CISSP for dummies
Get CISSP certified, with this comprehensive study plan! Revised for the updated 2021 exam, CISSP For Dummies is packed with everything you need to succeed on test day. With deep content review on every domain, plenty of practice questions, and online study tools, this book helps aspiring security p...
| Other authors: | , |
|---|---|
| Format: | E-book |
| Language: | English |
| Published: | Hoboken, NJ : John Wiley and Sons [2022] |
| Edition: | Seventh edition |
| Subjects: | |
| View in Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009724227106719 |
Table of Contents:
- Intro
- Title Page
- Copyright Page
- Table of Contents
- Introduction
- About This Book
- Foolish Assumptions
- Icons Used in This Book
- Beyond the Book
- Where to Go from Here
- Part 1 Getting Started with CISSP Certification
- Chapter 1 (ISC)2 and the CISSP Certification
- About (ISC)2 and the CISSP Certification
- You Must Be This Tall to Ride This Ride (And Other Requirements)
- Preparing for the Exam
- Studying on your own
- Getting hands-on experience
- Getting official (ISC)2 CISSP training
- Attending other training courses or study groups
- Taking practice exams
- Are you ready for the exam?
- Registering for the Exam
- About the CISSP Examination
- After the Examination
- Chapter 2 Putting Your Certification to Good Use
- Networking with Other Security Professionals
- Being an Active (ISC)2 Member
- Considering (ISC)2 Volunteer Opportunities
- Writing certification exam questions
- Speaking at events
- Helping at (ISC)2 conferences
- Reading and contributing to (ISC)2 publications
- Supporting the (ISC)2 Center for Cyber Safety and Education
- Participating in bug-bounty programs
- Participating in (ISC)2 focus groups
- Joining the (ISC)2 community
- Getting involved with a CISSP study group
- Helping others learn more about data security
- Becoming an Active Member of Your Local Security Chapter
- Spreading the Good Word about CISSP Certification
- Leading by example
- Using Your CISSP Certification to Be an Agent of Change
- Earning Other Certifications
- Other (ISC)2 certifications
- CISSP concentrations
- Non-(ISC)2 certifications
- Choosing the right certifications
- Finding a mentor, being a mentor
- Building your professional brand
- Pursuing Security Excellence
- Part 2 Certification Domains
- Chapter 3 Security and Risk Management
- Understand, Adhere to, and Promote Professional Ethics
- (ISC)2 Code of Professional Ethics
- Organizational code of ethics
- Understand and Apply Security Concepts
- Confidentiality
- Integrity
- Availability
- Authenticity
- Nonrepudiation
- Evaluate and Apply Security Governance Principles
- Alignment of security function to business strategy, goals, mission, and objectives
- Organizational processes
- Organizational roles and responsibilities
- Security control frameworks
- Due care and due diligence
- Determine Compliance and Other Requirements
- Contractual, legal, industry standards, and regulatory requirements
- Privacy requirements
- Understand Legal and Regulatory Issues That Pertain to Information Security
- Cybercrimes and data breaches
- Licensing and intellectual property requirements
- Import/export controls
- Transborder data flow
- Privacy
- Understand Requirements for Investigation Types
- Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines
- Policies
- Standards (and baselines)
- Procedures
- Guidelines
- Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
- Business impact analysis
- Develop and document the scope and the plan
- Contribute to and Enforce Personnel Security Policies and Procedures
- Candidate screening and hiring
- Employment agreements and policies
- Onboarding, transfers, and termination processes
- Vendor, consultant, and contractor agreements and controls
- Compliance policy requirements
- Privacy policy requirements
- Understand and Apply Risk Management Concepts
- Identify threats and vulnerabilities
- Risk assessment/analysis
- Risk appetite and risk tolerance
- Risk treatment
- Countermeasure selection and implementation
- Applicable types of controls
- Control assessments (security and privacy)
- Monitoring and measurement
- Reporting
- Continuous improvement
- Risk frameworks
- Understand and Apply Threat Modeling Concepts and Methodologies
- Identifying threats
- Determining and diagramming potential attacks
- Performing reduction analysis
- Remediating threats
- Apply Supply Chain Risk Management (SCRM) Concepts
- Risks associated with hardware, software, and services
- Third-party assessment and monitoring
- Fourth-party risk
- Minimum security requirements
- Service-level agreement requirements
- Establish and Maintain a Security Awareness, Education, and Training Program
