CISSP Cert Guide


CISSP Cert Guide, Second Edition
Robin Abernathy
Troy McMillan
800 East 96th Street, Indianapolis, Indiana 46240 USA

CISSP Cert Guide, Second Edition
Copyright 2016 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-5518-6
ISBN-10: 0-7897-5518-1
Library of Congress Control Number: 2016940246
Printed in the United States of America
First Printing: June 2016

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the United States please contact intlcs@pearson.com.

Editor in Chief: Mark Taub
Acquisitions Editor: Michelle Newcomb
Senior Development Editor: Christopher Cleveland
Managing Editor: Sandra Schroeder
Project Editor: Mandie Frank
Copy Editor: Kitty Wilson
Indexer: Larry Sweazy
Proofreader: The Wordsmithery LLC
Technical Reviewers: Chris Crayton, Troy McMillan
Publishing Coordinator: Vanessa Evans
Cover Designer: Chuti Prasertsith
Compositor: Bronkella Publishing

Contents at a Glance

Introduction
Chapter 1  Security and Risk Management
Chapter 2  Asset Security
Chapter 3  Security Engineering
Chapter 4  Communication and Network Security
Chapter 5  Identity and Access Management
Chapter 6  Security Assessment and Testing
Chapter 7  Security Operations
Chapter 8  Software Development Security
Glossary
Appendix A  Memory Tables
Appendix B  Memory Tables Answer Key
Index

Table of Contents

Introduction
    The Goals of the CISSP Certification
        Sponsoring Bodies
        Stated Goals
    The Value of the CISSP Certification
        To the Security Professional
        To the Enterprise
    The Common Body of Knowledge
        Security and Risk Management (e.g. Security, Risk, Compliance, Law, Regulations, Business Continuity)
        Asset Security (Protecting Security of Assets)
        Security Engineering (Engineering and Management of Security)
        Communication and Network Security (Designing and Protecting Network Security)
        Identity and Access Management (Controlling Access and Managing Identity)
        Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
        Security Operations (e.g. Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
        Software Development Security (Understanding, Applying, and Enforcing Software Security)
    Steps to Becoming a CISSP
        Qualifying for the Exam
        Signing Up for the Exam
    About the CISSP Exam

