CISSP (ISC)2 Certified Information Systems Security


CISSP: Certified Information Systems Security Professional Study Guide
Seventh Edition
James Michael Stewart
Mike Chapple
Darril Gibson

Development Editor: Alexa Murphy
Technical Editors: David Seidl, Brian O'Hara, Paul Calatayud
Production Editor: Rebecca Anderson
Copy Editors: Elizabeth Welch, Linda Recktenwald
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Media Supervising Producer: Richard Graves
Book Designers: Judy Fung and Bill Gibson
Proofreaders: Josh Chase, Sarah Kaikini and Louise Watson, Word One New York
Indexer: J & J Indexing
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: Getty Images Inc./Jeremy Woodhouse

Copyright 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-04271-6
ISBN: 978-1-119-04272-3 (ebk.)
ISBN: 978-1-119-04275-4 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2015948797

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered certification mark of (ISC)², Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Disclaimer: John Wiley and Sons, Inc., in association with (ISC)2, has prepared this study guide for general information and for use as training for the Official (ISC)2 CISSP CBK and not as legal or operational advice. This is a study guide only, and does not imply that any questions or topics from this study guide will appear on the actual (ISC)2 CISSP certification examination. The study guide was not prepared with writers or editors associated with developing the (ISC)2 CISSP certification examination. The study guide may contain errors and omissions. (ISC)2 does not guarantee a passing score on the exam or provide any assurance or guarantee relating to the use of this study guide and preparing for the (ISC)2 CISSP certification examination.

The users of the Official CISSP: Certified Information Systems Security Professional Study Guide, Seventh Edition agree that John Wiley and Sons, Inc. and (ISC)2 are not liable for any indirect, special, incidental, or consequential damages up to and including negligence that may arise from use of these materials. Under no circumstances, including negligence, shall John Wiley and Sons, Inc. or (ISC)2, its officers, directors, agents, author or anyone else involved in creating, producing or distributing these materials be liable for any direct, indirect, incidental, special or consequential damages that may result from the use of this study guide.

Whenever we look toward the future, we have to first look back and think about where we came from. Back in 1989, (ISC)2 was established by a handful of passionate volunteers who wanted to create a set of standards for a new concept, not yet a full-fledged career field, called information security. In the minds of those volunteers, having the initial 500 applicants sign up to take the Certified Information Systems Security Professional (CISSP) exam was considered quite a success. Little did they imagine that 26 years later, not only would those 500 applicants grow to a cadre of 100,000 CISSP credential holders across more than 160 countries, the CISSP would also become recognized as the standard certification for the information security industry.

Advancements in technology bring about the need for updates, and we work tirelessly to ensure that our content is always relevant to the industry. As the information security industry continues to transition, and cybersecurity becomes a global focus, the CISSP Common Body of Knowledge (CBK) is even more relevant to today's challenges.

The new (ISC)² CISSP Study Guide is part of a concerted effort to enhance and increase our education and training offerings. The CISSP Study Guide reflects the most relevant topics in our ever-changing field and is a learning tool for (ISC)² certification exam candidates. It provides a comprehensive study guide to the eight CISSP domains and the most current topics in the industry.

If you are on the path to getting certified, you have no doubt heard of the (ISC)2 Official Guides to the CBK. While our Official Guides to the CBK are the authoritative references to the Common Body of Knowledge, the new study guides are learning tools focused on educating the reader in preparation for exams. As an ANSI accredited certification body under the ISO/IEC 17024 standard, (ISC)² does not teach the CISSP exam. Rather, we strive to generate or endorse content that teaches the CISSP's CBK. Candidates who have a strong understanding of the CBK are best prepared for success with the exam and within the profession.

(ISC)2 is also breaking new ground by partnering with Wiley, a recognized industry leading brand. Developing a partnership with renowned content provider Wiley allows (ISC)2 to grow its offerings on the scale required to keep our content fresh and aligned with the constantly changing environment. The power of combining the expertise of our two organizations benefits certification candidates and the industry alike.

