Out of stock

The Official (ISC)² Guide to the CISSP CBK Reference

English · Hardcover

Description

The only official, comprehensive reference guide to the CISSP.

All new for 2019 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)² for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)², the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.

This CBK covers the new eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Written by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:

- Common and good practices for each objective
- Common vocabulary and definitions
- References to widely accepted computing standards
- Highlights of successful approaches through case studies

Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.

Table of contents

Foreword  xxv
Introduction  xxvii

Domain 1: Security and Risk Management  1
  Understand and Apply Concepts of Confidentiality, Integrity, and Availability  2
  Information Security  3
  Evaluate and Apply Security Governance Principles  6
  Alignment of Security Functions to Business Strategy, Goals, Mission, and Objectives  6
  Vision, Mission, and Strategy  6
  Governance  7
  Due Care  10
  Determine Compliance Requirements  11
  Legal Compliance  12
  Jurisdiction  12
  Legal Tradition  12
  Legal Compliance Expectations  13
  Understand Legal and Regulatory Issues That Pertain to Information Security in a Global Context  13
  Cyber Crimes and Data Breaches  14
  Privacy  36
  Understand, Adhere to, and Promote Professional Ethics  49
  Ethical Decision-Making  49
  Established Standards of Ethical Conduct  51
  (ISC)² Ethical Practices  56
  Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines  57
  Organizational Documents  58
  Policy Development  61
  Policy Review Process  61
  Identify, Analyze, and Prioritize Business Continuity Requirements  62
  Develop and Document Scope and Plan  62
  Risk Assessment  70
  Business Impact Analysis  71
  Develop the Business Continuity Plan  73
  Contribute to and Enforce Personnel Security Policies and Procedures  80
  Key Control Principles  80
  Candidate Screening and Hiring  82
  Onboarding and Termination Processes  91
  Vendor, Consultant, and Contractor Agreements and Controls  96
  Privacy in the Workplace  97
  Understand and Apply Risk Management Concepts  99
  Risk  99
  Risk Management Frameworks  99
  Risk Assessment Methodologies  108
  Understand and Apply Threat Modeling Concepts and Methodologies  111
  Threat Modeling Concepts  111
  Threat Modeling Methodologies  112
  Apply Risk-Based Management Concepts to the Supply Chain  116
  Supply Chain Risks  116
  Supply Chain Risk Management  119
  Establish and Maintain a Security Awareness, Education, and Training Program  121
  Security Awareness Overview  122
  Developing an Awareness Program  123
  Training  127
  Summary  128

Domain 2: Asset Security  131
  Asset Security Concepts  131
  Data Policy  132
  Data Governance  132
  Data Quality  133
  Data Documentation  134
  Data Organization  136
  Identify and Classify Information and Assets  139
  Asset Classification  141
  Determine and Maintain Information and Asset Ownership  145
  Asset Management Lifecycle  146
  Software Asset Management  148
  Protect Privacy  152
  Cross-Border Privacy and Data Flow Protection  153
  Data Owners  161
  Data Controllers  162
  Data Processors  163
  Data Stewards  164
  Data Custodians  164
  Data Remanence  164
  Data Sovereignty  168
  Data Localization or Residency  169
  Government and Law Enforcement Access to Data  171
  Collection Limitation  172
  Understanding Data States  173
  Data Issues with Emerging Technologies  173
  Ensure Appropriate Asset Retention  175
  Retention of Records  178
  Determining Appropriate Records Retention  178
  Retention of Records in Data Lifecycle  179
  Records Retention Best Practices  180
  Determine Data Security Controls  181
  Technical, Administrative, and Physical Controls  183
  Establishing the Baseline Security  185
  Scoping and Tailoring  186
  Standards Selection  189
  Data Protection Methods  198
  Establish Information and Asset Handling Requirements  208
  Marking and Labeling  208
  Handling  209
  Declassifying Data  210
  Storage  211
  Summary  212

