The only official, comprehensive reference guide to the CISSP
All new for 2019 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)2 for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)2, the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.
This CBK covers the new eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Written by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:
- Common and good practices for each objective
- Common vocabulary and definitions
- References to widely accepted computing standards
- Highlights of successful approaches through case studies
Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.
Table of Contents
Foreword xxv
Introduction xxvii
Domain 1: Security and Risk Management 1
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2
Information Security 3
Evaluate and Apply Security Governance Principles 6
Alignment of Security Functions to Business Strategy, Goals, Mission, and Objectives 6
Vision, Mission, and Strategy 6
Governance 7
Due Care 10
Determine Compliance Requirements 11
Legal Compliance 12
Jurisdiction 12
Legal Tradition 12
Legal Compliance Expectations 13
Understand Legal and Regulatory Issues That Pertain to Information Security in a Global Context 13
Cyber Crimes and Data Breaches 14
Privacy 36
Understand, Adhere to, and Promote Professional Ethics 49
Ethical Decision-Making 49
Established Standards of Ethical Conduct 51
(ISC)² Ethical Practices 56
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 57
Organizational Documents 58
Policy Development 61
Policy Review Process 61
Identify, Analyze, and Prioritize Business Continuity Requirements 62
Develop and Document Scope and Plan 62
Risk Assessment 70
Business Impact Analysis 71
Develop the Business Continuity Plan 73
Contribute to and Enforce Personnel Security Policies and Procedures 80
Key Control Principles 80
Candidate Screening and Hiring 82
Onboarding and Termination Processes 91
Vendor, Consultant, and Contractor Agreements and Controls 96
Privacy in the Workplace 97
Understand and Apply Risk Management Concepts 99
Risk 99
Risk Management Frameworks 99
Risk Assessment Methodologies 108
Understand and Apply Threat Modeling Concepts and Methodologies 111
Threat Modeling Concepts 111
Threat Modeling Methodologies 112
Apply Risk-Based Management Concepts to the Supply Chain 116
Supply Chain Risks 116
Supply Chain Risk Management 119
Establish and Maintain a Security Awareness, Education, and Training Program 121
Security Awareness Overview 122
Developing an Awareness Program 123
Training 127
Summary 128
Domain 2: Asset Security 131
Asset Security Concepts 131
Data Policy 132
Data Governance 132
Data Quality 133
Data Documentation 134
Data Organization 136
Identify and Classify Information and Assets 139
Asset Classification 141
Determine and Maintain Information and Asset Ownership 145
Asset Management Lifecycle 146
Software Asset Management 148
Protect Privacy 152
Cross-Border Privacy and Data Flow Protection 153
Data Owners 161
Data Controllers 162
Data Processors 163
Data Stewards 164
Data Custodians 164
Data Remanence 164
Data Sovereignty 168
Data Localization or Residency 169
Government and Law Enforcement Access to Data 171
Collection Limitation 172
Understanding Data States 173
Data Issues with Emerging Technologies 173
Ensure Appropriate Asset Retention 175
Retention of Records 178
Determining Appropriate Records Retention 178
Retention of Records in Data Lifecycle 179
Records Retention Best Practices 180
Determine Data Security Controls 181
Technical, Administrative, and Physical Controls 183
Establishing the Baseline Security 185
Scoping and Tailoring 186
Standards Selection 189
Data Protection Methods 198
Establish Information and Asset Handling Requirements 208
Marking and Labeling 208
Handling 209
Declassifying Data 210
Storage 211
Summary 212
Domain 3: Security Architecture and Engineering 213
Implement and Manage Engineering Processes Using Secure Design Principles 215
Saltzer and Schroeder’s Principles 216
ISO/IEC 19249 221
Defense in Depth 229
