The only official, comprehensive reference guide to the CISSP
Thoroughly updated for 2021 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)2 for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)2, the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.
This CBK covers the current eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Revised and updated by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:
- Common and good practices for each objective
- Common vocabulary and definitions
- References to widely accepted computing standards
- Highlights of successful approaches through case studies
Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.
Table of Contents
Foreword xix
Introduction xxi
Domain 1: Security and Risk Management 1
Understand, Adhere to, and Promote Professional Ethics 2
(ISC)2 Code of Professional Ethics 2
Organizational Code of Ethics 3
Understand and Apply Security Concepts 4
Confidentiality 4
Integrity 5
Availability 6
Limitations of the CIA Triad 7
Evaluate and Apply Security Governance Principles 8
Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives 9
Organizational Processes 10
Organizational Roles and Responsibilities 14
Security Control Frameworks 15
Due Care and Due Diligence 22
Determine Compliance and Other Requirements 23
Legislative and Regulatory Requirements 23
Industry Standards and Other Compliance Requirements 25
Privacy Requirements 27
Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context 28
Cybercrimes and Data Breaches 28
Licensing and Intellectual Property Requirements 36
Import/Export Controls 39
Transborder Data Flow 40
Privacy 41
Understand Requirements for Investigation Types 48
Administrative 49
Criminal 50
Civil 52
Regulatory 53
Industry Standards 54
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 55
Policies 55
Standards 56
Procedures 57
Guidelines 57
Identify, Analyze, and Prioritize Business Continuity Requirements 58
Business Impact Analysis 59
Develop and Document the Scope and the Plan 61
Contribute to and Enforce Personnel Security Policies and Procedures 63
Candidate Screening and Hiring 63
Employment Agreements and Policies 64
Onboarding, Transfers, and Termination Processes 65
Vendor, Consultant, and Contractor Agreements and Controls 67
Compliance Policy Requirements 67
Privacy Policy Requirements 68
Understand and Apply Risk Management Concepts 68
Identify Threats and Vulnerabilities 68
Risk Assessment 70
Risk Response/Treatment 72
Countermeasure Selection and Implementation 73
Applicable Types of Controls 75
Control Assessments 76
Monitoring and Measurement 77
Reporting 77
Continuous Improvement 78
Risk Frameworks 78
Understand and Apply Threat Modeling Concepts and Methodologies 83
Threat Modeling Concepts 84
Threat Modeling Methodologies 85
Apply Supply Chain Risk Management Concepts 88
Risks Associated with Hardware, Software, and Services 88
Third-Party Assessment and Monitoring 89
Minimum Security Requirements 90
Service-Level
Requirements 90
Frameworks 91
Establish and Maintain a Security Awareness, Education, and Training Program 92
Methods and Techniques to Present Awareness and Training 93
Periodic Content Reviews 94
Program Effectiveness Evaluation 94
Summary 95
Domain 2: Asset Security 97
Identify and Classify Information and Assets 97
Data Classification and Data Categorization 99
Asset Classification 101
Establish Information and Asset Handling Requirements 104
Marking and Labeling 104
Handling 105
Storage 105
Declassification 106
Provision Resources Securely 108
Information and Asset Ownership 108
Asset Inventory 109
Asset Management 112
Manage Data Lifecycle 115
Data Roles 116
Data Collection 120
Data Location 120
Data Maintenance 121
Data Retention 122
Data Destruction 123
Data Remanence 123
Ensure Appropriate Asset Retention 127
Determining Appropriate Records Retention 129
Records Retention Best Practices 130
Determine Data Security Controls and Compliance Requirements 131
Data States 133
Scoping and Tailoring 135
Standards Selection 137
Data Protection Methods 141
Summary 144
Domain 3: Security Architecture and Engineering 147
Research, Implement, and Manage Engineering Processes Using Secure Design Principles 149
ISO/IEC 19249 150
Threat Modeling 157
Secure Defaults 160
Fail Securely 161
Separation of Duties 161
Keep It Simple 162
Trust, but Verify 162
Zero Trust 163
Privacy by Design 165
Shared Responsibility 166