Domain 3: Security Architecture and Engineering  213
  Implement and Manage Engineering Processes Using Secure Design Principles  215
  Saltzer and Schroeder's Principles  216
  ISO/IEC 19249  221
  Defense in Depth  229
  Using Security Principles  230
  Understand the Fundamental Concepts of Security Models  230
  Bell-LaPadula Model  232
  The Biba Integrity Model  234
  The Clark-Wilson Model  235
  The Brewer-Nash Model  235
  Select Controls Based upon Systems Security Requirements  237
  Understand Security Capabilities of Information Systems  241
  Memory Protection  241
  Virtualization  244
  Secure Cryptoprocessor  247
  Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements  253
  Client-Based Systems  254
  Server-Based Systems  255
  Database Systems  257
  Cryptographic Systems  260
  Industrial Control Systems  267
  Cloud-Based Systems  271
  Distributed Systems  274
  Internet of Things  275
  Assess and Mitigate Vulnerabilities in Web-Based Systems  278
  Injection Vulnerabilities  279
  Broken Authentication  280
  Sensitive Data Exposure  283
  XML External Entities  284
  Broken Access Control  284
  Security Misconfiguration  285
  Cross-Site Scripting  285
  Using Components with Known Vulnerabilities  286
  Insufficient Logging and Monitoring  286
  Cross-Site Request Forgery  287
  Assess and Mitigate Vulnerabilities in Mobile Systems  287
  Passwords  288
  Multifactor Authentication  288
  Session Lifetime  289
  Wireless Vulnerabilities  290
  Mobile Malware  290
  Unpatched Operating System or Browser  290
  Insecure Devices  291
  Mobile Device Management  291
  Assess and Mitigate Vulnerabilities in Embedded Devices  292
  Apply Cryptography  295
  Cryptographic Lifecycle  295
  Cryptographic Methods  298
  Public Key Infrastructure  311
  Key Management Practices  315
  Digital Signatures  318
  Non-Repudiation  320
  Integrity  321
  Understand Methods of Cryptanalytic Attacks  325
  Digital Rights Management  339
  Apply Security Principles to Site and Facility Design  342
  Implement Site and Facility Security Controls  343
  Physical Access Controls  343
  Wiring Closets/Intermediate Distribution Facilities  345
  Server Rooms/Data Centers  346
  Media Storage Facilities  348
  Evidence Storage  349
  Restricted and Work Area Security  349
  Utilities and Heating, Ventilation, and Air Conditioning  351
  Environmental Issues  355
  Fire Prevention, Detection, and Suppression  358
  Summary  362

Domain 4: Communication and Network Security  363
  Implement Secure Design Principles in Network Architectures  364
  Open Systems Interconnection and Transmission Control Protocol/Internet Protocol Models  365
  Internet Protocol Networking  382
  Implications of Multilayer Protocols  392
  Converged Protocols  394
  Software-Defined Networks  395
  Wireless Networks  396
  Internet, Intranets, and Extranets  409
  Demilitarized Zones  410
  Virtual LANs  410
  Secure Network Components  411
  Firewalls  412
  Network Address Translation  418
  Intrusion Detection System  421
  Security Information and Event Management  422
  Network Security from Hardware Devices  423
  Transmission Media  429
  Endpoint Security  442
  Implementing Defense in Depth  447
  Content Distribution Networks  448
  Implement Secure Communication Channels According to Design  449
  Secure Voice Communications  449
  Multimedia Collaboration  452
  Remote Access  458
  Data Communications  466
  Virtualized Networks  470
  Summary  481

Domain 5: Identity and Access Management  483
  Control Physical and Logical Access to Assets  484
  Information  485
  Systems  486
  Devices  487
  Facilities  488
  Manage Identification and Authentication of People, Devices, and Services  492
  Identity Management Implementation  494
  Single Factor/Multifactor Authentication  496
  Accountability  511
  Session Management  511
  Registration and Proofing of Identity  513
  Federated Identity Management  520
  Credential Management Systems  524
  Integrate Identity as a Third-Party Service  525
  On-Premise  526
  Cloud  527
  Federated  527
  Implement and Manage Authorization Mechanisms  528
  Role-Based Access Control  528
  Rule-Based Access Control  529
  Mandatory Access Control  530
  Discretionary Access Control  531
  Attribute-Based Access Control  531
  Manage the Identity and Access Provisioning Lifecycle  533
  User Access Review  534
  System Account Access Review  535
  Provisioning and Deprovisioning  535
  Auditing and Enforcement  536
  Summary  537