I look forward to your feedback on the (ISC)2 CISSP Study Guide. Congratulations on taking the first step toward earning the certification that SC Magazine named “Best Professional Certification Program.” Good luck with your studies!

Best Regards,
David P. Shearer, CISSP, PMP
CEO
(ISC)2

To Cathy, your perspective on the world and life often surprises me, challenges me, and makes me love you even more.
—James Michael Stewart

To Dewitt Latimer, my mentor, friend, and colleague. I miss you dearly.
—Mike Chapple

To Nimfa: Thanks for sharing your life with me for the past 23 years and letting me share mine with you.
—Darril Gibson

Acknowledgments

I’d like to express my thanks to Sybex for continuing to support this project. Thanks to Mike Chapple and Darril Gibson for continuing to contribute to this project. Thanks also to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome. Extra thanks to the seventh edition developmental editor, Alexa Murphy, and technical editor, David Seidl, who performed amazing feats in guiding us to improve this book. Thanks as well to my agent, Carole Jelen, for continuing to assist in nailing down these projects.

To my adoring wife, Cathy: Building a life and a family together has been more wonderful than I could have ever imagined. To Slayde and Remi: You are growing up so fast and learning at an outstanding pace, and you continue to delight and impress me daily. You are both growing into amazing individuals. To my mom, Johnnie: It is wonderful to have you close by. To Mark: No matter how much time has passed or how little we see each other, I have been and always will be your friend. And finally, as always, to Elvis: You were way ahead of the current bacon obsession, with your peanut butter-banana-bacon sandwich; I think that’s proof you traveled through time!

—James Michael Stewart

Special thanks go to the information security team at the University of Notre Dame, who provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book.

I would like to thank the team at Wiley who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators. David Seidl, our diligent and knowledgeable technical editor, provided valuable insight as we brought this edition to press.

I’d also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press.

—Mike Chapple

Thanks to Carol Long and Carole Jelen for helping get this update in place before (ISC)2 released the objectives. This helped us get a head start on this new edition and we appreciate your efforts. It’s been a pleasure working with talented people like James Michael Stewart and Mike Chapple. Thanks to both of you for all your work and collaborative efforts on this project. The technical editor, Dave Seidl, provided us with some outstanding feedback and this book is better because of his efforts. Thanks again, David. Last, thanks to the team at Sybex (including project managers, editors, and graphics artists) for all the work you did helping us get this book to print.

—Darril Gibson

About the Authors

James Michael Stewart, CISSP, has been writing and training for more than 20 years, with a current focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on Internet security and ethical hacking/penetration testing. He is the author of and contributor to more than 75 books and numerous courseware sets on security certification, Microsoft topics, and network administration. More information about Michael can be found at his website: www.impactonline.com.

Mike Chapple, CISSP, Ph.D., is Senior Director for IT Service Delivery at the University of Notre Dame. In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget’s SearchSecurity site and the author of more than 25 books including CompTIA Security Training Kit and Information Security Illuminated. Mike can be found on Twitter @mchapple.

Darril Gibson, CISSP, is the CEO of YCDA, LLC (short for You Can Do Anything) and he has authored or coauthored more than 35 books. Darril regularly writes, consults, and teaches on a wide variety of technical and security topics and holds several certifications. He regularly posts blog articles at http://blogs.getcertifiedgetahead.com/ about certification topics and uses that site to help people stay abreast of changes in certification exams. He loves hearing from readers, especially when they pass an exam after using one of his books, and you can contact him through the blogging site.

Contents

Introduction
Assessment Test

Chapter 1 Security Governance Through Principles and Policies
    Understand and Apply Concepts of Confidentiality, Integrity, and Availability
    Apply Security Governance Principles
    Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines
    Understand and Apply Threat Modeling
    Integrate Security Risk Considerations into Acquisition Strategy and Practice

Chapter 2 Personnel Security and Risk Management Concepts
    Contribute to Personnel Security Policies
    Security Governance
    Understand and Apply Risk Management Concepts
    Establish and Manage Information Security Education, Training, and Awareness
    Manage the Security Function