Chapter 1  Security and Risk Management
    Security ty
        Default Stance
        Defense in Depth
        Job Rotation
        Separation of Duties
    Security Governance Principles
        Security Function Alignment
            Organizational Strategy and Goals
            Organizational Mission and Objectives
            Business Case
            Security Budget, Metrics, and Effectiveness
            Resources
        Organizational Processes
            Acquisitions and Divestitures
            Governance Committees
        Security Roles and Responsibilities
            Board of Directors
            Management
            Data Owner
            Data Custodian
            System Owner
            System Administrator
            Security Administrator
            Security Analyst
            Application Owner
            Supervisor
            Audit Committee
            User
            Auditor
        Control Frameworks
            ISO/IEC 27000 Series
            Zachman Framework
            The Open Group Architecture Framework (TOGAF)
            Department of Defense Architecture Framework (DoDAF)
            British Ministry of Defence Architecture Framework (MODAF)
            Sherwood Applied Business Security Architecture (SABSA)
            Control Objectives for Information and Related Technology (CobiT)
            National Institute of Standards and Technology (NIST) Special Publication (SP)
            Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
            Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
            Information Technology Infrastructure Library (ITIL)
            Six Sigma
            Capability Maturity Model Integration (CMMI)
            CCTA Risk Analysis and Management Method (CRAMM)
            Top-Down Versus Bottom-Up Approach
            Security Program Life Cycle
        Due Care
        Due Diligence
    Compliance
        Legislative and Regulatory Compliance
        Privacy Requirements Compliance
    Legal and Regulatory Issues
        Computer Crime Concepts
            Computer-Assisted Crime
            Computer-Targeted Crime
            Incidental Computer Crime
            Computer Prevalence Crime
            Hackers Versus Crackers
            Computer Crime Examples
        Major Legal Systems
            Civil Code Law
            Common Law
                Criminal Law
                Civil/Tort Law
                Administrative/Regulatory Law
            Customary Law
            Religious Law
            Mixed Law
        Licensing and Intellectual Property
            Patent
            Trade Secret
            Trademark
            Copyright
            Software Piracy and Licensing Issues
            Internal Protection
            Digital Rights Management (DRM)
        Import/Export Controls
        Trans-Border Data Flow
        Privacy
            Personally Identifiable Information (PII)
            Laws and Regulations
        Data Breaches
    Professional Ethics
        (ISC)2 Code of Ethics
        Computer Ethics Institute
        Internet Architecture Board
        Organizational Ethics
    Security Documentation
        Policies
            Organizational Security Policy
            System-Specific Security Policy
            Issue-Specific Security Policy
        Policy ures
    Business Continuity
        Business Continuity and Disaster Recovery Concepts
            Disruptions
            Disasters
            Disaster Recovery and the Disaster Recovery Plan (DRP)
            Continuity Planning and the Business Continuity Plan (BCP)
            Business Impact Analysis (BIA)
            Contingency Plan
            Availability
            Reliability
        Project Scope and Plan
            Personnel Components
            Project Scope
            Business Continuity Steps
        Business Impact Analysis Development
            Identify Critical Processes and Resources
            Identify Outage Impacts, and Estimate Downtime
            Identify Resource Requirements
            Identify Recovery Priorities
        Recoverability
        Fault Tolerance
    Personnel Security Policies
        Employment Candidate Screening
        Employment Agreement and Policies
        Employment Termination Policies
        Vendor, Consultant, and Contractor Controls
        Compliance
        Privacy
    Risk Management Concepts
        Vulnerability
        Threat
        Threat Agent
        Risk
        Exposure
        Countermeasure
        Risk Management Policy
        Risk Management Team
        Risk Analysis Team
        Risk Assessment
            Information and Asset (Tangible/Intangible) Value and Costs
            Identify Threats and Vulnerabilities
            Risk Assessment/Analysis
            Countermeasure (Safeguard) Selection
            Total Risk Versus Residual Risk
            Handling Risk
        Implementation
        Access Control
        Access Control Types
            Administrative (Management) Controls
            Logical (Technical) Controls
            Physical Controls
        Control Assessment, Monitoring, and Measurement
        Reporting and Continuous Improvement
        Risk Frameworks
    Threat Modeling
        Identifying Threats
        Potential Attacks
        Remediation Technologies and Processes
    Security Risks in Acquisitions
        Hardware, Software, and Services
        Third-Party Governance
            Onsite Assessment
            Document Exchange/Review
            Process/Policy Review
            Other Third-Party Governance Issues
        Minimum Security Requirements
        Minimum Service-Level Requirements
    Security Education, Training, and Awareness
        Levels Required
        Periodic Review
    Exam Preparation Tasks
        Review All Key Topics
        Complete the Tables and Lists from Memory
        Define Key Terms
        Answer Review Questions
        Answers and Explanations

Chapter 2  Asset Security
    Asset Security Concepts
        Data Policy
        Roles and Responsibilities
            Data Owner
            Data Custodian
        Data Quality
        Data Documentation and Organization
    Classify Information and Assets
        Sensitivity and Criticality
        Commercial Business Classifications
        Military and Government Classifications
        Information Life Cycle
        Databases
            DBMS Architecture and Models
            Database Interface Languages
            Data Warehouses and Data Mining
            Database Maintenance
            Database Threats
        Data Audit
    Asset Ownership
        Data Owners
        System Owners
        Business/Mission Owners
    Asset Management
        Redundancy and Fault Tolerance
        Backup and Recovery Systems
        Identity and Access Management
        RAID
        SAN
        NAS
        HSM
        Network and Resource Management
    Asset Privacy
        Data Processors
        Data Storage and Archiving
        Data Remanence
        Collection Limitation
    Data Retention
    Data Security and Controls
        Data Security
            Data at Rest
            Data in Transit
        Data Access and Sharing
        Baselines
        Scoping and Tailoring
        Standards Selection
        Cryptography
            Link Encryption
            End-to-End Encryption
    Asset Handling Requirements
        Marking, Labeling, and Storing
        Destruction
    Exam Preparation Tasks
        Review All Key Topics
        Complete the Tables and Lists from Memory
        Define Key Terms
        Answers and Explanations

