Transcription
CISSPExam Study GuideBrian SvidergolRHEL3, VCP, NCIE-SAN, MCT, MCSE1
Table of ContentsIntroduction . . 6Domain 1. Security and Risk Management . . 81.1 Understand and apply concepts of confidentiality, integrity and availability . . . . 81.2 Evaluate and apply security governance principles . . . . 81.3 Determine compliance requirements . . . 101.4 Understand legal and regulatory issues that pertain to information security in a global context . 101.5 Understand, adhere to, and promote professional ethics . . . 111.6 Develop, document, and implement security policy, standards, procedures and guidelines . . . . 121.7 Identify, analyze, and prioritize Business Continuity (BC) requirements . . . 121.8 Contribute to and enforce personnel security policies and procedures . . . . 131.9 Understand and apply risk management concepts . . . 141.10 Understand and apply threat modeling concepts and methodologies . . 171.11 Apply risk-based management concepts to the supply chain . . . 181.12 Establish and maintain a security awareness, education, and training program . . . . 19Domain 1 Review Questions . . . . 20Answers to Domain 1 Review Questions . . . 21Domain 2. Asset Security . . . . 222.1 Identify and classify information and assets . . . . 222.2 Determine and maintain information and asset ownership . . . 232.3 Protect privacy . . . . 232.4 Ensure appropriate asset retention . . . 242.5 Determine data security controls . . . . 242.6 Establish information and asset handling requirements . . . 25Domain 2 Review Questions . . . . 27Answers to Domain 2 Review Questions . . . . 282
Domain 3. Security Architecture and Engineering . . . . . 293.1 Implement and manage engineering processes using secure design principles . . . 293.2 Understand the fundamental concepts of security models . . . 303.3 Select controls based upon systems security requirements . . . 303.4 Understand the security capabilities of information systems . . . 313.5 Assess and mitigate the vulnerabilities of security architectures, designs and solution elements 323.6 Assess and mitigate vulnerabilities in web-based systems . . . 343.7 Assess and mitigate vulnerabilities in mobile systems . . 343.8 Assess and mitigate vulnerabilities in embedded devices . . 353.9 Apply cryptography . . . . 353.10 Apply security principles to site and facility design . . 393.11 Implement site and facility security controls . . . . 39Domain 3 Review Questions . . . . 42Answers to Domain 3 Review Questions . . . . 43Domain 4. Communication and Network Security . . . . . 444.1 Implement secure design principles in network architecture . . . 444.2 Secure network components . . . . 464.3 Implement secure communication channels according to design . . . 48Domain 4 Review Questions . . . . 49Answers to Domain 4 Review Questions . . . . 50Domain 5. Identity and Access Management (IAM) . . . 515.1 Control physical and logical access to assets . . . . 515.2 Manage identification and authentication of people, devices and services . . 525.3 Integrate identity as a third-party service . . . . . 545.4 Implement and manage authorization mechanisms . . . 565.5 Manage the identity and access provisioning lifecycle . . . 57Domain 5 Review Questions . . . . 593
Answers to Domain 5 Review Questions . . . . 60Domain 6. Security Assessment and Testing . . . . 616.1 Design and validate assessment, test and audit strategies . . 616.2 Conduct security control testing . . . . 616.3 Collect security process data . . . . 636.4 Analyze test output and generate reports . . . . 646.5 Conduct or facilitate security audits . . . . 64Domain 6 Review Questions . . . . 65Answers to Domain 6 Review Questions . . . . 66Domain 7. Security Operations . . . 677.1 Understand and support investigations . . . . 677.2 Understand the requirements for different types of investigations . . . 687.3 Conduct logging and monitoring activities . . . . 697.4 Securely provision resources . . . . 707.5 Understand and apply foundational security operations concepts . . 707.6 Apply resource protection techniques . . . . . 727.7 Conduct incident management . . . . 737.8 Operate and maintain detective and preventative measures . . 747.9 Implement and support patch and vulnerability management . . 757.10 Understand and participate in change management processes . . 767.11 Implement recovery strategies . . . . 777.12 Implement disaster recovery (DR) processes . . . . . 787.13 Test disaster recovery plans (DRP) . . . . . 797.14 Participate in business continuity (BC) planning and exercises . 807.15 Implement and manage physical security . . . . 817.16 Address personnel safety and security concerns . . . . 81Domain 7 Review Questions . . . . 834
Answers to Domain 7 Review Questions . . . . 84Domain 8. Software Development Security . . . . 858.1 Understand and apply security in the software development lifecycle . . . 858.2 Enforce security controls in development environments . . . 878.3 Assess the effectiveness of software security . . . . 888.4 Assess security impact of acquired software . . . . 888.5 Define and apply secure coding guidelines and standards . . . . 88Domain 8 Review Questions . . . . 90Answers to Domain 8 Review Questions . . . . 91Useful References . . . . 92About the Author . . . . . 93About Netwrix . . . . 935
