CISSP For Dummies
7th edition
By: Lawrence C. Miller, Peter H. Gregory
Paperback | 28 February 2022 | Edition Number 7
At a Glance
608 Pages
Dimensions (cm): 23.5 x 18.5 x 4
New Edition
Paperback
RRP $74.95
$45.35
39% OFF
Revised for the updated 2021 exam, CISSP For Dummies is packed with everything you need to succeed on test day. With deep content review on every domain, plenty of practice questions, and online study tools, this book helps aspiring security professionals unlock the door to success on this high-stakes exam. This book, written by CISSP experts, goes beyond the exam material and includes tips on setting up a 60-day study plan, exam-day advice, and access to an online test bank of questions.
Make your test day stress-free with CISSP For Dummies!
- Review every last detail you need to pass the CISSP certification exam
- Master all 8 test domains, from Security and Risk Management through Software Development Security
- Get familiar with the 2021 test outline
- Boost your performance with an online test bank, digital flash cards, and test-day tips
About the Authors
Lawrence Miller, CISSP, is a veteran systems administration and information security professional. He has served as a consultant for various multinational corporations and holds a wide array of networking certifications.
Peter Gregory, CISSP, is a security, risk, and technology director with experience in SaaS, retail, telecommunications, non-profit, legalized gaming, manufacturing, consulting, healthcare, and local government.
Introduction 1
About This Book 2
Foolish Assumptions 3
Icons Used in This Book 3
Beyond the Book 4
Where to Go from Here 5
Part 1: Getting Started with CISSP Certification 7
Chapter 1: (ISC)2 and the CISSP Certification 9
About (ISC)2 and the CISSP Certification 9
You Must Be This Tall to Ride This Ride (And Other Requirements) 10
Preparing for the Exam 12
Studying on your own 13
Getting hands-on experience 14
Getting official (ISC)2 CISSP training 14
Attending other training courses or study groups 15
Taking practice exams 15
Are you ready for the exam? 16
Registering for the Exam 16
About the CISSP Examination 17
After the Examination 20
Chapter 2: Putting Your Certification to Good Use 23
Networking with Other Security Professionals 24
Being an Active (ISC)2 Member 25
Considering (ISC)2 Volunteer Opportunities 26
Writing certification exam questions 27
Speaking at events 27
Helping at (ISC)2 conferences 27
Reading and contributing to (ISC)2 publications 27
Supporting the (ISC)2 Center for Cyber Safety and Education 28
Participating in bug-bounty programs 28
Participating in (ISC)2 focus groups 28
Joining the (ISC)2 community 28
Getting involved with a CISSP study group 28
Helping others learn more about data security 29
Becoming an Active Member of Your Local Security Chapter 30
Spreading the Good Word about CISSP Certification 31
Leading by example 32
Using Your CISSP Certification to Be an Agent of Change 32
Earning Other Certifications 33
Other (ISC)2 certifications 33
CISSP concentrations 34
Non-(ISC)2 certifications 34
Choosing the right certifications 38
Finding a mentor, being a mentor 39
Building your professional brand 39
Pursuing Security Excellence 40
Part 2: Certification Domains 43
Chapter 3: Security and Risk Management 45
Understand, Adhere to, and Promote Professional Ethics 45
(ISC)2 Code of Professional Ethics 46
Organizational code of ethics 47
Understand and Apply Security Concepts 49
Confidentiality 50
Integrity 51
Availability 51
Authenticity 52
Nonrepudiation 52
Evaluate and Apply Security Governance Principles 53
Alignment of security function to business strategy, goals, mission, and objectives 53
Organizational processes 54
Organizational roles and responsibilities 56
Security control frameworks 57
Due care and due diligence 60
Determine Compliance and Other Requirements 61
Contractual, legal, industry standards, and regulatory requirements 61
Privacy requirements 66
Understand Legal and Regulatory Issues That Pertain to Information Security 67
Cybercrimes and data breaches 67
Licensing and intellectual property requirements 82
Import/export controls 85
Transborder data flow 85
Privacy 86
Understand Requirements for Investigation Types 93
Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines 94
Policies 95
Standards (and baselines) 95
Procedures 96
Guidelines 96
Identify, Analyze, and Prioritize Business Continuity (BC) Requirements 96
Business impact analysis 99
Develop and document the scope and the plan 107
Contribute to and Enforce Personnel Security Policies and Procedures 120
Candidate screening and hiring 120
Employment agreements and policies 123
Onboarding, transfers, and termination processes 123
Vendor, consultant, and contractor agreements and controls 124
Compliance policy requirements 125
Privacy policy requirements 125
Understand and Apply Risk Management Concepts 125
Identify threats and vulnerabilities 126
Risk assessment/analysis 126
Risk appetite and risk tolerance 132
Risk treatment 133
Countermeasure selection and implementation 133
Applicable types of controls 135
Control assessments (security and privacy) 137