Domain 6: Security Assessment and Testing  539
  Design and Validate Assessment, Test, and Audit Strategies  540
  Assessment Standards  543
  Conduct Security Control Testing  545
  Vulnerability Assessment  546
  Penetration Testing  554
  Log Reviews  564
  Synthetic Transactions  565
  Code Review and Testing  567
  Misuse Case Testing  571
  Test Coverage Analysis  573
  Interface Testing  574
  Collect Security Process Data  575
  Account Management  577
  Management Review and Approval  579
  Key Performance and Risk Indicators  580
  Backup Verification Data  583
  Training and Awareness  584
  Disaster Recovery and Business Continuity  585
  Analyze Test Output and Generate Report  587
  Conduct or Facilitate Security Audits  590
  Internal Audits  591
  External Audits  591
  Third-Party Audits  592
  Integrating Internal and External Audits  593
  Auditing Principles  593
  Audit Programs  594
  Summary  596

Domain 7: Security Operations  597
  Understand and Support Investigations  598
  Evidence Collection and Handling  599
  Reporting and Documentation  601
  Investigative Techniques  602
  Digital Forensics Tools, Techniques, and Procedures  604
  Understand Requirements for Investigation Types  610
  Administrative  611
  Criminal  613
  Civil  614
  Regulatory  616
  Industry Standards  616
  Conduct Logging and Monitoring Activities  617
  Define Auditable Events  618
  Time  619
  Protect Logs  620
  Intrusion Detection and Prevention  621
  Security Information and Event Management  623
  Continuous Monitoring  625
  Ingress Monitoring  629
  Egress Monitoring  631
  Securely Provision Resources  632
  Asset Inventory  632
  Asset Management  634
  Configuration Management  635
  Understand and Apply Foundational Security Operations Concepts  637
  Need to Know/Least Privilege  637
  Separation of Duties and Responsibilities  638
  Privileged Account Management  640
  Job Rotation  642
  Information Lifecycle  643
  Service Level Agreements  644
  Apply Resource Protection Techniques to Media  647
  Marking  647
  Protecting  647
  Transport  648
  Sanitization and Disposal  649
  Conduct Incident Management  650
  An Incident Management Program  651
  Detection  653
  Response  656
  Mitigation  657
  Reporting  658
  Recovery  661
  Remediation  661
  Lessons Learned  661
  Third-Party Considerations  662
  Operate and Maintain Detective and Preventative Measures  663
  White-listing/Black-listing  665
  Third-Party Security Services  665
  Honeypots/Honeynets  667
  Anti-Malware  667
  Implement and Support Patch and Vulnerability Management  670
  Understand and Participate in Change Management Processes  672
  Implement Recovery Strategies  673
  Backup Storage Strategies  673
  Recovery Site Strategies  676
  Multiple Processing Sites  678
  System Resilience, High Availability, Quality of Service, and Fault Tolerance  679
  Implement Disaster Recovery Processes  679
  Response  680
  Personnel  680
  Communications  682
  Assessment  682
  Restoration  683
  Training and Awareness  684
  Test Disaster Recovery Plans  685
  Read-Through/Tabletop  686
  Walk-Through  687
  Simulation  687
  Parallel  687
  Full Interruption  688
  Participate in Business Continuity Planning and Exercises  688
  Implement and Manage Physical Security  689
  Physical Access Control  689
  The Data Center  692
  Address Personnel Safety and Security Concerns  693
  Travel  693
  Duress  693
  Summary  694

Domain 8: Software Development Security  695
  Understand and Integrate Security in the Software Development Lifecycle  696
  Development Methodologies  696
  Maturity Models  753
  Operations and Maintenance  768
  Change Management  770
  Integrated Product Team  773
  Identify and Apply Security Controls in Development Environments  776
  Security of the Software Environment  777
  Configuration Management as an Aspect of Secure Coding  796
  Security of Code Repositories  798
  Assess the Effectiveness of Software Security  802
  Logging and Auditing of Changes  802
  Risk Analysis and Mitigation  817
  Assess the Security Impact of Acquired Software  835
  Acquired Software Types  835
  Software Acquisition Process  842
  Relevant Standards  845
  Software Assurance  848
  Certification and Accreditation  852
  Define and Apply Secure Coding Standards and Guidelines  853
  Security Weaknesses and Vulnerabilities at the Source-Code Level  854
  Security of Application Programming Interfaces  859
  Secure Coding Practices  868
  Summary  874

Index  875

About the author

This common body of knowledge is written and reviewed by a collection of experienced CISSP experts from a range of information security roles and organizations.