Chapter 3 Business Continuity Planning
    Planning for Business Continuity
    Project Scope and Planning
    Business Impact Assessment
    Continuity Planning
    BCP Documentation

Chapter 4 Laws, Regulations, and Compliance
    Categories of Laws
    Laws
    Compliance
    Contracting and Procurement

Chapter 5 Protecting Security of Assets
    Classifying and Labeling Assets
    Identifying Data Roles
    Protecting Privacy

Chapter 6 Cryptography and Symmetric Key Algorithms
    Historical Milestones in Cryptography
    Cryptographic Basics
    Modern Cryptography
    Symmetric Cryptography
    Cryptographic Life Cycle

Chapter 7 PKI and Cryptographic Applications
    Asymmetric Cryptography
    Hash Functions
    Digital Signatures
    Public Key Infrastructure
    Asymmetric Key Management
    Applied Cryptography
    Cryptographic Attacks

Chapter 8 Principles of Security Models, Design, and Capabilities
    Implement and Manage Engineering Processes Using Secure Design Principles
    Understand the Fundamental Concepts of Security Models
    Select Controls and Countermeasures Based on Systems Security Evaluation Models
    Understand Security Capabilities of Information Systems

Chapter 9 Security Vulnerabilities, Threats, and Countermeasures
    Assess and Mitigate Security Vulnerabilities
    Client-Based
    Server-Based
    Database Security
    Distributed Systems
    Industrial Control Systems
    Assess and Mitigate Vulnerabilities in Web-Based Systems
    Assess and Mitigate Vulnerabilities in Mobile Systems
    Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems
    Essential Security Protection Mechanisms
    Common Architecture Flaws and Security Issues

Chapter 10 Physical Security Requirements
    Apply Secure Principles to Site and Facility Design
    Design and Implement Physical Security
    Implement and Manage Physical Security

Chapter 11 Secure Network Architecture and Securing Network Components
    OSI Model
    TCP/IP Model
    Converged Protocols
    Wireless Networks
    General Wi-Fi Security Procedure
    Cabling, Wireless, Topology, and Communications Technology

Chapter 12 Secure Communications and Network Attacks
    Network and Protocol Security Mechanisms
    Secure Voice Communications
    Multimedia Collaboration
    Manage Email Security
    Remote Access Security Management
    Virtual Private Network
    Virtualization
    Network Address Translation
    Switching Technologies
    WAN Technologies
    Miscellaneous Security Control Characteristics
    Security Boundaries
    Prevent or Mitigate Network Attacks

Chapter 13 Managing Identity and Authentication
    Controlling Access to Assets
    Comparing Identification and Authentication
    Implementing Identity Management
    Managing the Identity and Access Provisioning Life Cycle

Chapter 14 Controlling and Monitoring Access
    Comparing Access Control Models
    Understanding Access Control Attacks

Chapter 15 Security Assessment and Testing
    Building a Security Assessment and Testing Program
    Performing Vulnerability Assessments
    Testing Your Software
    Implementing Security Management Processes

Chapter 16 Managing Security Operations
    Applying Security Operations Concepts
    Provisioning and Managing Resources
    Managing Configuration
    Managing Change
    Managing Patches and Reducing Vulnerabilities

Chapter 17 Preventing and Responding to Incidents
    Managing Incident Response
    Implementing Preventive Measures
    Logging, Monitoring, and Auditing

Chapter 18 Disaster Recovery Planning
    The Nature of Disaster
    Understand System Resilience and Fault Tolerance
    Recovery Strategy
    Recovery Plan Development
    Training, Awareness, and Documentation
    Testing and Maintenance

Chapter 19 Incidents and Ethics
    Investigations
    Major Categories of Computer Crime
    Incident Handling
    Ethics

Chapter 20 Software Development Security
    Introducing Systems Development Controls
    Establishing Databases and Data Warehousing
    Storing Data and Information
    Understanding Knowledge-Based Systems

Chapter 21 Malicious Code and Application Attacks
    Malicious Code
    Password Attacks
    Application Attacks
    Web Application Security
    Reconnaissance Attacks
    Masquerading Attacks

Every chapter closes with the same four sections: Summary, Exam Essentials, Written Lab, and Review Questions.

