+353-1-416-8900REST OF WORLD
+44-20-3973-8888REST OF WORLD
1-917-300-0470EAST COAST U.S
1-800-526-8630U.S. (TOLL FREE)

The Official (ISC)2 Guide to the CISSP CBK Reference. Edition No. 1

  • Book

  • 928 Pages
  • June 2019
  • John Wiley and Sons Ltd
  • ID: 5226567

The only official, comprehensive reference guide to the CISSP

All new for 2019 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)2 for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)2, the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.

This CBK covers the new eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Written by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:

  • Common and good practices for each objective
  • Common vocabulary and definitions
  • References to widely accepted computing standards
  • Highlights of successful approaches through case studies

Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.

Table of Contents

Foreword xxv

Introduction xxvii

Domain 1: Security and Risk Management 1

Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2

Information Security 3

Evaluate and Apply Security Governance Principles 6

Alignment of Security Functions to Business Strategy, Goals, Mission, and Objectives 6

Vision, Mission, and Strategy 6

Governance 7

Due Care 10

Determine Compliance Requirements 11

Legal Compliance 12

Jurisdiction 12

Legal Tradition 12

Legal Compliance Expectations 13

Understand Legal and Regulatory Issues That Pertain to Information Security in a Global Context 13

Cyber Crimes and Data Breaches 14

Privacy 36

Understand, Adhere to, and Promote Professional Ethics 49

Ethical Decision-Making 49

Established Standards of Ethical Conduct 51

(ISC)² Ethical Practices 56

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 57

Organizational Documents 58

Policy Development 61

Policy Review Process 61

Identify, Analyze, and Prioritize Business Continuity Requirements 62

Develop and Document Scope and Plan 62

Risk Assessment 70

Business Impact Analysis 71

Develop the Business Continuity Plan 73

Contribute to and Enforce Personnel Security Policies and Procedures 80

Key Control Principles 80

Candidate Screening and Hiring 82

Onboarding and Termination Processes 91

Vendor, Consultant, and Contractor Agreements and Controls 96

Privacy in the Workplace 97

Understand and Apply Risk Management Concepts 99

Risk 99

Risk Management Frameworks 99

Risk Assessment Methodologies 108

Understand and Apply Threat Modeling Concepts and Methodologies 111

Threat Modeling Concepts 111

Threat Modeling Methodologies 112

Apply Risk-Based Management Concepts to the Supply Chain 116

Supply Chain Risks 116

Supply Chain Risk Management 119

Establish and Maintain a Security Awareness, Education, and Training Program 121

Security Awareness Overview 122

Developing an Awareness Program 123

Training 127

Summary 128

Domain 2: Asset Security 131

Asset Security Concepts 131

Data Policy 132

Data Governance 132

Data Quality 133

Data Documentation 134

Data Organization 136

Identify and Classify Information and Assets 139

Asset Classification 141

Determine and Maintain Information and Asset Ownership 145

Asset Management Lifecycle 146

Software Asset Management 148

Protect Privacy 152

Cross-Border Privacy and Data Flow Protection 153

Data Owners 161

Data Controllers 162