Chapter 3  Security Engineering
    Engineering Using Secure Design Principles
        Security Model Concepts
            Confidentiality, Integrity, and Availability
            Assurance
            Security Modes
                Dedicated Security Mode
                System High Security Mode
                Compartmented Security Mode
                Multilevel Security Mode
            Defense in Depth
        Security Model Types
            State Machine Models
            Multilevel Lattice Models
            Matrix-Based Models
            Non-inference Models
            Information Flow Models
        Security Models
            Biba Model
            Bell-LaPadula Model
            Clark-Wilson Integrity Model
            Lipner Model
            Brewer-Nash (Chinese Wall) Model
            Graham-Denning Model
            Harrison-Ruzzo-Ullman Model
        System Architecture Steps
        ISO/IEC 42010:2011
        Computing Platforms
            Mainframe/Thin Clients
            Distributed Systems
            Middleware
            Embedded Systems
            Mobile Computing
            Virtual Computing
        Security Services
            Boundary Control Services
            Access Control Services
            Integrity Services
            Cryptography Services
            Auditing and Monitoring Services
        System Components
            CPU and Multiprocessing
            Memory and Storage
            Multitasking
            Input/Output Devices
            Operating Systems
            Memory Management
    System Security Evaluation Models
        TCSEC
            Rainbow Series
            Orange Book
            Red Book
        ITSEC
        Common Criteria
        Security Implementation Standards
            ISO/IEC 27001
            ISO/IEC 27002
            Payment Card Industry Data Security Standard (PCI-DSS)
        Controls and Countermeasures
    Security Capabilities of Information Systems
        Memory Protection
        Virtualization
        Trusted Platform Module (TPM)
        Interfaces
        Fault Tolerance
    Certification and Accreditation
    Security Architecture Maintenance
    Vulnerabilities of Security Architectures, Designs, and Solution Elements
        Client-Based
        Server-Based
        Data Flow Control
        Database
        Data Mining Warehouse
        Distributed Systems
        Cloud Computing
        Grid Computing
        Peer-to-Peer Computing
        Large-Scale Parallel Data Systems
        Cryptographic Systems
        Industrial Control Systems
    Vulnerabilities in Web-Based Systems
        Maintenance Hooks
        Time-of-Check/Time-of-Use Attacks
        Web-Based Attacks
            XML
            SAML
            OWASP
    Vulnerabilities in Mobile Systems
    Vulnerabilities in Embedded Devices and Cyber-Physical Systems
    Cryptography
        Cryptography Concepts
        Cryptographic Life Cycle
        Cryptography History
            Julius Caesar and the Caesar Cipher
            Vigenere Cipher
            Kerckhoff's Principle
            World War II Enigma
            Lucifer by IBM
        Cryptosystem ty
            Authorization
            Non-repudiation
        Key Management
        Cryptographic Types
            Running Key and Concealment Ciphers
            Substitution Ciphers
            Transposition Ciphers
            Symmetric Algorithms
                Stream-based Ciphers
                Block Ciphers
                Initialization Vectors (IVs)
            Asymmetric Algorithms
            Hybrid Ciphers
            Substitution Ciphers
            One-Time Pads
            Steganography
        Symmetric Algorithms
            Digital Encryption Standard (DES) and Triple DES (3DES)
                DES Modes
                Triple DES (3DES) and Modes
            Advanced Encryption Standard 5/RC6
            CAST
        Asymmetric Algorithms
            Diffie-Hellman
            RSA
            El Gamal
            ECC
            Knapsack
            Zero Knowledge Proof
        Public Key Infrastructure
            Certification Authority (CA) and Registration Authority (RA)
            OCSP
            Certificates
            Certificate Revocation List (CRL)
            PKI Steps
            Cross-Certification
        Key Management Practices
        Digital Signatures
        Digital Rights Management (DRM)
        Message -3
            RIPEMD-160
            Tiger
        Message Authentication Code
            HMAC
        One-Way lytic Attacks
            Ciphertext-Only Attack
            Known Plaintext Attack
            Chosen Plaintext Attack
            Chosen Ciphertext Attack
            Social Engineering
            Brute Force