Defense in Depth 167
Understand the Fundamental Concepts of Security Models 168
Primer on Common Model Components 168
Information Flow Model 169
Noninterference Model 169
Bell-LaPadula Model 170
Biba Integrity Model 172
Clark-Wilson Model 173
Brewer-Nash Model 173
Take-Grant Model 175
Select Controls Based Upon Systems Security Requirements 175
Understand Security Capabilities of Information Systems 179
Memory Protection 180
Secure Cryptoprocessor 182
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 187
Client-Based Systems 187
Server-Based Systems 189
Database Systems 191
Cryptographic Systems 194
Industrial Control Systems 200
Cloud-Based Systems 203
Distributed Systems 207
Internet of Things 208
Microservices 212
Containerization 214
Serverless 215
Embedded Systems 216
High-Performance Computing Systems 219
Edge Computing Systems 220
Virtualized Systems 221
Select and Determine Cryptographic Solutions 224
Cryptography Basics 225
Cryptographic Lifecycle 226
Cryptographic Methods 229
Public Key Infrastructure 243
Key Management Practices 246
Digital Signatures and Digital Certificates 250
Nonrepudiation 252
Integrity 253
Understand Methods of Cryptanalytic Attacks 257
Brute Force 258
Ciphertext Only 260
Known Plaintext 260
Chosen Plaintext Attack 260
Frequency Analysis 261
Chosen Ciphertext 261
Implementation Attacks 261
Side-Channel Attacks 261
Fault Injection 263
Timing Attacks 263
Man-in-the-Middle 263
Pass the Hash 263
Kerberos Exploitation 264
Ransomware 264
Apply Security Principles to Site and Facility Design 265
Design Site and Facility Security Controls 265
Wiring Closets/Intermediate Distribution Facilities 266
Server Rooms/Data Centers 267
Media Storage Facilities 268
Evidence Storage 269
Restricted and Work Area Security 270
Utilities and Heating, Ventilation, and Air Conditioning 272
Environmental Issues 275
Fire Prevention, Detection, and Suppression 277
Summary 281
Domain 4: Communication and Network Security 283
Assess and Implement Secure Design Principles in Network Architectures 283
Open System Interconnection and Transmission Control Protocol/Internet Protocol Models 285
The OSI Reference Model 286
The TCP/IP Reference Model 299
Internet Protocol Networking 302
Secure Protocols 311
Implications of Multilayer Protocols 313
Converged Protocols 315
Microsegmentation 316
Wireless Networks 319
Cellular Networks 333
Content Distribution Networks 334
Secure Network Components 335
Operation of Hardware 335
Repeaters, Concentrators, and Amplifiers 341
Hubs 341
Bridges 342
Switches 342
Routers 343
Gateways 343
Proxies 343
Transmission Media 345
Network Access Control 352
Endpoint Security 354
Mobile Devices 355
Implement Secure Communication Channels According to Design 357
Voice 357
Multimedia Collaboration 359
Remote Access 365
Data Communications 371
Virtualized Networks 373
Third-Party
Connectivity 374
Summary 374
Domain 5: Identity and Access Management 377
Control Physical and Logical Access to Assets 378
Access Control Definitions 378
Information 379
Systems 380
Devices 381
Facilities 383
Applications 386
Manage Identification and Authentication of People, Devices, and Services 387
Identity Management Implementation 388
Single/Multifactor Authentication 389
Accountability 396
Session Management 396
Registration, Proofing, and Establishment of Identity 397
Federated Identity Management 399
Credential Management Systems 399
Single Sign-On 400
Just-In-Time 401
Federated Identity with a Third-Party Service 401
On Premises 402
Cloud 403
Hybrid 403
Implement and Manage Authorization Mechanisms 404
Role-Based Access Control 405
Rule-Based Access Control 405
Mandatory Access Control 406
Discretionary Access Control 406
Attribute-Based Access Control 407
Risk-Based Access Control 408
Manage the Identity and Access Provisioning Lifecycle 408
Account Access Review 409
Account Usage Review 411
Provisioning and Deprovisioning 411
Role Definition 412
Privilege Escalation 413
Implement Authentication Systems 414
OpenID Connect/Open Authorization 414
Security Assertion Markup Language 415
Kerberos 416
Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus 417
Summary 418
Domain 6: Security Assessment and Testing 419
Design and Validate Assessment, Test, and Audit Strategies 420
Internal 421
External 422
Third-Party 423
Conduct Security Control Testing 423
Vulnerability Assessment 423
Penetration Testing 428