Appendix A Answers to Review Questions (Chapters 1 through 21, listed by chapter title as above)
Appendix B Answers to Written Labs (Chapters 1 through 21, listed by chapter title as above)
Appendix C About the Additional Study Tools
    Additional Study Tools
    System Requirements
    Using the Study Tools
    Troubleshooting
    Comprehensive Online Learning Environment

EULA

List of Tables

Chapter 2: Table 2.1, Table 2.2
Chapter 5: Table 5.1, Table 5.2
Chapter 6: Table 6.1, Table 6.2
Chapter 7: Table 7.1
Chapter 8: Table 8.1, Table 8.2, Table 8.3, Table 8.4
Chapter 9: Table 9.1
Chapter 10: Table 10.1, Table 10.2
Chapter 11: Table 11.1 through Table 11.9
Chapter 12: Table 12.1, Table 12.2, Table 12.3
Chapter 18: Table 18.1

List of Illustrations

Chapter 1
    Figure 1.1 The CIA Triad
    Figure 1.2 The five elements of AAA services
    Figure 1.3 Strategic, tactical, and operational plan timeline comparison
    Figure 1.4 Levels of government/military classification
    Figure 1.5 Commercial business/private sector classification levels
    Figure 1.6 The comparative relationships of security policy components
    Figure 1.7 An example of diagramming to reveal threat concerns
Chapter 2
    Figure 2.1 An example of separation of duties related to five admin tasks and seven administrators
    Figure 2.2 An example of job rotation among management positions
    Figure 2.3 Ex-employees must return all company property.
    Figure 2.4 The elements of risk
    Figure 2.5 The six major elements of quantitative risk analysis
    Figure 2.6 The categories of security controls in a defense-in-depth implementation
    Figure 2.7 The six steps of the risk management framework
Chapter 3
    Figure 3.1 Earthquake hazard map of the United States
Chapter 5
    Figure 5.1 Data classifications
    Figure 5.2 Clearing a hard drive
Chapter 6
    Figure 6.1 Challenge-response authentication protocol
    Figure 6.2 The magic door
    Figure 6.3 Symmetric key cryptography
    Figure 6.4 Asymmetric key cryptography
Chapter 7
    Figure 7.1 Asymmetric key cryptography
    Figure 7.2 Steganography tool
    Figure 7.3 Image with embedded message
Chapter 8
    Figure 8.1 The TCB, security perimeter, and reference monitor
    Figure 8.2 The Take Grant model’s directed graph
    Figure 8.3 The Bell-LaPadula model
    Figure 8.4 The Biba model
    Figure 8.5 The Clark-Wilson model
    Figure 8.6 The levels of TCSEC
Chapter 9
    Figure 9.1 In the commonly used four-ring model, protection rings segregate the operating system into kernel, components, and drivers in rings 0 through 2 and applications and programs run at ring 3.
    Figure 9.2 The process scheduler
Chapter 10
    Figure 10.1 A typical wiring closet
    Figure 10.2 The fire triangle
    Figure 10.3 The four primary stages of fire
    Figure 10.4 A secure physical boundary with a mantrap and a turnstile
Chapter 11
    Figure 11.1 Representation of the OSI model
    Figure 11.2 Representation of OSI model encapsulation
    Figure 11.3 Representation of the OSI model peer layer logical channels
    Figure 11.4 OSI model data names
    Figure 11.5 Comparing the OSI model with the TCP/IP model
    Figure 11.6 The four layers of TCP/IP and its component protocols
    Figure 11.7 The TCP three-way handshake
    Figure 11.8 Single-, two-, and three-tier firewall deployment architectures
    Figure 11.9 A ring topology
    Figure 11.10 A linear bus topology and a tree bus topology
    Figure 11.11 A star topology
    Figure 11.12 A mesh topology
Chapter 13
    Figure 13.1 Graph of FRR and FAR errors indicating the CER point
Chapter 14
    Figure 14.1 Defense in depth with layered security
    Figure 14.2 Role-based access controls
    Figure 14.3 A representation of the boundaries provided by lattice-based access controls
    Figure 14.4 Wireshark capture
Chapter 15
    Figure 15.1 Nmap scan of a web server run from a Linux system
    Figure 15.2 Default Apache server page running on the server scanned in Figure 15.1
    Figure 15.3 Nmap scan of a large network run from a Mac system using the Terminal utility
    Figure 15.4 Network vulnerability scan of the same web server that was port scanned in Figure 15.1
    Figure 15.5 Web application vulnerability scan of the same web server that was port scanned in Figure 15.1 and network vulnerability scanned in Figure 15.4
    Figure 15.6 The Metasploit automated system exploitation tool allows attackers to quickly execute common attacks against target systems.
    Figure 15.7 Fagan inspections follow a rigid formal process, with defined entry and exit criteria that must be met before transitioning between stages.
    Figure 15.8 Prefuzzing input file containing a series of 1s
    Figure 15.9 The input file from Figure 15.8 after being run through the zzuf mutation fuzzing tool
Chapter 16
    Figure 16.1 A segregation of duties control matrix
    Figure 16.2 Creating and deploying images
    Figure 16.3 Web server and database server
Chapter 17
    Figure 17.1 Incident response
    Figure 17.2 SYN flood attack
    Figure 17.3 A man-in-the-middle attack
    Figure 17.4 Intrusion prevention system
    Figure 17.5 Viewing a log entry
Chapter 18
    Figure 18.1 Flood hazard map for Miami–Dade County, Florida
    Figure 18.2 Failover cluster with network load balancing
Chapter 20
    Figure 20.1 Security vs. user-friendliness vs. functionality
    Figure 20.2 The waterfall life cycle model
    Figure 20.3 The spiral life cycle model
    Figure 20.4 The IDEAL model
    Figure 20.5 Gantt chart
    Figure 20.6 The DevOps model
    Figure 20.7 Hierarchical data model
    Figure 20.8 Customers table from a relational database
    Figure 20.9 ODBC as the interface between applications and a backend database system
Chapter 21
    Figure 21.1 Typical database-driven website architecture

