The official (ISC)2 CCSP CBK reference
| Field | Value |
|---|---|
| Other authors | |
| Format | E-book |
| Language | English |
| Published | Hoboken, New Jersey : John Wiley & Sons, Inc [2021] |
| Edition | 6th ed |
| Subjects | |
| View in Biblioteca Universitat Ramon Llull | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009644302406719 |

Table of contents:
- Cover
- Title Page
- Copyright Page
- Contents at a Glance
- Contents
- Foreword
- Introduction
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
- Domain 1 Security and Risk Management
- Understand, Adhere to, and Promote Professional Ethics
- (ISC)2 Code of Professional Ethics
- Organizational Code of Ethics
- Understand and Apply Security Concepts
- Confidentiality
- Integrity
- Availability
- Evaluate and Apply Security Governance Principles
- Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives
- Organizational Processes
- Organizational Roles and Responsibilities
- Security Control Frameworks
- Due Care and Due Diligence
- Determine Compliance and Other Requirements
- Legislative and Regulatory Requirements
- Industry Standards and Other Compliance Requirements
- Privacy Requirements
- Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context
- Cybercrimes and Data Breaches
- Licensing and Intellectual Property Requirements
- Import/Export Controls
- Transborder Data Flow
- Privacy
- Understand Requirements for Investigation Types
- Administrative
- Criminal
- Civil
- Regulatory
- Industry Standards
- Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
- Policies
- Standards
- Procedures
- Guidelines
- Identify, Analyze, and Prioritize Business Continuity Requirements
- Business Impact Analysis
- Develop and Document the Scope and the Plan
- Contribute to and Enforce Personnel Security Policies and Procedures
- Candidate Screening and Hiring
- Employment Agreements and Policies
- Onboarding, Transfers, and Termination Processes
- Vendor, Consultant, and Contractor Agreements and Controls
- Compliance Policy Requirements
- Privacy Policy Requirements
- Understand and Apply Risk Management Concepts
- Identify Threats and Vulnerabilities
- Risk Assessment
- Risk Response/Treatment
- Countermeasure Selection and Implementation
- Applicable Types of Controls
- Control Assessments
- Monitoring and Measurement
- Reporting
- Continuous Improvement
- Risk Frameworks
- Understand and Apply Threat Modeling Concepts and Methodologies
- Threat Modeling Concepts
- Threat Modeling Methodologies
- Apply Supply Chain Risk Management Concepts
- Risks Associated with Hardware, Software, and Services
- Third-Party Assessment and Monitoring
- Minimum Security Requirements
- Service-Level Requirements
- Frameworks
- Establish and Maintain a Security Awareness, Education, and Training Program
- Methods and Techniques to Present Awareness and Training
- Periodic Content Reviews
- Program Effectiveness Evaluation
- Summary
- Domain 2 Asset Security
- Identify and Classify Information and Assets
- Data Classification and Data Categorization
- Asset Classification
- Establish Information and Asset Handling Requirements
- Marking and Labeling
- Handling
- Storage
- Declassification
- Provision Resources Securely
- Information and Asset Ownership
- Asset Inventory
- Asset Management
- Manage Data Lifecycle
- Data Roles
- Data Collection
- Data Location
- Data Maintenance
- Data Retention
- Data Destruction
- Data Remanence
- Ensure Appropriate Asset Retention
- Determining Appropriate Records Retention
- Records Retention Best Practices
- Determine Data Security Controls and Compliance Requirements
- Data States
- Scoping and Tailoring
- Standards Selection
- Data Protection Methods
- Summary
- Domain 3 Security Architecture and Engineering
- Research, Implement, and Manage Engineering Processes Using Secure Design Principles
- ISO/IEC 19249
- Threat Modeling
- Secure Defaults
- Fail Securely
- Separation of Duties
- Keep It Simple
- Trust, but Verify
- Zero Trust
- Privacy by Design
- Shared Responsibility
- Defense in Depth
- Understand the Fundamental Concepts of Security Models
- Primer on Common Model Components
- Information Flow Model
- Noninterference Model
- Bell-LaPadula Model
- Biba Integrity Model
- Clark-Wilson Model
- Brewer-Nash Model
- Take-Grant Model
- Select Controls Based Upon Systems Security Requirements
- Understand Security Capabilities of Information Systems
- Memory Protection
- Secure Cryptoprocessor
- Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
- Client-Based Systems
- Server-Based Systems
