CISSP For Dummies, 5th Edition


Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright 2016 by John Wiley & Sons, Inc., Hoboken, New Jersey

Media and software compilation copyright 2016 by John Wiley & Sons, Inc. All rights reserved.

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. All trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit www.wiley.com/techsupport.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2016931711

ISBN 978-1-119-21023-8 (pbk); 978-1-119-21025-2 (epub); 978-1-119-21024-5 (epdf)

CISSP For Dummies

Visit www.dummies.com/cheatsheet/cissp to view this book's cheat sheet.

Table of Contents

Cover
Foreword
Introduction
    About This Book
    How This Book Is Organized
    Icons Used in This Book
    Beyond the Book
    Getting Started
Part I: Getting Started With CISSP Certification
    Chapter 1: (ISC)2 and the CISSP Certification
        About (ISC)2 and the CISSP Certification
        You Must Be This Tall to Ride This Ride (and Other Requirements)
        Preparing for the Exam
        Registering for the Exam
        About the CISSP Examination
        After the Examination
    Chapter 2: Putting Your Certification to Good Use
        Being an Active (ISC)2 Member
        Considering (ISC)2 Volunteer Opportunities
        Becoming an Active Member of Your Local Security Chapter
        Spreading the Good Word about CISSP Certification
        Using Your CISSP Certification to Be an Agent of Change
        Earning Other Certifications
        Pursue Security Excellence
Part II: Certification Domains
    Chapter 3: Security and Risk Management
        Understand and Apply Concepts of Confidentiality, Integrity, and Availability
        Apply Security Governance Principles
        Compliance
        Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context
        Understand Professional Ethics
        Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines
        Understand Business Continuity Requirements
        Contribute to Personnel Security Policies
        Understand and Apply Risk Management Concepts
        Understand and Apply Threat Modeling
        Integrate Security Risk Considerations into Acquisition Strategy and Practice
        Establish and Manage Information Security Education, Training, and Awareness
    Chapter 4: Asset Security
        Classify Information and Supporting Assets
        Determine and Maintain Ownership
        Protect Privacy
        Ensure Appropriate Retention
        Determine Data Security Controls
        Establish Handling Requirements
    Chapter 5: Security Engineering
        Implement and Manage Engineering Processes Using Secure Design Principles
        Understand the Fundamental Concepts of Security Models
        Select Controls and Countermeasures based upon Systems Security Evaluation Models
        Understand Security Capabilities of Information Systems
        Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
        Assess and Mitigate Vulnerabilities in Web-Based Systems
        Assess and Mitigate Vulnerabilities in Mobile Systems
        Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems
        Apply Cryptography
        Apply Secure Principles to Site and Facility Design
        Design and Implement Physical Security
    Chapter 6: Communication and Network Security
        Apply Secure Design Principles to Network Architecture
        Secure Network Components
        Design and Establish Secure Communication Channels
        Prevent or Mitigate Network Attacks
    Chapter 7: Identity and Access Management
        Control Physical and Logical Access to Assets
        Manage Identification and Authentication of People and Devices
        Integrate Identity-as-a-Service
        Integrate Third-Party Identity Services
        Implement and Manage Authorization Mechanisms
        Prevent or Mitigate Access Control Attacks
        Manage the Identity and Access Provisioning Lifecycle
    Chapter 8: Security Assessment and Testing
        Design and Validate Assessment and Test Strategies
        Conduct Security Control Testing
        Collect Security Process Data
        Analyze and Report Test Outputs
        Conduct or Facilitate Internal and Third Party Audits
    Chapter 9: Security Operations
        Understand and Support Investigations
        Understand Requirements for Investigation Types
        Conduct Logging and Monitoring Activities
        Secure the Provisioning of Resources
        Understand and Apply Foundational Security Operations Concepts
        Employ Resource Protection Techniques
        Conduct Incident Management
        Operate and Maintain Preventative Measures
        Implement and Support Patch and Vulnerability Management
        Participate in and Understand Change Management Processes
        Implement Recovery Strategies
        Implement Disaster Recovery Processes
        Test Disaster Recovery Plans
        Participate in Business Continuity Planning and Exercises
        Implement and Manage Physical Security
        Participate in Addressing Personnel Safety Concerns
    Chapter 10: Software Development Security
        Understand and Apply Security in the Software Development Lifecycle
        Enforce Security Controls in Development Environments
        Assess the Effectiveness of Software Security
        Assess Security Impact of Acquired Software
Part III: The Part of Tens
    Chapter 11: Ten (Okay, Nine) Test-Planning Tips
        Know Your Learning Style
        Get a Networking Certification First
        Register NOW!
        Make a 60-Day Study Plan
        Get Organized and READ!
        Join a Study Group
        Take Practice Exams
        Take a CISSP Review Seminar
        Take a Breather
    Chapter 12: Ten Test-Day Tips
        Get a Good Night’s Rest
        Dress Comfortably
        Eat a Good Breakfast
        Arrive Early
        Bring a Photo ID
        Bring Snacks and Drinks
        Bring Prescription and Over-the-Counter Medications
        Leave Your Electronic Devices Behind
        Take Frequent Breaks
        Guess — as a Last Resort
Glossary
About the Authors
Cheat Sheet
Advertisement Page
Connect with Dummies
End User License Agreement

