The Official (ISC)2 Guide to the CISSP CBK Reference

Contents

Foreword  xxv
Introduction  xxvii

Domain 1: Security and Risk Management  1
  Understand and Apply Concepts of Confidentiality, Integrity, and Availability  2
    Information Security  3
  Evaluate and Apply Security Governance Principles  6
    Alignment of Security Functions to Business Strategy, Goals, Mission, and Objectives  6
    Vision, Mission, and Strategy  6
    Governance  7
    Due Care  10
  Determine Compliance Requirements  11
    Legal Compliance  12
    Jurisdiction  12
    Legal Tradition  12
    Legal Compliance Expectations  13
  Understand Legal and Regulatory Issues That Pertain to Information Security in a Global Context  13
    Cyber Crimes and Data Breaches  14
    Privacy  36
  Understand, Adhere to, and Promote Professional Ethics  49
    Ethical Decision-Making  49
    Established Standards of Ethical Conduct  51
    (ISC)² Ethical Practices  56
  Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines  57
    Organizational Documents  58
    Policy Development  61
    Policy Review Process  61
  Identify, Analyze, and Prioritize Business Continuity Requirements  62
    Develop and Document Scope and Plan  62
    Risk Assessment  70
    Business Impact Analysis  71
    Develop the Business Continuity Plan  73
  Contribute to and Enforce Personnel Security Policies and Procedures  80
    Key Control Principles  80
    Candidate Screening and Hiring  82
    Onboarding and Termination Processes  91
    Vendor, Consultant, and Contractor Agreements and Controls  96
    Privacy in the Workplace  97
  Understand and Apply Risk Management Concepts  99
    Risk  99
    Risk Management Frameworks  99
    Risk Assessment Methodologies  108
  Understand and Apply Threat Modeling Concepts and Methodologies  111
    Threat Modeling Concepts  111
    Threat Modeling Methodologies  112
  Apply Risk-Based Management Concepts to the Supply Chain  116
    Supply Chain Risks  116
    Supply Chain Risk Management  119
  Establish and Maintain a Security Awareness, Education, and Training Program  121
    Security Awareness Overview  122
    Developing an Awareness Program  123
    Training  127
  Summary  128

Domain 2: Asset Security  131
  Asset Security Concepts  131
    Data Policy  132
    Data Governance  132
    Data Quality  133
    Data Documentation  134
    Data Organization  136
  Identify and Classify Information and Assets  139
    Asset Classification  141
  Determine and Maintain Information and Asset Ownership  145
    Asset Management Lifecycle  146
    Software Asset Management  148
  Protect Privacy  152
    Cross-Border Privacy and Data Flow Protection  153
    Data Owners  161
    Data Controllers  162
    Data Processors  163
    Data Stewards  164
    Data Custodians  164
    Data Remanence  164
    Data Sovereignty  168
    Data Localization or Residency  169
    Government and Law Enforcement Access to Data  171
    Collection Limitation  172
    Understanding Data States  173
    Data Issues with Emerging Technologies  173
  Ensure Appropriate Asset Retention  175
    Retention of Records  178
    Determining Appropriate Records Retention  178
    Retention of Records in Data Lifecycle  179
    Records Retention Best Practices  180
  Determine Data Security Controls  181
    Technical, Administrative, and Physical Controls  183
    Establishing the Baseline Security  185
    Scoping and Tailoring  186
    Standards Selection  189
    Data Protection Methods  198
  Establish Information and Asset Handling Requirements  208
    Marking and Labeling  208
    Handling  209
    Declassifying Data  210
    Storage  211
  Summary  212