Using Security Principles 230
Understand the Fundamental Concepts of Security Models 230
Bell-LaPadula Model 232
The Biba Integrity Model 234
The Clark-Wilson Model 235
The Brewer-Nash Model 235
Select Controls Based upon Systems Security Requirements 237
Understand Security Capabilities of Information Systems 241
Memory Protection 241
Virtualization 244
Secure Cryptoprocessor 247
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 253
Client-Based Systems 254
Server-Based Systems 255
Database Systems 257
Cryptographic Systems 260
Industrial Control Systems 267
Cloud-Based Systems 271
Distributed Systems 274
Internet of Things 275
Assess and Mitigate Vulnerabilities in Web-Based Systems 278
Injection Vulnerabilities 279
Broken Authentication 280
Sensitive Data Exposure 283
XML External Entities 284
Broken Access Control 284
Security Misconfiguration 285
Cross-Site Scripting 285
Using Components with Known Vulnerabilities 286
Insufficient Logging and Monitoring 286
Cross-Site Request Forgery 287
Assess and Mitigate Vulnerabilities in Mobile Systems 287
Passwords 288
Multifactor Authentication 288
Session Lifetime 289
Wireless Vulnerabilities 290
Mobile Malware 290
Unpatched Operating System or Browser 290
Insecure Devices 291
Mobile Device Management 291
Assess and Mitigate Vulnerabilities in Embedded Devices 292
Apply Cryptography 295
Cryptographic Lifecycle 295
Cryptographic Methods 298
Public Key Infrastructure 311
Key Management Practices 315
Digital Signatures 318
Non-Repudiation 320
Integrity 321
Understand Methods of Cryptanalytic Attacks 325
Digital Rights Management 339
Apply Security Principles to Site and Facility Design 342
Implement Site and Facility Security Controls 343
Physical Access Controls 343
Wiring Closets/Intermediate Distribution Facilities 345
Server Rooms/Data Centers 346
Media Storage Facilities 348
Evidence Storage 349
Restricted and Work Area Security 349
Utilities and Heating, Ventilation, and Air Conditioning 351
Environmental Issues 355
Fire Prevention, Detection, and Suppression 358
Summary 362
Domain 4: Communication and Network Security 363
Implement Secure Design Principles in Network Architectures 364
Open Systems Interconnection and Transmission Control Protocol/Internet Protocol Models 365
Internet Protocol Networking 382
Implications of Multilayer Protocols 392
Converged Protocols 394
Software-Defined Networks 395
Wireless Networks 396
Internet, Intranets, and Extranets 409
Demilitarized Zones 410
Virtual LANs 410
Secure Network Components 411
Firewalls 412
Network Address Translation 418
Intrusion Detection System 421
Security Information and Event Management 422
Network Security from Hardware Devices 423
Transmission Media 429
Endpoint Security 442
Implementing Defense in Depth 447
Content Distribution Networks 448
Implement Secure Communication Channels According to Design 449
Secure Voice Communications 449
Multimedia Collaboration 452
Remote Access 458
Data Communications 466
Virtualized Networks 470
Summary 481
Domain 5: Identity and Access Management 483
Control Physical and Logical Access to Assets 484
Information 485
Systems 486
Devices 487
Facilities 488
Manage Identification and Authentication of People, Devices, and Services 492
Identity Management Implementation 494
Single Factor/Multifactor Authentication 496
Accountability 511
Session Management 511
Registration and Proofing of Identity 513
Federated Identity Management 520
Credential Management Systems 524
Integrate Identity as a Third-Party Service 525
On-Premise 526
Cloud 527
Federated 527
Implement and Manage Authorization Mechanisms 528
Role-Based Access Control 528
Rule-Based Access Control 529
Mandatory Access Control 530
Discretionary Access Control 531
Attribute-Based Access Control 531
Manage the Identity and Access Provisioning Lifecycle 533
User Access Review 534
System Account Access Review 535
Provisioning and Deprovisioning 535
Auditing and Enforcement 536
Summary 537
Domain 6: Security Assessment and Testing 539
Design and Validate Assessment, Test, and Audit Strategies 540