Foreword

Let’s face it, those of us who have prepared for the (ISC)2 Certified Information Systems Security Professional (CISSP) exam know it can be a daunting task. Some candidates spread their preparation out over the course of a year; others take months, and others prepare in a matter of weeks. Then there are those who schedule and take the exam with little to no preparation. There’s really no wrong way to prepare, if your approach leads to the achievement of your professional goals. That said, I am frequently asked "What is the best book to use to prepare for the CISSP exam?" There’s a plethora of choices: the thick official guide book, the CISSP study guide, or independent books written by those in the industry. Suffice it to say, there is no shortage of books available to prepare for the CISSP exam. Which leads me to CISSP For Dummies.

The Wiley For Dummies series has become a wildly successful approach to learning about a broad range of popular topics. With so many topics covered by the popular series, most of us have a For Dummies book on at least one topic. The series presents popular topics in a lighter, more digestible way that hopefully facilitates learning. At (ISC)2, we are proud that our CISSP has become such a popular topic and professional certification that it has earned its own CISSP For Dummies, which we are pleased to endorse.

As you prepare for the CISSP exam, we hope you find the tools that work best for your study methods and maintaining your skills. I wish you the best of luck as you prepare for the (ISC)2 CISSP exam and work toward achieving your professional goals.

Best regards,
David P. Shearer
CEO
(ISC)2, Inc.

Introduction

For more than 20 years security practitioners around the world have been pursuing a well-known and highly regarded professional credential: the Certified Information Systems Security Professional (CISSP) certification. And since 2001, CISSP For Dummies has been helping security practitioners enhance their security knowledge and earn the coveted CISSP certification.

Today, there are more than 100,000 CISSPs worldwide. Ironically, some certification skeptics might argue that the CISSP certification is becoming less relevant because so many people have earned the certification. However, the CISSP certification isn’t less relevant because more people are attaining it — more people are attaining it because it’s now more relevant than ever. Information security is far more important than at any time in the past, with extremely large-scale data security breaches and highly sophisticated cyberattacks becoming all too frequent occurrences in our modern era.

There are many excellent and reputable information security training and education programs available. In addition to technical and industry certifications, there are also many fully accredited postsecondary degree, certificate and apprenticeship programs available for information security practitioners. And there are certainly plenty of self-taught, highly skilled individuals working in the information security field who have a strong understanding of core security concepts, techniques and technologies.

But inevitably, there are also far too many charlatans who are all too willing to overstate their security qualifications and prey on the obliviousness of business and other leaders — who think “wiping” a server, for example, means “like, with a cloth or something” — in order to pursue a fulfilling career in the information security field, or perhaps for dubious purposes.

The CISSP certification is widely held as the professional standard for information security professionals, similar to the Certified Public Accountant (CPA) license for accountants or the Professional Engineer (PE) license for engineers. It enables security professionals to distinguish themselves from others in the information security field by validating both their knowledge and experience. Likewise, it enables businesses and other organizations to identify qualified information security professionals and verify the knowledge and experience of candidates for critical information security roles in their respective organizations. Thus, the CISSP certification is more relevant and important than ever before.

About This Book

Our goal in this book is simple: to help you prepare for and pass the CISSP examination so that you can join the ranks of respected certified security professionals who dutifully serve organizations and industries around the world. Although we’ve stuffed it chock-full of good information, we don’t expect that this book will be a weighty desktop reference on the shelf of every security professional — although we certainly wouldn’t object.

And we don’t intend for this book to be an all-purpose, be-all-and-end-all, one-stop shop that has all the answers to life’s great mysteries. Given the broad base of knowledge required for the CISSP certification, we strongly recommend that you use multiple resources to prepare for the exam and study as much relevant information as your time and resources allow. CISSP For Dummies, 5th Edition, provides the framework and the blueprint for your study effort and sufficient information to help you pass the exam, but it won’t make you an information security expert!

Finally, as a security professional, earning your CISSP certification is only the beginning. Business and technology, which have associated risks and vulnerabilities, require that each of us — as security professionals — constantly press forward, consuming vast volumes of knowledge and information in a constant tug-of-war against the bad guys.

How This Book Is Organized

This book is organized in three parts. We cover the International Information Systems Security Certifications Consortium (ISC)2 and examination basics in Part I, the eight Common Body of Knowledge (CBK) domains in Part II, the Part of Ten
