CISSP - Infopoint Security


CISSP Exam Study Guide
Brian Svidergol
RHEL3, VCP, NCIE-SAN, MCT, MCSE

Table of Contents

Introduction
Domain 1. Security and Risk Management
  1.1 Understand and apply concepts of confidentiality, integrity and availability
  1.2 Apply security governance principles
  1.3 Compliance
  1.4 Understand legal and regulatory issues that pertain to information security in a global context
  1.5 Understand professional ethics
  1.6 Develop and implement documented security policies, standards, procedures and guidelines
  1.7 Understand business continuity requirements
  1.8 Contribute to personnel security policies
  1.9 Understand and apply risk management concepts
  1.10 Understand and apply threat modeling
  1.11 Integrate security risk considerations into acquisition strategy and practice
  1.12 Establish and manage information security education, training, and awareness
  Domain 1 Review Questions
  Answers to Domain 1 Review Questions
Domain 2. Asset Security
  2.1 Classify information and supporting assets
  2.2 Determine and maintain ownership
  2.3 Protect privacy
  2.4 Ensure appropriate data, hardware and personnel retention
  2.5 Determine data security controls
  2.6 Establish handling requirements
  Domain 2 Review Questions
  Answers to Domain 2 Review Questions
Domain 3. Security Engineering
  3.1 Implement and manage engineering processes using secure design principles
  3.2 Understand the fundamental concepts of security models
  3.3 Select controls and countermeasures based upon systems security evaluation models
  3.4 Understand the security capabilities of information systems
  3.5 Assess and mitigate the vulnerabilities of security architectures, designs and solution elements
  3.6 Assess and mitigate vulnerabilities in web-based systems
  3.7 Assess and mitigate vulnerabilities in mobile systems
  3.8 Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems
  3.9 Apply cryptography
  3.10 Apply secure principles to site and facility design
  3.11 Design and implement physical security
  Domain 3 Review Questions
  Answers to Domain 3 Review Questions
Domain 4. Communications and Network Security
  4.1 Apply secure design principles to network architecture
  4.2 Secure network components
  4.3 Design and establish secure communication channels
  4.4 Prevent or mitigate network attacks
  Domain 4 Review Questions
  Answers to Domain 4 Review Questions
Domain 5. Identity and Access Management
  5.1 Control physical and logical access to assets
  5.2 Manage identification and authentication of people and devices
  5.3 Integrate identity as a service
  5.4 Integrate third-party identity services
  5.5 Implement and manage authorization mechanisms
  5.6 Prevent or mitigate access control attacks
  5.7 Manage the identity and access provisioning lifecycle
  Domain 5 Review Questions
  Answers to Domain 5 Review Questions
Domain 6. Security Assessment and Testing
  6.1 Design and validate assessment and test strategies
  6.2 Conduct security control testing
  6.3 Collect security process data
  6.4 Analyze and report test outputs
  6.5 Conduct or facilitate internal and third-party audits
  Domain 6 Review Questions
  Answers to Domain 6 Review Questions
Domain 7. Security Operations
  7.1 Understand and support investigations
  7.2 Understand requirements for investigation types
  7.3 Conduct logging and monitoring activities
  7.4 Secure the provisioning of resources
  7.5 Understand and apply foundational security operations concepts
  7.6 Employ resource protection techniques
  7.7 Conduct incident management
  7.8 Operate and maintain preventative measures
  7.9 Implement and support patch and vulnerability management
  7.10 Participate in and understand change management processes
  7.11 Implement recovery strategies
  7.12 Implement disaster recovery processes
  7.13 Test disaster recovery plans
  7.14 Participate in business continuity planning and exercises
  7.15 Implement and manage physical security
  7.16 Participate in addressing personnel safety concerns
  Domain 7 Review Questions
  Answers to Domain 7 Review Questions
Domain 8. Software Development Security
  8.1 Understand and apply security in the software development lifecycle
  8.2 Enforce security controls in development environments
  8.3 Assess the effectiveness of software security
  8.4 Assess security impact of acquired software
  Domain 8 Review Questions
  Answers to Domain 8 Review Questions
Useful References
About the Author
About Netwrix

Introduction

Exam Overview

Preparing to take the Certified Information Systems Security Professional (CISSP) exam requires a great deal of time and effort. The exam covers eight domains:

1. Security and Risk Management
2. Asset Security
3. Security Engineering
4. Communications and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

To qualify to take the exam, you must generally have at least five years of cumulative, paid, full-time work experience in two or more of the eight domains. However, you can satisfy the eligibility requirement with four years of experience in at least two of the eight domains if you have either a four-year college degree or an approved credential or certification. quisite-Pathway for a complete list of approved credentials and certifications.

The exam itself is long, especially compared with other industry certifications. You can take it in English or another language:

• The English language exam is now a computerized adaptive testing (CAT) exam, so it changes based on your answers. You get up to 3 hours to complete a maximum of 150 questions (and a minimum of 100 questions).
• Exams in languages other than English remain in the original linear format. You get up to 6 hours to complete a series of 250 questions.

You must score 700 points or more to pass the exam.

How to Use this Study Guide

Using multiple study sources and methods improves your chances of passing the CISSP exam. For example, instead of reading three or four books, you might read one book, watch a series of videos, take some practice test questions and read a study guide. Or you might take a class, take practice test questions and read a study guide. Or you might join a study group and read a book. Combine the mediums you use. Reading something, hearing something and doing something helps your brain process and retain information. If your plan is to read this study guide and then drive over to the exam center, you should immediately rethink your plan!

There are a couple of ways you can use this study guide:

• Use it before you do any other studying. Read it thoroughly. Assess your knowledge as you read. Do you already know everything being said? Or are you finding that you can’t follow some of the topics easily? Based on how your reading of the study guide goes, you’ll know which exam domains to focus on and how much additional study time you need.
• Use it as the last thing you read prior to taking the exam. Maybe you’ve taken a class, read a book or gone through a thousand practice test questions, and now you’re wondering if you are ready. This study guide might help you answer that question. At a minimum, everything in this study guide should be known to you, make sense to you and not confuse you.

Note that a study guide doesn’t dive deep enough to teach you a complete topic if you are new to that topic. But it is a very useful preparation tool because it enables you to review a lot of material in a short amount of time. In this guide, we’ve tried to provide the most important points for each of the topics, but it cannot include the background and details you might find in a 1,000-page book.

Upcoming Changes to the Exam

On April 15, 2018, the agency that provides the CISSP exam, the International Info System Security Certification Consortium, is releasing an updated set of exam objectives (the exam blueprint). The draft of the updates is available at SP-Detailed-Content-Outline.pdf. While most of the exam topics remain the same in the new version, there are some minor changes to reflect the latest industry trends and information. Most of the books for the new version of the exam will be released in May 2018 or later.

What does this mean for you if you are preparing to take the exam? If you have already spent a good amount of time preparing and are toward the end of your journey, schedule the exam now and take it before the new exam objectives go live. On the other hand, if you are just starting and don’t think you’ll have enough time to fully prepare before the exam is changed, consider either waiting to begin your studying, or begin your studying but know that you will need to supplement it with the new material once it is released.

Domain 1. Security and Risk Management

1.1 Understand and apply concepts of confidentiality, integrity and availability

Confidentiality, integrity and availability make up what’s known as the CIA triad. The CIA triad is a security model that helps organizations stay focused on the important a