(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Contents

Introduction
Assessment Test

Chapter 1  Security Governance Through Principles and Policies
  Security 101
  Understand and Apply Security Concepts
  Confidentiality
  Integrity
  Availability
  DAD, Overprotection, Authenticity, Non-repudiation, and AAA Services
  Protection Mechanisms
  Security Boundaries
  Evaluate and Apply Security Governance Principles
  Third-Party Governance
  Documentation Review
  Manage the Security Function
  Alignment of Security Function to Business Strategy, Goals, Mission, and Objectives
  Organizational Processes
  Organizational Roles and Responsibilities
  Security Control Frameworks
  Due Diligence and Due Care
  Security Policy, Standards, Procedures, and Guidelines
  Security Policies
  Security Standards, Baselines, and Guidelines
  Security Procedures
  Threat Modeling
  Identifying Threats
  Determining and Diagramming Potential Attacks
  Performing Reduction Analysis
  Prioritization and Response
  Supply Chain Risk Management
  Summary
  Exam Essentials
  Written Lab
  Review Questions

Chapter 2  Personnel Security and Risk Management Concepts
  Personnel Security Policies and Procedures
  Job Descriptions and Responsibilities
  Candidate Screening and Hiring
  Onboarding: Employment Agreements and Policies
  Employee Oversight
  Offboarding, Transfers, and Termination Processes
  Vendor, Consultant, and Contractor Agreements and Controls
  Compliance Policy Requirements
  Privacy Policy Requirements
  Understand and Apply Risk Management Concepts
  Risk Terminology and Concepts
  Asset Valuation
  Identify Threats and Vulnerabilities
  Risk Assessment/Analysis
  Risk Responses
  Cost vs. Benefit of Security Controls
  Countermeasure Selection and Implementation
  Applicable Types of Controls
  Security Control Assessment
  Monitoring and Measurement
  Risk Reporting and Documentation
  Continuous Improvement
  Risk Frameworks
  Social Engineering
  Social Engineering Principles
  Eliciting Information
  Prepending
  Phishing
  Spear Phishing
  Whaling
  Smishing
  Vishing
  Spam
  Shoulder Surfing
  Invoice Scams
  Hoax
  Impersonation and Masquerading
  Tailgating and Piggybacking
  Dumpster Diving
  Identity Fraud
  Typo Squatting
  Influence Campaigns
  Establish and Maintain a Security Awareness, Education, and Training Program
  Awareness
  Training
  Education
  Improvements
  Effectiveness Evaluation
  Summary
  Exam Essentials
  Written Lab
  Review Questions

Chapter 3  Business Continuity Planning
  Planning for Business Continuity
  Project Scope and Planning
  Organizational Review
  BCP Team Selection
  Resource Requirements
  Legal and Regulatory Requirements
  Business Impact Analysis
  Identifying Priorities
  Risk Identification
  Likelihood Assessment
  Impact Analysis
  Resource Prioritization
  Continuity Planning
  Strategy Development
  Provisions and Processes
  Plan Approval and Implementation
  Plan Approval
  Plan Implementation
  Training and Education
  BCP Documentation
  Summary
  Exam Essentials
  Written Lab
  Review Questions

Chapter 4  Laws, Regulations, and Compliance
  Categories of Laws
  Criminal Law
  Civil Law
  Administrative Law
  Laws
  Computer Crime
  Intellectual Property (IP)
  Licensing
  Import/Export
  Privacy
  State Privacy Laws
  Compliance
  Contracting and Procurement
  Summary
  Exam Essentials
  Written Lab
  Review Questions