Monitoring and measurement 139
Reporting 140
Continuous improvement 141
Risk frameworks 141
Understand and Apply Threat Modeling Concepts and Methodologies 143
Identifying threats 143
Determining and diagramming potential attacks 144
Performing reduction analysis 145
Remediating threats 145
Apply Supply Chain Risk Management (SCRM) Concepts 146
Risks associated with hardware, software, and services 147
Third-party assessment and monitoring 147
Fourth-party risk 147
Minimum security requirements 147
Service-level agreement requirements 147
Establish and Maintain a Security Awareness, Education, and Training Program 148
Methods and techniques to present awareness and training 148
Periodic content reviews 151
Program effectiveness evaluation 151
Chapter 4: Asset Security 153
Identify and Classify Information and Assets 153
Data classification 157
Asset classification 161
Establish Information and Asset Handling Requirements 162
Provision Resources Securely 164
Information and asset ownership 164
Asset inventory 165
Asset management 166
Manage Data Life Cycle 167
Data roles 168
Data collection 168
Data location 169
Data maintenance 169
Data retention 169
Data remanence 170
Data destruction 171
Ensure Appropriate Asset Retention 171
End of life 171
End of support 172
Determine Data Security Controls and Compliance Requirements 172
Data states 173
Scoping and tailoring 174
Standards selection 175
Data protection methods 176
Chapter 5: Security Architecture and Engineering 179
Research, Implement, and Manage Engineering Processes Using Secure Design Principles 180
Threat modeling 182
Least privilege (and need to know) 186
Defense in depth 187
Secure defaults 188
Fail securely 188
Separation of duties 189
Keep it simple 189
Zero trust 189
Privacy by design 191
Trust but verify 192
Shared responsibility 194
Understand the Fundamental Concepts of Security Models 196
Select Controls Based Upon Systems Security Requirements 199
Evaluation criteria 200
System certification and accreditation 205
Understand Security Capabilities of Information Systems 208
Trusted Computing Base 208
Trusted Platform Module 209
Secure modes of operation 209
Open and closed systems 210
Memory protection 210
Encryption and decryption 210
Protection rings 211
Security modes 211
Recovery procedures 212
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 213
Client-based systems 214
Server-based systems 215
Database systems 215
Cryptographic systems 216
Industrial control systems 217
Cloud-based systems 218
Distributed systems 220
Internet of Things 221
Microservices 221
Containerization 222
Serverless 223
Embedded systems 224
High-performance computing systems 225
Edge computing systems 225
Virtualized systems 226
Web-based systems 226
Mobile systems 228
Select and Determine Cryptographic Solutions 228
Plaintext and ciphertext 230
Encryption and decryption 230
End-to-end encryption 230
Link encryption 231
Putting it all together: The cryptosystem 232
Classes of ciphers 233
Types of ciphers 234
Cryptographic life cycle 237
Cryptographic methods 238
Public key infrastructure 248
Key management practices 248
Digital signatures and digital certificates 250
Nonrepudiation 250
Integrity (hashing) 251
Understand Methods of Cryptanalytic Attacks 253
Brute force 254
Ciphertext only 254
Known plaintext 255
Frequency analysis 255
Chosen ciphertext 255
Implementation attacks 255
Side channel 255
Fault injection 256
Timing 256
Man in the middle 256
Pass the hash 257
Kerberos exploitation 257
Ransomware 257
Apply Security Principles to Site and Facility Design 259
Design Site and Facility Security Controls 261
Wiring closets, server rooms, and more 264
Restricted and work area security 265
Utilities and heating, ventilation, and air conditioning 266
Environmental issues 267
Fire prevention, detection, and suppression 268
Power 272
Chapter 6: Communication and Network Security 275
Assess and Implement Secure Design Principles in Network Architectures 275
OSI and TCP/IP models 277
The OSI Reference Model 278
The TCP/IP Model 315
Secure Network Components 316
Operation of hardware 316
Transmission media 317
Network access control devices 318
Endpoint security 328
Implement Secure Communication Channels According to Design 331
Voice 331
Multimedia collaboration 332
Remote access 332
Data communications 336
Virtualized networks 336
Third-party connectivity 338
Chapter 7: Identity and Access Management 339
Control Physical and Logical Access to Assets 340
Information 340
Systems and devices 340
Facilities 342
Applications 342
Manage Identification and Authentication of People, Devices, and Services 343
Identity management implementation 343
Single-/multifactor authentication 343
Accountability 358
Session management 359
Registration, proofing, and establishment of identity 360
Federated identity management 361
Credential management systems 361
Single sign-on 362
Just-in-Time 363
Federated Identity with a Third-Party Service 363
On-premises 365
Cloud 365
Hybrid 365
Implement and Manage Authorization Mechanisms 365
Role-based access control 366
Rule-based access control 367