Data Processors 163

Data Stewards 164

Data Custodians 164

Data Remanence 164

Data Sovereignty 168

Data Localization or Residency 169

Government and Law Enforcement Access to Data 171

Collection Limitation 172

Understanding Data States 173

Data Issues with Emerging Technologies 173

Ensure Appropriate Asset Retention 175

Retention of Records 178

Determining Appropriate Records Retention 178

Retention of Records in Data Lifecycle 179

Records Retention Best Practices 180

Determine Data Security Controls 181

Technical, Administrative, and Physical Controls 183

Establishing the Baseline Security 185

Scoping and Tailoring 186

Standards Selection 189

Data Protection Methods 198

Establish Information and Asset Handling Requirements 208

Marking and Labeling 208

Handling 209

Declassifying Data 210

Storage 211

Summary 212

Domain 3: Security Architecture and Engineering 213

Implement and Manage Engineering Processes Using Secure Design Principles 215

Saltzer and Schroeder’s Principles 216

ISO/IEC 19249 221

Defense in Depth 229

Using Security Principles 230

Understand the Fundamental Concepts of Security Models 230

Bell-LaPadula Model 232

The Biba Integrity Model 234

The Clark-Wilson Model 235

The Brewer-Nash Model 235

Select Controls Based upon Systems Security Requirements 237

Understand Security Capabilities of Information Systems 241

Memory Protection 241

Virtualization 244

Secure Cryptoprocessor 247

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 253

Client-Based Systems 254

Server-Based Systems 255

Database Systems 257

Cryptographic Systems 260

Industrial Control Systems 267

Cloud-Based Systems 271

Distributed Systems 274

Internet of Things 275

Assess and Mitigate Vulnerabilities in Web-Based Systems 278

Injection Vulnerabilities 279

Broken Authentication 280

Sensitive Data Exposure 283

XML External Entities 284

Broken Access Control 284

Security Misconfiguration 285

Cross-Site Scripting 285

Using Components with Known Vulnerabilities 286

Insufficient Logging and Monitoring 286

Cross-Site Request Forgery 287

Assess and Mitigate Vulnerabilities in Mobile Systems 287

Passwords 288

Multifactor Authentication 288

Session Lifetime 289

Wireless Vulnerabilities 290

Mobile Malware 290

Unpatched Operating System or Browser 290

Insecure Devices 291

Mobile Device Management 291

Assess and Mitigate Vulnerabilities in Embedded Devices 292

Apply Cryptography 295

Cryptographic Lifecycle 295

Cryptographic Methods 298

Public Key Infrastructure 311

Key Management Practices 315

Digital Signatures 318

Non-Repudiation 320

Integrity 321

Understand Methods of Cryptanalytic Attacks 325

Digital Rights Management 339

Apply Security Principles to Site and Facility Design 342

Implement Site and Facility Security Controls 343

Physical Access Controls 343

Wiring Closets/Intermediate Distribution Facilities 345

Server Rooms/Data Centers 346

Media Storage Facilities 348

Evidence Storage 349

Restricted and Work Area Security 349

Utilities and Heating, Ventilation, and Air Conditioning 351

Environmental Issues 355

Fire Prevention, Detection, and Suppression 358

Summary 362

Domain 4: Communication and Network Security 363

Implement Secure Design Principles in Network Architectures 364

Open Systems Interconnection and Transmission Control Protocol/Internet Protocol Models 365