Domain 3: Security Architecture and Engineering  213
  Implement and Manage Engineering Processes Using Secure Design Principles  215
    Saltzer and Schroeder's Principles  216
    ISO/IEC 19249  221
    Defense in Depth  229
    Using Security Principles  230
  Understand the Fundamental Concepts of Security Models  230
    Bell-LaPadula Model  232
    The Biba Integrity Model  234
    The Clark-Wilson Model  235
    The Brewer-Nash Model  235
  Select Controls Based upon Systems Security Requirements  237
  Understand Security Capabilities of Information Systems  241
    Memory Protection  241
    Virtualization  244
    Secure Cryptoprocessor  247
  Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements  253
    Client-Based Systems  254
    Server-Based Systems  255
    Database Systems  257
    Cryptographic Systems  260
    Industrial Control Systems  267
    Cloud-Based Systems  271
    Distributed Systems  274
    Internet of Things  275
  Assess and Mitigate Vulnerabilities in Web-Based Systems  278
    Injection Vulnerabilities  279
    Broken Authentication  280
    Sensitive Data Exposure  283
    XML External Entities  284
    Broken Access Control  284
    Security Misconfiguration  285
    Cross-Site Scripting  285
    Using Components with Known Vulnerabilities  286
    Insufficient Logging and Monitoring  286
    Cross-Site Request Forgery  287
  Assess and Mitigate Vulnerabilities in Mobile Systems  287
    Passwords  288
    Multifactor Authentication  288
    Session Lifetime  289
    Wireless Vulnerabilities  290
    Mobile Malware  290
    Unpatched Operating System or Browser  290
    Insecure Devices  291
    Mobile Device Management  291
  Assess and Mitigate Vulnerabilities in Embedded Devices  292
  Apply Cryptography  295
    Cryptographic Lifecycle  295
    Cryptographic Methods  298
    Public Key Infrastructure  311
    Key Management Practices  315
    Digital Signatures  318
    Non-Repudiation  320
    Integrity  321
    Understand Methods of Cryptanalytic Attacks  325
    Digital Rights Management  339
  Apply Security Principles to Site and Facility Design  342
  Implement Site and Facility Security Controls  343
    Physical Access Controls  343
    Wiring Closets/Intermediate Distribution Facilities  345
    Server Rooms/Data Centers  346
    Media Storage Facilities  348
    Evidence Storage  349
    Restricted and Work Area Security  349
    Utilities and Heating, Ventilation, and Air Conditioning  351
    Environmental Issues  355
    Fire Prevention, Detection, and Suppression  358
  Summary  362

Domain 4: Communication and Network Security  363
  Implement Secure Design Principles in Network Architectures  364
    Open Systems Interconnection and Transmission Control Protocol/Internet Protocol Models  365
    Internet Protocol Networking  382
    Implications of Multilayer Protocols  392
    Converged Protocols  394
    Software-Defined Networks  395
    Wireless Networks  396
    Internet, Intranets, and Extranets  409
    Demilitarized Zones  410
    Virtual LANs  410
  Secure Network Components  411
    Firewalls  412
    Network Address Translation  418
    Intrusion Detection System  421
    Security Information and Event Management  422
    Network Security from Hardware Devices  423
    Transmission Media  429
    Endpoint Security  442
    Implementing Defense in Depth  447
    Content Distribution Networks  448
  Implement Secure Communication Channels According to Design  449
    Secure Voice Communications  449
    Multimedia Collaboration  452
    Remote Access  458
    Data Communications  466
    Virtualized Networks  470
  Summary  481

Domain 5: Identity and Access Management  483
  Control Physical and Logical Access to Assets  484
    Information  485
    Systems  486
    Devices  487
    Facilities  488
  Manage Identification and Authentication of People, Devices, and Services  492
    Identity Management Implementation  494
    Single Factor/Multifactor Authentication  496
    Accountability  511
    Session Management  511
    Registration and Proofing of Identity  513
    Federated Identity Management  520
    Credential Management Systems  524
  Integrate Identity as a Third-Party Service  525
    On-Premise  526
    Cloud  527
    Federated  527
  Implement and Manage Authorization Mechanisms  528
    Role-Based Access Control  528
    Rule-Based Access Control  529
    Mandatory Access Control  530
    Discretionary Access Control  531
    Attribute-Based Access Control  531
  Manage the Identity and Access Provisioning Lifecycle  533
    User Access Review  534
    System Account Access Review  535
    Provisioning and Deprovisioning  535
    Auditing and Enforcement  536
  Summary  537

Domain 6: Security Assessment and Testing  539
  Design and Validate Assessment, Test, and Audit Strategies  540
    Assessment Standards  543
  Conduct Security Control Testing  545
    Vulnerability Assessment  546
    Penetration Testing  554
    Log Reviews  564
    Synthetic Transactions  565
    Code Review and Testing  567
    Misuse Case Testing  571
    Test Coverage Analysis  573
    Interface Testing  574
  Collect Security Process Data  575
    Account Management  577
    Management Review and Approval  579
    Key Performance and Risk Indicators  580
    Backup Verification Data  583
    Training and Awareness  584
    Disaster Recovery and Business Continuity  585
  Analyze Test Output and Generate Report  587
  Conduct or Facilitate Security Audits  590
    Internal Audits  591
    External Audits  591
    Third-Party Audits  592
    Integrating Internal and Extern.