5 stars)
I just took the exam and passed on my first attempt. This course and the two practice exams from Dion Training were essential for my learning and content retention. It was a great achievement for me, and I feel grateful to have found this course to guide me. (Gustavo Maciel dos S., 5 stars)
Upon completion of this course, you will earn 43 CEUs towards the renewal of your CISM, CISA, CEH, CompTIA Tech+, A+, Network+, Security+, Linux+, Cloud+, PenTest+, CySA+, or CASP+ certifications.