- Database Systems
- Cryptographic Systems
- Industrial Control Systems
- Cloud-Based Systems
- Distributed Systems
- Internet of Things
- Microservices
- Containerization
- Serverless
- Embedded Systems
- High-Performance Computing Systems
- Edge Computing Systems
- Virtualized Systems
- Select and Determine Cryptographic Solutions
- Cryptography Basics
- Cryptographic Lifecycle
- Cryptographic Methods
- Public Key Infrastructure
- Key Management Practices
- Digital Signatures and Digital Certificates
- Nonrepudiation
- Integrity
- Understand Methods of Cryptanalytic Attacks
- Brute Force
- Ciphertext Only
- Known Plaintext
- Chosen Plaintext Attack
- Frequency Analysis
- Chosen Ciphertext
- Implementation Attacks
- Side-Channel Attacks
- Fault Injection
- Timing Attacks
- Man-in-the-Middle
- Pass the Hash
- Kerberos Exploitation
- Ransomware
- Apply Security Principles to Site and Facility Design
- Design Site and Facility Security Controls
- Wiring Closets/Intermediate Distribution Facilities
- Server Rooms/Data Centers
- Media Storage Facilities
- Evidence Storage
- Restricted and Work Area Security
- Utilities and Heating, Ventilation, and Air Conditioning
- Environmental Issues
- Fire Prevention, Detection, and Suppression
- Summary
- Domain 4 Communication and Network Security
- Assess and Implement Secure Design Principles in Network Architectures
- Open System Interconnection and Transmission Control Protocol/Internet Protocol Models
- The OSI Reference Model
- The TCP/IP Reference Model
- Internet Protocol Networking
- Secure Protocols
- Implications of Multilayer Protocols
- Converged Protocols
- Microsegmentation
- Wireless Networks
- Cellular Networks
- Content Distribution Networks
- Secure Network Components
- Operation of Hardware
- Repeaters, Concentrators, and Amplifiers
- Hubs
- Bridges
- Switches
- Routers
- Gateways
- Proxies
- Transmission Media
- Network Access Control
- Endpoint Security
- Mobile Devices
- Implement Secure Communication Channels According to Design
- Voice
- Multimedia Collaboration
- Remote Access
- Data Communications
- Virtualized Networks
- Third-Party Connectivity
- Summary
- Domain 5 Identity and Access Management
- Control Physical and Logical Access to Assets
- Access Control Definitions
- Information
- Systems
- Devices
- Facilities
- Applications
- Manage Identification and Authentication of People, Devices, and Services
- Identity Management Implementation
- Single/Multifactor Authentication
- Accountability
- Session Management
- Registration, Proofing, and Establishment of Identity
- Federated Identity Management
- Credential Management Systems
- Single Sign-On
- Just-In-Time
- Federated Identity with a Third-Party Service
- On Premises
- Cloud
- Hybrid
- Implement and Manage Authorization Mechanisms
- Role-Based Access Control
- Rule-Based Access Control
- Mandatory Access Control
- Discretionary Access Control
- Attribute-Based Access Control
- Risk-Based Access Control
- Manage the Identity and Access Provisioning Lifecycle
- Account Access Review
- Account Usage Review
- Provisioning and Deprovisioning
- Role Definition
- Privilege Escalation
- Implement Authentication Systems
- OpenID Connect/Open Authorization
- Security Assertion Markup Language
- Kerberos
- Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus
- Summary
- Domain 6 Security Assessment and Testing
- Design and Validate Assessment, Test, and Audit Strategies
- Internal
- External
- Third-Party
- Conduct Security Control Testing
- Vulnerability Assessment
- Penetration Testing
- Log Reviews
- Synthetic Transactions
- Code Review and Testing
- Misuse Case Testing
- Test Coverage Analysis
- Interface Testing
- Breach Attack Simulations
- Compliance Checks
- Collect Security Process Data
- Technical Controls and Processes
- Administrative Controls
- Account Management
- Management Review and Approval
- Management Reviews for Compliance
- Key Performance and Risk Indicators
- Backup Verification Data
- Training and Awareness
- Disaster Recovery and Business Continuity
- Analyze Test Output and Generate Report
- Typical Audit Report Contents
- Remediation
- Exception Handling
- Ethical Disclosure
- Conduct or Facilitate Security Audits
- Designing an Audit Program
- Internal Audits
- External Audits
- Third-Party Audits
- Summary
- Domain 7 Security Operations
- Understand and Comply with Investigations
- Evidence Collection and Handling
- Reporting and Documentation
- Investigative Techniques
- Digital Forensics Tools, Tactics, and Procedures