(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide
eBook - ePub

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Mike Chapple, James Michael Stewart, Darril Gibson

Buch teilen
  1. English
  2. ePUB (handyfreundlich)
  3. Über iOS und Android verfügbar
eBook - ePub

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Mike Chapple, James Michael Stewart, Darril Gibson

Angaben zum Buch
Buchvorschau
Inhaltsverzeichnis
Quellenangaben

Über dieses Buch

The only Official CISSP Study Guide - fully updated for the 2021 CISSP Body of Knowledge

(ISC)2 Certified Information Systems Security Professional (CISSP) Official Study Guide, 9th Edition has been completely updated based on the latest 2021 CISSP Exam Outline. This bestselling Sybex Study Guide covers 100% of the exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, knowledge from our real-world experience, advice on mastering this adaptive exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.

The three co-authors of this book bring decades of experience as cybersecurity practitioners and educators, integrating real-world expertise with the practical knowledge you'll need to successfully pass the CISSP exam. Combined, they've taught cybersecurity concepts to millions of students through their books, video courses, and live training programs.

Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:

  • Over 900 new and improved practice test questions with complete answer explanations. This includes all of the questions from the book plus four additional online-only practice exams, each with 125 unique questions. You can use the online-only practice exams as full exam simulations. Our questions will help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
  • More than 700 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
  • A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam
  • New for the 9th edition: Audio Review. Author Mike Chapple reads the Exam Essentials for each chapter providing you with 2 hours and 50 minutes of new audio review for yet another way to reinforce your knowledge as you prepare.

All of the online features aresupported by Wiley's support agents who are available 24x7 via email or live chat to assist with access and login questions.

Coverage of all of the exam topics in the book means you'll be ready for:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Häufig gestellte Fragen

Wie kann ich mein Abo kündigen?
Gehe einfach zum Kontobereich in den Einstellungen und klicke auf „Abo kündigen“ – ganz einfach. Nachdem du gekündigt hast, bleibt deine Mitgliedschaft für den verbleibenden Abozeitraum, den du bereits bezahlt hast, aktiv. Mehr Informationen hier.
(Wie) Kann ich Bücher herunterladen?
Derzeit stehen all unsere auf Mobilgeräte reagierenden ePub-Bücher zum Download über die App zur Verfügung. Die meisten unserer PDFs stehen ebenfalls zum Download bereit; wir arbeiten daran, auch die übrigen PDFs zum Download anzubieten, bei denen dies aktuell noch nicht möglich ist. Weitere Informationen hier.
Welcher Unterschied besteht bei den Preisen zwischen den Aboplänen?
Mit beiden Aboplänen erhältst du vollen Zugang zur Bibliothek und allen Funktionen von Perlego. Die einzigen Unterschiede bestehen im Preis und dem Abozeitraum: Mit dem Jahresabo sparst du auf 12 Monate gerechnet im Vergleich zum Monatsabo rund 30 %.
Was ist Perlego?
Wir sind ein Online-Abodienst für Lehrbücher, bei dem du für weniger als den Preis eines einzelnen Buches pro Monat Zugang zu einer ganzen Online-Bibliothek erhältst. Mit über 1 Million Büchern zu über 1.000 verschiedenen Themen haben wir bestimmt alles, was du brauchst! Weitere Informationen hier.
Unterstützt Perlego Text-zu-Sprache?
Achte auf das Symbol zum Vorlesen in deinem nächsten Buch, um zu sehen, ob du es dir auch anhören kannst. Bei diesem Tool wird dir Text laut vorgelesen, wobei der Text beim Vorlesen auch grafisch hervorgehoben wird. Du kannst das Vorlesen jederzeit anhalten, beschleunigen und verlangsamen. Weitere Informationen hier.
Ist (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide als Online-PDF/ePub verfügbar?
Ja, du hast Zugang zu (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide von Mike Chapple, James Michael Stewart, Darril Gibson im PDF- und/oder ePub-Format sowie zu anderen beliebten Büchern aus Informatique & Guides de certification en informatique. Aus unserem Katalog stehen dir über 1 Million Bücher zur Verfügung.

