  Introduction  1
    About This Book  2
    Foolish Assumptions  3
    Icons Used in This Book  3
    Beyond the Book  4
    Where to Go from Here  5

Part 1: Getting Started with CISSP Certification  7

  Chapter 1: (ISC)2 and the CISSP Certification  9
    About (ISC)2 and the CISSP Certification  9
    You Must Be This Tall to Ride This Ride (And Other Requirements)  10
    Preparing for the Exam  12
      Studying on your own  13
      Getting hands-on experience  14
      Getting official (ISC)2 CISSP training  14
      Attending other training courses or study groups  15
      Taking practice exams  15
      Are you ready for the exam?  16
    Registering for the Exam  16
    About the CISSP Examination  17
    After the Examination  20

  Chapter 2: Putting Your Certification to Good Use  23
    Networking with Other Security Professionals  24
    Being an Active (ISC)2 Member  25
    Considering (ISC)2 Volunteer Opportunities  26
      Writing certification exam questions  27
      Speaking at events  27
      Helping at (ISC)2 conferences  27
      Reading and contributing to (ISC)2 publications  27
      Supporting the (ISC)2 Center for Cyber Safety and Education  28
      Participating in bug-bounty programs  28
      Participating in (ISC)2 focus groups  28
      Joining the (ISC)2 community  28
      Getting involved with a CISSP study group  28
      Helping others learn more about data security  29
    Becoming an Active Member of Your Local Security Chapter  30
    Spreading the Good Word about CISSP Certification  31
      Leading by example  32
    Using Your CISSP Certification to Be an Agent of Change  32
    Earning Other Certifications  33
      Other (ISC)2 certifications  33
      CISSP concentrations  34
      Non-(ISC)2 certifications  34
      Choosing the right certifications  38
      Finding a mentor, being a mentor  39
      Building your professional brand  39
    Pursuing Security Excellence  40

Part 2: Certification Domains  43

  Chapter 3: Security and Risk Management  45
    Understand, Adhere to, and Promote Professional Ethics  45
      (ISC)2 Code of Professional Ethics  46
      Organizational code of ethics  47
    Understand and Apply Security Concepts  49
      Confidentiality  50
      Integrity  51
      Availability  51
      Authenticity  52
      Nonrepudiation  52
    Evaluate and Apply Security Governance Principles  53
      Alignment of security function to business strategy, goals, mission, and objectives  53
      Organizational processes  54
      Organizational roles and responsibilities  56
      Security control frameworks  57
      Due care and due diligence  60
    Determine Compliance and Other Requirements  61
      Contractual, legal, industry standards, and regulatory requirements  61
      Privacy requirements  66
    Understand Legal and Regulatory Issues That Pertain to Information Security  67
      Cybercrimes and data breaches  67
      Licensing and intellectual property requirements  82
      Import/export controls  85
      Transborder data flow  85
      Privacy  86
    Understand Requirements for Investigation Types  93
    Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines  94
      Policies  95
      Standards (and baselines)  95
      Procedures  96
      Guidelines  96
    Identify, Analyze, and Prioritize Business Continuity (BC) Requirements  96
      Business impact analysis  99
      Develop and document the scope and the plan  107
    Contribute to and Enforce Personnel Security Policies and Procedures  120
      Candidate screening and hiring  120
      Employment agreements and policies  123
      Onboarding, transfers, and termination processes  123
      Vendor, consultant, and contractor agreements and controls  124
      Compliance policy requirements  125
      Privacy policy requirements  125
    Understand and Apply Risk Management Concepts  125
      Identify threats and vulnerabilities  126
      Risk assessment/analysis  126
      Risk appetite and risk tolerance  132
      Risk treatment  133
      Countermeasure selection and implementation  133
      Applicable types of controls  135
      Control assessments (security and privacy)  137
      Monitoring and measurement  139
      Reporting  140
      Continuous improvement  141
      Risk frameworks  141
    Understand and Apply Threat Modeling Concepts and Methodologies  143
      Identifying threats  143
      Determining and diagramming potential attacks  144
      Performing reduction analysis  145
      Remediating threats  145
    Apply Supply Chain Risk Management (SCRM) Concepts  146
      Risks associated with hardware, software, and services  147
      Third-party assessment and monitoring  147
      Fourth-party risk  147
      Minimum security requirements  147
      Service-level agreement requirements  147
    Establish and Maintain a Security Awareness, Education, and Training Program  148
      Methods and techniques to present awareness and training  148
      Periodic content reviews  151
      Program effectiveness evaluation  151