Chapter 5  Protecting Security of Assets
  Identifying and Classifying Information and Assets
  Defining Sensitive Data
  Defining Data Classifications
  Defining Asset Classifications
  Understanding Data States
  Determining Compliance Requirements
  Determining Data Security Controls
  Establishing Information and Asset Handling Requirements
  Data Maintenance
  Data Loss Prevention
  Marking Sensitive Data and Assets
  Handling Sensitive Information and Assets
  Data Collection Limitation
  Data Location
  Storing Sensitive Data
  Data Destruction
  Ensuring Appropriate Data and Asset Retention
  Data Protection Methods
  Digital Rights Management
  Cloud Access Security Broker
  Pseudonymization
  Tokenization
  Anonymization
  Understanding Data Roles
  Data Owners
  Asset Owners
  Business/Mission Owners
  Data Processors and Data Controllers
  Data Custodians
  Administrators
  Users and Subjects
  Using Security Baselines
  Comparing Tailoring and Scoping
  Standards Selection
  Summary
  Exam Essentials
  Written Lab
  Review Questions

Chapter 6  Cryptography and Symmetric Key Algorithms
  Cryptographic Foundations
  Goals of Cryptography
  Cryptography Concepts
  Cryptographic Mathematics
  Ciphers
  Modern Cryptography
  Cryptographic Keys
  Symmetric Key Algorithms
  Asymmetric Key Algorithms
  Hashing Algorithms
  Symmetric Cryptography
  Cryptographic Modes of Operation
  Data Encryption Standard
  Triple DES
  International Data Encryption Algorithm
  Blowfish
  Skipjack
  Rivest Ciphers
  Advanced Encryption Standard
  CAST
  Comparison of Symmetric Encryption Algorithms
  Symmetric Key Management
  Cryptographic Lifecycle
  Summary
  Exam Essentials
  Written Lab
  Review Questions

Chapter 7  PKI and Cryptographic Applications
  Asymmetric Cryptography
  Public and Private Keys
  RSA
  ElGamal
  Elliptic Curve
  Diffie-Hellman Key Exchange
  Quantum Cryptography
  Hash Functions
  SHA
  MD5
  RIPEMD
  Comparison of Hash Algorithm Value Lengths
  Digital Signatures
  HMAC
  Digital Signature Standard
  Public Key Infrastructure
  Certificates
  Certificate Authorities
  Certificate Lifecycle
  Certificate Formats
  Asymmetric Key Management
  Hybrid Cryptography
  Applied Cryptography
  Portable Devices
  Email
  Web Applications
  Steganography and Watermarking
  Networking
  Emerging Applications
  Cryptographic Attacks
  Summary
  Exam Essentials
  Written Lab
  Review Questions

Chapter 8  Principles of Security Models, Design, and Capabilities
  Secure Design Principles
  Objects and Subjects
  Closed and Open Systems
  Secure Defaults
  Fail Securely
  Keep It Simple
  Zero Trust
  Privacy by Design
  Trust but Verify
  Techniques for Ensuring CIA
  Confinement
  Bounds
  Isolation
  Access Controls
  Trust and Assurance
  Understand the Fundamental Concepts of Security Models
  Trusted Computing Base
  State Machine Model
  Information Flow Model
  Noninterference Model
  Take-Grant Model
  Access Control Matrix
  Bell-LaPadula Model
  Biba Model
  Clark-Wilson Model
  Brewer and Nash Model
  Goguen-Meseguer Model
  Sutherland Model
  Graham-Denning Model
  Harrison-Ruzzo-Ullman Model
  Select Controls Based on Systems Security Requirements
  Common Criteria
  Authorization to Operate
  Understand Security Capabilities of Information Systems
  Memory Protection
  Virtualization
  Trusted Platform Module
  Interfaces
  Fault Tolerance
  Encryption/Decryption
  Summary
  Exam Essentials
  Written Lab
  Review Questions

Chapter 9  Security Vulnerabilities, Threats, and Countermeasures
  Shared Responsibility
  Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
  Hardware
  Firmware
  Client-Based Systems
  Mobile Code
  Local Caches
  Server-Based Systems
  Large-Scale Parallel Data Systems
  Grid Computing
  Peer to Peer
  Industrial Control Systems
  Distributed Systems
  High-Performance Computing (HPC) Systems
  Internet of Things
  Edge a.