Log Reviews 435
Synthetic Transactions 435
Code Review and Testing 436
Misuse Case Testing 437
Test Coverage Analysis 438
Interface Testing 439
Breach Attack Simulations 440
Compliance Checks 441
Collect Security Process Data 442
Technical Controls and Processes 443
Administrative Controls 443
Account Management 444
Management Review and Approval 445
Management Reviews for Compliance 446
Key Performance and Risk Indicators 447
Backup Verification Data 450
Training and Awareness 450
Disaster Recovery and Business Continuity 451
Analyze Test Output and Generate Report 452
Typical Audit Report Contents 453
Remediation 454
Exception Handling 455
Ethical Disclosure 456
Conduct or Facilitate Security Audits 458
Designing an Audit Program 458
Internal Audits 459
External Audits 460
Third-Party Audits 460
Summary 461
Domain 7: Security Operations 463
Understand and Comply with Investigations 464
Evidence Collection and Handling 465
Reporting and Documentation 467
Investigative Techniques 469
Digital Forensics Tools, Tactics, and Procedures 470
Artifacts 475
Conduct Logging and Monitoring Activities 478
Intrusion Detection and Prevention 478
Security Information and Event Management 480
Continuous Monitoring 481
Egress Monitoring 483
Log Management 484
Threat Intelligence 486
User and Entity Behavior Analytics 488
Perform Configuration Management 489
Provisioning 490
Asset Inventory 492
Baselining 492
Automation 493
Apply Foundational Security Operations Concepts 494
Need-to-Know/Least Privilege 494
Separation of Duties and Responsibilities 495
Privileged Account Management 496
Job Rotation 498
Service-Level
Agreements 498
Apply Resource Protection 499
Media Management 500
Media Protection Techniques 501
Conduct Incident Management 502
Incident Management Plan 503
Detection 505
Response 506
Mitigation 507
Reporting 508
Recovery 510
Remediation 510
Lessons Learned 511
Operate and Maintain Detective and Preventative Measures 511
Firewalls 512
Intrusion Detection Systems and Intrusion Prevention Systems 514
Whitelisting/Blacklisting 515
Third-Party-Provided Security Services 515
Sandboxing 517
Honeypots/Honeynets 517
Anti-malware 518
Machine Learning and Artificial Intelligence Based Tools 518
Implement and Support Patch and Vulnerability Management 519
Patch Management 519
Vulnerability Management 521
Understand and Participate in Change Management Processes 522
Implement Recovery Strategies 523
Backup Storage Strategies 524
Recovery Site Strategies 527
Multiple Processing Sites 527
System Resilience, High Availability, Quality of Service, and Fault Tolerance 528
Implement Disaster Recovery Processes 529
Response 529
Personnel 530
Communications 531
Assessment 532
Restoration 533
Training and Awareness 534
Lessons Learned 534
Test Disaster Recovery Plans 535
Read-through/Tabletop 536
Walkthrough 536
Simulation 537
Parallel 537
Full Interruption 537
Participate in Business Continuity Planning and Exercises 538
Implement and Manage Physical Security 539
Perimeter Security Controls 541
Internal Security Controls 543
Address Personnel Safety and Security Concerns 545
Travel 545
Security Training and Awareness 546
Emergency Management 546
Duress 547
Summary 548
Domain 8: Software Development Security 549
Understand and Integrate Security in the Software Development Life Cycle (SDLC) 550
Development Methodologies 551
Maturity Models 561
Operation and Maintenance 567
Change Management 568
Integrated Product Team 571
Identify and Apply Security Controls in Software Development Ecosystems 572
Programming Languages 572
Libraries 577
Toolsets 578
Integrated Development Environment 579
Runtime 580
Continuous Integration and Continuous Delivery 581
Security Orchestration, Automation, and Response 583
Software Configuration Management 585
Code Repositories 586
Application Security Testing 588
Assess the Effectiveness of Software Security 590
Auditing and Logging of Changes 590
Risk Analysis and Mitigation 595
Assess Security Impact of Acquired Software 599
Commercial Off-the-Shelf 599
Open Source 601
Third-Party 602
Managed Services (SaaS, IaaS, PaaS) 602
Define and Apply Secure Coding Guidelines and Standards 604
Security Weaknesses and Vulnerabilities at the Source-Code Level 605
Security of Application Programming Interfaces 613
API Security Best Practices 613
Secure Coding Practices 618
Software-Defined Security 621
Summary 624
Index 625