Assessment Standards 543
Conduct Security Control Testing 545
Vulnerability Assessment 546
Penetration Testing 554
Log Reviews 564
Synthetic Transactions 565
Code Review and Testing 567
Misuse Case Testing 571
Test Coverage Analysis 573
Interface Testing 574
Collect Security Process Data 575
Account Management 577
Management Review and Approval 579
Key Performance and Risk Indicators 580
Backup Verification Data 583
Training and Awareness 584
Disaster Recovery and Business Continuity 585
Analyze Test Output and Generate Report 587
Conduct or Facilitate Security Audits 590
Internal Audits 591
External Audits 591
Third-Party Audits 592
Integrating Internal and External Audits 593
Auditing Principles 593
Audit Programs 594
Summary 596
Domain 7: Security Operations 597
Understand and Support Investigations 598
Evidence Collection and Handling 599
Reporting and Documentation 601
Investigative Techniques 602
Digital Forensics Tools, Techniques, and Procedures 604
Understand Requirements for Investigation Types 610
Administrative 611
Criminal 613
Civil 614
Regulatory 616
Industry Standards 616
Conduct Logging and Monitoring Activities 617
Define Auditable Events 618
Time 619
Protect Logs 620
Intrusion Detection and Prevention 621
Security Information and Event Management 623
Continuous Monitoring 625
Ingress Monitoring 629
Egress Monitoring 631
Securely Provision Resources 632
Asset Inventory 632
Asset Management 634
Configuration Management 635
Understand and Apply Foundational Security Operations Concepts 637
Need to Know/Least Privilege 637
Separation of Duties and Responsibilities 638
Privileged Account Management 640
Job Rotation 642
Information Lifecycle 643
Service Level Agreements 644
Apply Resource Protection Techniques to Media 647
Marking 647
Protecting 647
Transport 648
Sanitization and Disposal 649
Conduct Incident Management 650
An Incident Management Program 651
Detection 653
Response 656
Mitigation 657
Reporting 658
Recovery 661
Remediation 661
Lessons Learned 661
Third-Party Considerations 662
Operate and Maintain Detective and Preventative Measures 663
White-listing/Black-listing 665
Third-Party Security Services 665
Honeypots/Honeynets 667
Anti-Malware 667
Implement and Support Patch and Vulnerability Management 670
Understand and Participate in Change Management Processes 672
Implement Recovery Strategies 673
Backup Storage Strategies 673
Recovery Site Strategies 676
Multiple Processing Sites 678
System Resilience, High Availability, Quality of Service, and Fault Tolerance 679
Implement Disaster Recovery Processes 679
Response 680
Personnel 680
Communications 682
Assessment 682
Restoration 683
Training and Awareness 684
Test Disaster Recovery Plans 685
Read-Through/Tabletop 686
Walk-Through 687
Simulation 687
Parallel 687
Full Interruption 688
Participate in Business Continuity Planning and Exercises 688
Implement and Manage Physical Security 689
Physical Access Control 689
The Data Center 692
Address Personnel Safety and Security Concerns 693
Travel 693
Duress 693
Summary 694
Domain 8: Software Development Security 695
Understand and Integrate Security in the Software Development Lifecycle 696
Development Methodologies 696
Maturity Models 753
Operations and Maintenance 768
Change Management 770
Integrated Product Team 773
Identify and Apply Security Controls in Development Environments 776
Security of the Software Environment 777
Configuration Management as an Aspect of Secure Coding 796
Security of Code Repositories 798
Assess the Effectiveness of Software Security 802
Logging and Auditing of Changes 802
Risk Analysis and Mitigation 817
Assess the Security Impact of Acquired Software 835
Acquired Software Types 835
Software Acquisition Process 842
Relevant Standards 845
Software Assurance 848
Certification and Accreditation 852
Define and Apply Secure Coding Standards and Guidelines 853
Security Weaknesses and Vulnerabilities at the Source-Code Level 854
Security of Application Programming Interfaces 859
Secure Coding Practices 868
Summary 874
Index 875