IntroductionExam OverviewPreparing to take the Certified Information Systems Security Professional (CISSP) exam requires a great deal of time andeffort. The exam covers eight domains:1.Security and Risk Management2.Asset Security3.Security Architecture and Engineering4.Communication and Network Security5.Identity and Access Management (IAM)6.Security Assessment and Testing7.Security Operations8.Software Development SecurityTo qualify to take the exam, you must generally have at least five years of cumulative, paid, full-time work experience in twoor more of the eight domains. However, you can satisfy the eligibility requirement with four years of experience in at leasttwo of the eight domains if you have either a four-year college degree or an approved credential or certification. quisite-Pathway for a complete list of approved credentials andcertifications.The exam is long, especially compared with other industry certifications. You can take it in English or another language: The English language exam is a computerized adaptive testing (CAT) exam, so it changes based on your answers.You get up to 3 hours to complete a minimum of 100 questions and a maximum of 150 questions. Exams in languages other than English remain in a linear format. You get up to 6 hours to complete a series of 250questions.You must score 700 points or more to pass the exam.6
How to Use this Study GuideUsing multiple study sources and methods improves your chances of passing the CISSP exam. For example, instead ofreading three or four books, you might read one book, watch a series of videos, take some practice test questions and reada study guide. Or you might take a class, take practice test questions and read a study guide. Or you might join a studygroup and read a book. The combination of reading, hearing and doing helps your brain process and retain information. Ifyour plan is to read this study guide and then drive over to the exam center, you should immediately rethink your plan!There are a couple of ways you can use this study guide: Use it before you do any other studying — Read it thoroughly. Assess your knowledge as you read. Do you alreadyknow everything being said? Or are you finding that you can’t follow some of the topics easily? Based on how yourreading of the study guide goes, you’ll know which exam domains to focus on and how much additional study timeyou need. Use it as the last thing you read prior to taking the exam — Maybe you’ve taken a class, read a book and gonethrough a thousand practice test questions, and now you’re wondering if you are ready. This study guide mighthelp you answer that question. At a minimum, everything in this study guide should be known to you, make senseto you and not confuse you.Note that a study guide like this doesn’t dive deep enough to teach you a complete topic if you are new to that topic. But itis a very useful preparation tool because it enables you to review a lot of material in a short amount of time. In this guide,we’ve tried to provide the most important points for each of the topics, but it cannot include the background and detailsyou might find in a 1,000-page book.Recent Changes to the ExamOn April 15, 2018, the agency that provides the CISSP exam, the International Info System Security CertificationConsortium, released an updated set of exam objectives (the exam blueprint). This blueprint is available hx.While most of the exam topics remain the same, there are some minor changes to reflect the latest industry trends andinformation. Most books for the new version of the exam will be released in May 2018 or later. This study guide has beenupdated to reflect the new blueprint. The updates are minor: A few small topics have been removed, a few new oneshave been added, and some items have been reworded.What does this mean for you if you are preparing to take the exam? If you have already spent a good amount of timepreparing, you might just need to supplement your study with some sources that explain the new and revised material.But if you are just starting to study, consider waiting until the updated guides are released.7
Domain 1. Security and Risk Management1.1 Understand and apply concepts of confidentiality, integrity andavailabilityConfidentiality, integrity and availability make up what’s known as the CIA triad. The CIA triad is a
How to Use this Study Guide Using multiple study sources and methods improves your chances of passing the CISSP exam. For example, instead of reading three or four books, you might read one book, watch a series of videos, take some practice test questions and read a study guide. Or you might take a class, take practice test questions and read a study guide. Or you might join a study