- Methods and techniques to present awareness and training
- Periodic content reviews
- Program effectiveness evaluation
- Chapter 4 Asset Security
- Identify and Classify Information and Assets
- Data classification
- Asset classification
- Establish Information and Asset Handling Requirements
- Provision Resources Securely
- Information and asset ownership
- Asset inventory
- Asset management
- Manage Data Life Cycle
- Data roles
- Data collection
- Data location
- Data maintenance
- Data retention
- Data remanence
- Data destruction
- Ensure Appropriate Asset Retention
- End of life
- End of support
- Determine Data Security Controls and Compliance Requirements
- Data states
- Scoping and tailoring
- Standards selection
- Data protection methods
- Chapter 5 Security Architecture and Engineering
- Research, Implement, and Manage Engineering Processes Using Secure Design Principles
- Threat modeling
- Least privilege (and need to know)
- Defense in depth
- Secure defaults
- Fail securely
- Separation of duties
- Keep it simple
- Zero trust
- Privacy by design
- Trust but verify
- Shared responsibility
- Understand the Fundamental Concepts of Security Models
- Select Controls Based Upon Systems Security Requirements
- Evaluation criteria
- System certification and accreditation
- Understand Security Capabilities of Information Systems
- Trusted Computing Base
- Trusted Platform Module
- Secure modes of operation
- Open and closed systems
- Memory protection
- Encryption and decryption
- Protection rings
- Security modes
- Recovery procedures
- Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
- Client-based systems
- Server-based systems
- Database systems
- Cryptographic systems
- Industrial control systems
- Cloud-based systems
- Distributed systems
- Internet of Things
- Microservices
- Containerization
- Serverless
- Embedded systems
- High-performance computing systems
- Edge computing systems
- Virtualized systems
- Web-based systems
- Mobile systems
- Select and Determine Cryptographic Solutions
- Plaintext and ciphertext
- Encryption and decryption
- End-to-end encryption
- Link encryption
- Putting it all together: The cryptosystem
- Classes of ciphers
- Types of ciphers
- Cryptographic life cycle
- Cryptographic methods
- Public key infrastructure
- Key management practices
- Digital signatures and digital certificates
- Nonrepudiation
- Integrity (hashing)
- Understand Methods of Cryptanalytic Attacks
- Brute force
- Ciphertext only
- Known plaintext
- Frequency analysis
- Chosen ciphertext
- Implementation attacks
- Side channel
- Fault injection
- Timing
- Man in the middle
- Pass the hash
- Kerberos exploitation
- Ransomware
- Apply Security Principles to Site and Facility Design
- Design Site and Facility Security Controls
- Wiring closets, server rooms, and more
- Restricted and work area security
- Utilities and heating, ventilation, and air conditioning
- Environmental issues
- Fire prevention, detection, and suppression
- Power
- Chapter 6 Communication and Network Security
- Assess and Implement Secure Design Principles in Network Architectures
- OSI and TCP/IP models
- The OSI Reference Model
- The TCP/IP Model
- Secure Network Components
- Operation of hardware
- Transmission media
- Network access control devices
- Endpoint security
- Implement Secure Communication Channels According to Design
- Voice
- Multimedia collaboration
- Remote access
- Data communications
- Virtualized networks
- Third-party connectivity
- Chapter 7 Identity and Access Management
- Control Physical and Logical Access to Assets
- Information
- Systems and devices
- Facilities
- Applications
- Manage Identification and Authentication of People, Devices, and Services
- Identity management implementation
- Single-/multifactor authentication
- Accountability
- Session management
- Registration, proofing, and establishment of identity
- Federated identity management
- Credential management systems
- Single sign-on
- Just-in-Time
- Federated Identity with a Third-Party Service
- On-premises
- Cloud
- Hybrid
- Implement and Manage Authorization Mechanisms
- Role-based access control
- Rule-based access control
- Mandatory access control
- Discretionary access control
- Attribute-based access control
- Risk-based access control
- Manage the Identity and Access Provisioning Life Cycle
- Implement Authentication Systems
- OpenID Connect/Open Authorization
- Security Assertion Markup Language
- Kerberos
- RADIUS and TACACS+
- Chapter 8 Security Assessment and Testing
- Design and Validate Assessment, Test, and Audit Strategies
- Conduct Security Control Testing
- Vulnerability assessment
- Penetration testing
- Log reviews
- Synthetic transactions
- Code review and testing
- Misuse case testing
- Test coverage analysis