Internet Protocol Networking 382

Implications of Multilayer Protocols 392

Converged Protocols 394

Software-Defined Networks 395

Wireless Networks 396

Internet, Intranets, and Extranets 409

Demilitarized Zones 410

Virtual LANs 410

Secure Network Components 411

Firewalls 412

Network Address Translation 418

Intrusion Detection System 421

Security Information and Event Management 422

Network Security from Hardware Devices 423

Transmission Media 429

Endpoint Security 442

Implementing Defense in Depth 447

Content Distribution Networks 448

Implement Secure Communication Channels According to Design 449

Secure Voice Communications 449

Multimedia Collaboration 452

Remote Access 458

Data Communications 466

Virtualized Networks 470

Summary 481

Domain 5: Identity and Access Management 483

Control Physical and Logical Access to Assets 484

Information 485

Systems 486

Devices 487

Facilities 488

Manage Identification and Authentication of People, Devices, and Services 492

Identity Management Implementation 494

Single Factor/Multifactor Authentication 496

Accountability 511

Session Management 511

Registration and Proofing of Identity 513

Federated Identity Management 520

Credential Management Systems 524

Integrate Identity as a Third-Party Service 525

On-Premise 526

Cloud 527

Federated 527

Implement and Manage Authorization Mechanisms 528

Role-Based Access Control 528

Rule-Based Access Control 529

Mandatory Access Control 530

Discretionary Access Control 531

Attribute-Based Access Control 531

Manage the Identity and Access Provisioning Lifecycle 533

User Access Review 534

System Account Access Review 535

Provisioning and Deprovisioning 535

Auditing and Enforcement 536

Summary 537

Domain 6: Security Assessment and Testing 539

Design and Validate Assessment, Test, and Audit Strategies 540

Assessment Standards 543

Conduct Security Control Testing 545

Vulnerability Assessment 546

Penetration Testing 554

Log Reviews 564

Synthetic Transactions 565

Code Review and Testing 567

Misuse Case Testing 571

Test Coverage Analysis 573

Interface Testing 574

Collect Security Process Data 575

Account Management 577

Management Review and Approval 579

Key Performance and Risk Indicators 580

Backup Verification Data 583

Training and Awareness 584

Disaster Recovery and Business Continuity 585

Analyze Test Output and Generate Report 587

Conduct or Facilitate Security Audits 590

Internal Audits 591

External Audits 591

Third-Party Audits 592

Integrating Internal and External Audits 593

Auditing Principles 593

Audit Programs 594

Summary 596

Domain 7: Security Operations 597

Understand and Support Investigations 598

Evidence Collection and Handling 599

Reporting and Documentation 601

Investigative Techniques 602

Digital Forensics Tools, Techniques, and Procedures 604

Understand Requirements for Investigation Types 610

Administrative 611

Criminal 613

Civil 614

Regulatory 616

Industry Standards 616

Conduct Logging and Monitoring Activities 617

Define Auditable Events 618

Time 619

Protect Logs 620

Intrusion Detection and Prevention 621

Security Information and Event Management 623

Continuous Monitoring 625

Ingress Monitoring 629

Egress Monitoring 631

Securely Provision Resources 632

Asset Inventory 632

Asset Management 634

Configuration Management 635

Understand and Apply Foundational Security Operations Concepts 637

Need to Know/Least Privilege 637

Separation of Duties and Responsibilities 638

Privileged Account Management 640

Job Rotation 642

Information Lifecycle 643

Service Level Agreements 644

Apply Resource Protection Techniques to Media 647

Marking 647

Protecting 647

Transport 648

Sanitization and Disposal 649

Conduct Incident Management 650

An Incident Management Program 651

Detection 653

Response 656

Mitigation 657

Reporting 658

Recovery 661

Remediation 661

Lessons Learned 661

Third-Party Considerations 662

Operate and Maintain Detective and Preventative Measures 663

White-listing/Black-listing 665

Third-Party Security Services 665

Honeypots/Honeynets 667

Anti-Malware 667

Implement and Support Patch and Vulnerability Management 670

Understand and Participate in Change Management Processes 672

Implement Recovery Strategies 673

Backup Storage Strategies 673

Recovery Site Strategies 676

Multiple Processing Sites 678

System Resilience, High Availability, Quality of Service, and Fault Tolerance 679

Implement Disaster Recovery Processes 679

Response 680

Personnel 680

Communications 682

Assessment 682

Restoration 683

Training and Awareness 684

Test Disaster Recovery Plans 685

Read-Through/Tabletop 686

Walk-Through 687

Simulation 687

Parallel 687

Full Interruption 688

Participate in Business Continuity Planning and Exercises 688

Implement and Manage Physical Security 689

Physical Access Control 689

The Data Center 692

Address Personnel Safety and Security Concerns 693

Travel 693

Duress 693

Summary 694

Domain 8: Software Development Security 695

Understand and Integrate Security in the Software Development Lifecycle 696

Development Methodologies 696

Maturity Models 753

Operations and Maintenance 768

Change Management 770

Integrated Product Team 773

Identify and Apply Security Controls in Development Environments 776

Security of the Software Environment 777

Configuration Management as an Aspect of Secure Coding 796

Security of Code Repositories 798

Assess the Effectiveness of Software Security 802

Logging and Auditing of Changes 802

Risk Analysis and Mitigation 817

Assess the Security Impact of Acquired Software 835

Acquired Software Types 835

Software Acquisition Process 842

Relevant Standards 845

Software Assurance 848

Certification and Accreditation 852

Define and Apply Secure Coding Standards and Guidelines 853

Security Weaknesses and Vulnerabilities at the Source-Code Level 854

Security of Application Programming Interfaces 859

Secure Coding Practices 868

Summary 874

Index 875

Authors

John Warsinske Kevin Henry Mark Graff Christopher Hoover Ben Malisow Sean Murphy C. Paul Oakes George Pajari Jeff T. Parker David Seidl Mike Vasquez