Introduction

The CISSP: Certified Information Systems Security Professional Study Guide, Seventh Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.

This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.

Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of full-time paid work experience (or four years if you have a college degree) in two or more of the eight domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for it. For more information on (ISC)2, see the next section.

(ISC)2

The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2. (ISC)2 is a global not-for-profit organization. It has four primary mission goals:

    Maintain the Common Body of Knowledge (CBK) for the field of information systems security.
    Provide certification for information systems security professionals and practitioners.
    Conduct certification training and administer the certification exams.
    Oversee the ongoing accreditation of qualified certification candidates through continued education.

The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners.

(ISC)2 supports and provides a wide variety of certifications, including CISSP, SSCP, CAP, CSSLP, CCFP, HCISPP, and CCSP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about (ISC)2 and its other certifications from its website at www.isc2.org.

The Certified Information Systems Security Professional (CISSP) credential is for security professionals responsible for designing and maintaining security infrastructure within an organization.

Topical Domains

The CISSP certification covers material from the eight topical domains. These eight domains are as follows:

    Security and Risk Management
    Asset Security
    Security Engineering
    Communication and Network Security
    Identity and Access Management
    Security Assessment and Testing
    Security Operations
    Software Development Security

These eight domains provide a vendor-independent overview of a common security framework. This framework is the basis for a discussion on security practices that can be supported in all types of organizations worldwide.

The topical domains underwent a major revision as of April 2015. The domains were reduced from ten to eight, and many topics and concepts were re-organized. For a complete view of the breadth of topics covered on the CISSP exam from these eight new domain groupings, visit the (ISC)2 website at www.isc2.org to request a copy of the Candidate Information Bulletin. This document includes a complete exam outline as well as other relevant facts about the certification.

Prequalifications

(ISC)2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ full-time paid work experience or with four years’ experience and a recent IT or IS degree. Professional experience is defined as security work performed for salary or commission within two or more of the eight CBK domains.

Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)2 wants all CISSP candidates to follow to maintain professionalism in t