Mandatory access control 367
Discretionary access control 368
Attribute-based access control 369
Risk-based access control 370
Manage the Identity and Access Provisioning Life Cycle 370
Implement Authentication Systems 372
OpenID Connect/Open Authorization 372
Security Assertion Markup Language 372
Kerberos 373
RADIUS and TACACS+ 376
Chapter 8: Security Assessment and Testing 379
Design and Validate Assessment, Test, and Audit Strategies 379
Conduct Security Control Testing 381
Vulnerability assessment 381
Penetration testing 383
Log reviews 388
Synthetic transactions 389
Code review and testing 390
Misuse case testing 391
Test coverage analysis 392
Interface testing 392
Breach attack simulations 393
Compliance checks 393
Collect Security Process Data 393
Account management 395
Management review and approval 395
Key performance and risk indicators 396
Backup verification data 397
Training and awareness 399
Disaster recovery and business continuity 400
Analyze Test Output and Generate Reports 400
Remediation 401
Exception handling 402
Ethical disclosure 403
Conduct or Facilitate Security Audits 404
Chapter 9: Security Operations 407
Understand and Comply with Investigations 408
Evidence collection and handling 408
Reporting and documentation 415
Investigative techniques 416
Digital forensics tools, tactics, and procedures 418
Artifacts 419
Conduct Logging and Monitoring Activities 419
Intrusion detection and prevention 419
Security information and event management 421
Security orchestration, automation, and response 421
Continuous monitoring 422
Egress monitoring 422
Log management 423
Threat intelligence 423
User and entity behavior analysis 424
Perform Configuration Management 424
Apply Foundational Security Operations Concepts 426
Need-to-know and least privilege 427
Separation of duties and responsibilities 428
Privileged account management 429
Job rotation 431
Service-level agreements 433
Apply Resource Protection 436
Media management 436
Media protection techniques 438
Conduct Incident Management 438
Operate and Maintain Detective and Preventative Measures 440
Implement and Support Patch and Vulnerability Management 442
Understand and Participate in Change Management Processes 443
Implement Recovery Strategies 444
Backup storage strategies 444
Recovery site strategies 445
Multiple processing sites 445
System resilience, high availability, quality of service, and fault tolerance 445
Implement Disaster Recovery Processes 448
Response 451
Personnel 453
Communications 454
Assessment 455
Restoration 455
Training and awareness 456
Lessons learned 456
Test Disaster Recovery Plans 456
Read-through or tabletop 457
Walkthrough 457
Simulation 458
Parallel 459
Full interruption (or cutover) 459
Participate in Business Continuity Planning and Exercises 460
Implement and Manage Physical Security 460
Address Personnel Safety and Security Concerns 461
Chapter 10: Software Development Security 463
Understand and Integrate Security in the Software Development Life Cycle 464
Development methodologies 464
Maturity models 473
Operation and maintenance 474
Change management 475
Integrated product team 476
Identify and Apply Security Controls in Software Development Ecosystems 476
Programming languages 477
Libraries 478
Tool sets 478
Integrated development environment 480
Runtime 480
Continuous integration/continuous delivery 481
Security orchestration, automation, and response 481
Software configuration management 482
Code repositories 483
Application security testing 484
Assess the Effectiveness of Software Security 486
Auditing and logging of changes 486
Risk analysis and mitigation 487
Assess Security Impact of Acquired Software 489
Define and Apply Secure Coding Guidelines and Standards 490
Security weaknesses and vulnerabilities at the source-code level 491
Security of application programming interfaces 492
Secure coding practices 493
Software-defined security 495
Part 3: The Part of Tens 497
Chapter 11: Ten Ways to Prepare for the Exam 499
Know Your Learning Style 499
Get a Networking Certification First 500
Register Now 500
Make a 60-Day Study Plan 500
Get Organized and Read 501
Join a Study Group 501
Take Practice Exams 502
Take a CISSP Training Seminar 502
Adopt an Exam-Taking Strategy 502
Take a Breather 503
Chapter 12: Ten Test-Day Tips 505
Get a Good Night’s Rest 505
Dress Comfortably 506
Eat a Good Meal 506
Arrive Early 506
Bring Approved Identification 506
Bring Snacks and Drinks 507
Bring Prescription and Over-the-Counter Medications 507
Leave Your Mobile Devices Behind 507
Take Frequent Breaks 507
Guess — As a Last Resort 508
Glossary 509
Index 565
ISBN: 9781119806820
ISBN-10: 1119806828
Series: For Dummies (Computer/Tech)
Published: 28th February 2022
Format: Paperback
Language: English
Number of Pages: 608
Audience: General Adult
Publisher: John Wiley & Sons Inc (US)
Country of Publication: US
Edition Number: 7
Dimensions (cm): 23.5 x 18.5 x 4
Weight (kg): 1.12
Shipping
| | Standard Shipping | Express Shipping |
|---|---|---|
| Metro postcodes | $9.99 | $14.95 |
| Regional postcodes | $9.99 | $14.95 |
| Rural postcodes | $9.99 | $14.95 |