  Chapter 4: Asset Security  153
    Identify and Classify Information and Assets  153
      Data classification  157
      Asset classification  161
    Establish Information and Asset Handling Requirements  162
    Provision Resources Securely  164
      Information and asset ownership  164
      Asset inventory  165
      Asset management  166
    Manage Data Life Cycle  167
      Data roles  168
      Data collection  168
      Data location  169
      Data maintenance  169
      Data retention  169
      Data remanence  170
      Data destruction  171
    Ensure Appropriate Asset Retention  171
      End of life  171
      End of support  172
    Determine Data Security Controls and Compliance Requirements  172
      Data states  173
      Scoping and tailoring  174
      Standards selection  175
      Data protection methods  176

  Chapter 5: Security Architecture and Engineering  179
    Research, Implement, and Manage Engineering Processes Using Secure Design Principles  180
      Threat modeling  182
      Least privilege (and need to know)  186
      Defense in depth  187
      Secure defaults  188
      Fail securely  188
      Separation of duties  189
      Keep it simple  189
      Zero trust  189
      Privacy by design  191
      Trust but verify  192
      Shared responsibility  194
    Understand the Fundamental Concepts of Security Models  196
    Select Controls Based Upon Systems Security Requirements  199
      Evaluation criteria  200
      System certification and accreditation  205
    Understand Security Capabilities of Information Systems  208
      Trusted Computing Base  208
      Trusted Platform Module  209
      Secure modes of operation  209
      Open and closed systems  210
      Memory protection  210
      Encryption and decryption  210
      Protection rings  211
      Security modes  211
      Recovery procedures  212
    Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements  213
      Client-based systems  214
      Server-based systems  215
      Database systems  215
      Cryptographic systems  216
      Industrial control systems  217
      Cloud-based systems  218
      Distributed systems  220
      Internet of Things  221
      Microservices  221
      Containerization  222
      Serverless  223
      Embedded systems  224
      High-performance computing systems  225
      Edge computing systems  225
      Virtualized systems  226
      Web-based systems  226
      Mobile systems  228
    Select and Determine Cryptographic Solutions  228
      Plaintext and ciphertext  230
      Encryption and decryption  230
      End-to-end encryption  230
      Link encryption  231
      Putting it all together: The cryptosystem  232
      Classes of ciphers  233
      Types of ciphers  234
      Cryptographic life cycle  237
      Cryptographic methods  238
      Public key infrastructure  248
      Key management practices  248
      Digital signatures and digital certificates  250
      Nonrepudiation  250
      Integrity (hashing)  251
    Understand Methods of Cryptanalytic Attacks  253
      Brute force  254
      Ciphertext only  254
      Known plaintext  255
      Frequency analysis  255
      Chosen ciphertext  255
      Implementation attacks  255
      Side channel  255
      Fault injection  256
      Timing  256
      Man in the middle  256
      Pass the hash  257
      Kerberos exploitation  257
      Ransomware  257
    Apply Security Principles to Site and Facility Design  259
    Design Site and Facility Security Controls  261
      Wiring closets, server rooms, and more  264
      Restricted and work area security  265
      Utilities and heating, ventilation, and air conditioning  266
      Environmental issues  267
      Fire prevention, detection, and suppression  268
      Power  272

  Chapter 6: Communication and Network Security  275
    Assess and Implement Secure Design Principles in Network Architectures  275
      OSI and TCP/IP models  277
        The OSI Reference Model  278
        The TCP/IP Model  315
    Secure Network Components  316
      Operation of hardware  316
      Transmission media  317
      Network access control devices  318
      Endpoint security  328
    Implement Secure Communication Channels According to Design  331
      Voice  331
      Multimedia collaboration  332
      Remote access  332
      Data communications  336
      Virtualized networks  336
      Third-party connectivity  338

  Chapter 7: Identity and Access Management  339
    Control Physical and Logical Access to Assets  340
      Information  340
      Systems and devices  340
CISSP for Dummies