ebook img

² Guide to the CISSP CBK PDF

1667 Pages·2015·30.92 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview ² Guide to the CISSP CBK

Foreword Introduction Editors Preface Domain 1 — Security & Risk Management Confidentiality, Integrity, and Availability Confidentiality Integrity Availability Security Governance Goals, Mission, and Objectives of the Organization Organizational Processes Security Roles and Responsibilities Information Security Strategies The Complete and Effective Security Program Oversight Committee Representation Control Frameworks Due Care Due Diligence Compliance Governance, Risk Management, and Compliance (GRC) Legislative and Regulatory Compliance Privacy Requirements Compliance Global Legal and Regulatory Issues Computer/Cyber Crime Licensing and Intellectual Property Import/Export Trans-Border Data Flow Privacy Data Breaches Relevant Laws and Regulations Understand Professional Ethics Regulatory Requirements for Ethics Programs Topics in Computer Ethics Common Computer Ethics Fallacies Hacking and Hacktivism Ethics Codes of Conduct and Resources (ISC)2 Code of Professional Ethics Support Organization’s Code of Ethics Develop and Implement Security Policy Business Continuity (BC) & Disaster Recovery (DR) Requirements Project Initiation and Management Develop and Document Project Scope and Plan Conducting the Business Impact Analysis (BIA) Identify and Prioritize Assess Exposure to Outages Recovery Point Objectives (RPO) Manage Personnel Security Employment Candidate Screening Employment Agreements and Policies Employee Termination Processes Vendor, Consultant, and Contractor Controls Privacy Risk Management Concepts Organizational Risk Management Concepts Risk Assessment Methodologies Identify Threats and Vulnerabilities Risk Assessment/Analysis Countermeasure Selection Implementation of Risk Countermeasures Types of Controls Access Control Types Controls Assessment/Monitoring and Measuring Tangible and Intangible Asset Valuation Continuous Improvement Risk Management Frameworks Threat Modeling Determining Potential Attacks and Reduction Analysis Technologies & Processes to Remediate Threats Acquisitions Strategy and Practice Hardware, Software, and Services Manage Third-Party Governance Minimum Security and Service-Level Requirements Security Education, Training, and Awareness Formal Security Awareness Training Awareness Activities and Methods – Creating the Culture of Awareness in the Organization Domain 2 — Asset Security Data Management: Determine and Maintain Ownership Data Policy Roles and Responsibilities Data Ownership Data Custodianship Data Quality Data Documentation and Organization Data Standards Data Lifecycle Control Data Specification and Modeling Database Maintenance Data Audit Data Storage and Archiving Longevity and Use Data Security Data Access, Sharing, and Dissemination Data Publishing Classify Information and Supporting Assets Asset Management Software Licensing Equipment Lifecycle Protect Privacy Ensure Appropriate Retention Media, Hardware, and Personnel Company “X” Data Retention Policy Determine Data Security Controls Data at Rest Data in Transit Baselines Scoping and Tailoring Standards Selection United States Resources International Resources National Cyber Security Framework Manual Framework for Improving Critical Infrastructure Cybersecurity Domain 3 — Security Engineering The Engineering Lifecycle Using Security Design Principles Fundamental Concepts of Security Models Common System Components How They Work Together Enterprise Security Architecture Common Architecture Frameworks Zachman Framework Capturing and Analyzing Requirements Creating and Documenting Security Architecture Information Systems Security Evaluation Models Common Formal Security Models Product Evaluation Models Industry and International Security Implementation Guidelines Security Capabilities of Information Systems Access Control Mechanisms Secure Memory Management Vulnerabilities of Security Architectures Systems Technology and Process Integration Single Point of Failure (SPOF) Client-Based Vulnerabilities Server-Based Vulnerabilities Database Security Large Scale Parallel Data Systems Distributed Systems Cryptographic Systems Software and System Vulnerabilities and Threats Web-Based Vulnerabilities in Mobile Systems Risks from Remote Computing Risks from Mobile Workers Vulnerabilities in Embedded Devices and Cyber-Physical Systems The Application and Use of Cryptography The History of Cryptography Emerging Technology Core Information Security Principles Additional Features of Cryptographic Systems The Cryptographic Lifecycle Public Key Infrastructure (PKI) Key Management Processes Creation and Distribution of Keys Digital Signatures Digital Rights Management (DRM) Non-Repudiation Hashing Simple Hash Functions Methods of Cryptanalytic Attacks Site and Facility Design Considerations The Security Survey Site Planning Roadway Design Crime Prevention through Environmental Design (CPTED) Windows Design and Implement Facility Security Implementation and Operation of Facilities Security Communications and Server Rooms Restricted and Work Area Security Data Center Security Domain 4 — Communications & Network Security Secure Network Architecture and Design OSI and TCP/IP IP Networking Directory Services Implications of Multi-Layer Protocols Converged Protocols Implementation Voice over Internet Protocol (VoIP) Wireless Wireless Security Issues Open System Authentication Cryptography Used to Maintain Communications Security Securing Network Components Hardware Transmission Media Network Access Control Devices End Point Security Content Distribution Networks Secure Communication Channels Voice Multimedia Collaboration Open Protocols, Applications, and Services Remote Access Data Communications Virtualized Networks Network Attacks The Network as an Enabler or Channel of Attack The Network as a Bastion of Defense Network Security Objectives and Attack Modes Scanning Techniques Security Event Management (SEM) IP Fragmentation Attacks and Crafted Packets Denial-of-Service (DoS) / Distributed-Denial-of Service (DDoS) Attacks Spoofing Session Highjack Domain 5 — Identity & Access Management Physical and Logical Access to Assets Identification and Authentication of People and Devices Identification, Authentication, and Authorization Identity Management Implementation Password Management Account Management Profile Management Directory Management Directory Technologies Single/Multi-Factor Authentication Accountability Session Management Registration and Proof of Identity Credential Management Systems Identity as a Service (IDaaS) Integrate Third-Party Identity Services Implement and Manage Authorization Mechanisms Role-Based Access Control Rule-Based Access Control Mandatory Access Controls (MACs) Discretionary Access Controls (DACs) Prevent or Mitigate Access Control Attacks Windows PowerShell Equivalent Commands Identity and Access Provisioning Lifecycle Provisioning Review Revocation Domain 6 — Security Assessment & Testing Assessment and Test Strategies Software Development as Part of System Design Log Reviews Synthetic Transactions Code Review and Testing Negative Testing/Misuse Case Testing Interface Testing Collect Security Process Data Internal and Third-Party Audits SOC Reporting Options Domain 7 — Security Operations Investigations The Crime Scene Policy, Roles, and Responsibilities Incident Handling and Response Recovery Phase Evidence Collection and Handling Reporting and Documenting Evidence Collection and Processing Continuous and Egress Monitoring Data Leak/Loss Prevention (DLP) Provisioning of Resources through Configuration Management Foundational Security Operations Concepts Key Themes Controlling Privileged Accounts Managing Accounts Using Groups and Roles Separation of Duties and Responsibilities Monitor Special Privileges Job Rotation Manage the Information Lifecycle Service Level Agreements (SLAs) Resource Protection Tangible versus Intangible Assets Hardware Media Management Incident Response Incident Management Security Measurements, Metrics, and Reporting Managing Security Technologies Detection Response Reporting Recovery Remediation and Review (Lessons Learned) Preventative Measures against Attacks Unauthorized Disclosure Network Intrusion Detection System Architecture Whitelisting, Blacklisting, and Greylisting… Oh My! Third-party Security Services, Sandboxing, Anti-malware, Honeypots and Honeynets Patch and Vulnerability Management Security and Patch Information Sources Change and Configuration Management Configuration Management Recovery Site Strategies Multiple Processing Sites System Resilience and Fault Tolerance Requirements The Disaster Recovery Process Documenting the Plan Response Personnel Communications Employee Notification Assessment Restoration Provide Training Exercise, Assess, and Maintain the Plan Test Plan Review Tabletop Exercise/Structured Walk-Through Test Walk-Through Drill/Simulation Test Functional Drill/Parallel Test Full-Interruption/Full-Scale Test Update and Maintenance of the Plan Business Continuity and Other Risk Areas Implementation and Operation of Perimeter Security Access Control Card Types Closed Circuit TV Internal Security Interior Intrusion Detection Systems Building and Inside Security Doors Personnel Safety Privacy Travel Duress Domain 8 — Security in the Software Development Life Cycle Software Development Security Outline Development Life Cycle Maturity Models Operation and Maintenance Change Management Integrated Product Team (e.g., DevOps) Environment and Security Controls Software Development Methods The Database and Data Warehousing Environment Database Vulnerabilities and Threats DBMS Controls Knowledge Management Web Application Environment Security of the Software Environment Applications Development and Programming Concepts The Software Environment Libraries & Toolsets Security Issues in Source Code Malicious Software (Malware) Malware Protection Software Protection Mechanisms Security Kernels, Reference Monitors, and the TCB Configuration Management Security of Code Repositories Security of Application Programming Interfaces (API) Assess the Effectiveness of Software Security Certification and Accreditation Auditing and Logging of Changes Risk Analysis and Mitigation

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.