Information

Verlag
Sybex
Jahr
2021
ISBN
9781119786245
Auflage
9
Thema
Informatique
Thema
Guides de certification en informatique

Chapter 1
Security Governance Through Principles and Policies

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
  • Domain 1.0: Security and Risk Management
    • 1.2 Understand and apply security concepts
      • 1.2.1 Confidentiality, integrity, and availability, authenticity and nonrepudiation
    • 1.3 Evaluate and apply security governance principles
      • 1.3.1 Alignment of security function to business strategy, goals, mission, and objectives
      • 1.3.2 Organizational processes (e.g., acquisitions, divestitures, governance committees)
      • 1.3.3 Organizational roles and responsibilities
      • 1.3.4 Security control frameworks
      • 1.3.5 Due care/due diligence
    • 1.7 Develop, document, and implement security policy, standards, procedures, and guidelines
    • 1.11 Understand and apply threat modeling concepts and methodologies
    • 1.12 Apply Supply Chain Risk Management (SCRM) concepts
      • 1.12.1 Risks associated with hardware, software, and services
      • 1.12.2 Third-party assessment and monitoring
      • 1.12.3 Minimum security requirements
      • 1.12.4 Service level requirements
  • Domain 3: Security Architecture and Engineering
    • 3.1 Research, implement and manage engineering processes using secure design principles
      • 3.1.1 Threat modeling
      • 3.1.3 Defense in depth
image
The Security and Risk Management domain of the CISSP certification exam encompasses many of the foundational elements of security solutions. Additional elements of this domain are discussed in various chapters: Chapter 2, “Personnel Security and Risk Management Concepts”; Chapter 3, “Business Continuity Planning”; Chapter 4, “Laws, Regulations, and Compliance”; and Chapter 19, “Investigations and Ethics.” Please be sure to review all these chapters to have a complete perspective on the topics of this domain.

Security 101

We often hear how important security is, but we don't always understand why. Security is important because it helps to ensure that an organization is able to continue to exist and operate in spite of any attempts to steal its data or compromise its physical or logical elements. Security should be viewed as an element of business management rather than an IT concern. In fact, IT and security are different. Information technology (IT) or even information systems (IS) is the hardware and software that support the operations or functions of a business. Security is the business management tool that ensures the reliable and protected operation of IT/IS. Security exists to support the objectives, mission, and goals of the organization.
Generally, a security framework should be adopted that provides a starting point for how to implement security. Once an initiation of security has been accomplished, then fine-tuning that security is accomplished through evaluation. There are three common types of security evaluation: risk assessment, vulnerability assessment, and penetration testing (these are covered in detail in Chapter 2 and Chapter 15, “Security Assessment and Testing”). Risk assessment is a process of identifying assets, threats, and vulnerabilities, and then using that information to calculate risk. Once risk is understood, it is used to guide the improvement of the existing security infrastructure. Vulnerability assessment uses automated tools to locate known security weaknesses, which can be addressed by adding in more defenses or adjusting the existing protections. Penetration testing uses trusted individuals to stress-test the security infrastructure to find issues that may not be discovered by the prior two means, with the goal of finding those concerns before an adversary takes advantage of them.
Security should be cost-effective. Organizations do not have infinite budgets and thus must allocate their funds appropriately. Additionally, an organizational budget includes a percentage of monies dedicated to security, just as most other business tasks and processes require capital, not to mention payments to employees, insurance, retirement, and so on. You should select security controls that provide the greatest protection for the lowest resource cost.
Security should be legally defensible. The laws of your jurisdiction are the backstop of organizational security. When someone intrudes into your environment and breaches security, especially when such activities are illegal, then prosecution in court may be the only available response for compensation or closure. Also, many decisions made by an organization will have legal liability issues. If required to defend a security action in the courtroom, legally supported security will go a long way toward protecting your organization from facing large fines, penalties, or charges of negligence.
Security is a journey, not a finish line. It is not a process that will ever be concluded. It is not possible to fully secure something, because security issues are always changing. Our deployed technology is changing by the passage of time, by the users, and by the adversaries discovering flaws and developing exploits. The defenses that were sufficient yesterday may not be sufficient tomorrow. As new vulnerabilities are discovered, as new means of attack are crafted and new exploits are built, we have to respond by reassessing our security infrastructure and responding appropriately.

Understand and Apply Security Concepts

Security management concepts and principles are inherent elements in a security policy and solution deployment. They define the basic parameters needed for a secure environment. They also define the goals and objectives that both policy designers and system implementers must achieve to create a secure solution.
Confidentiality, integrity, and availability (CIA) (i.e., the CIA Triad) are typically viewed as the primary goals and objectives of a security infrastructure (see Figure 1.1).
Schematic illustration of the CIA Triad.
FIGURE 1.1 The CIA Triad
Security controls are typically evaluated on how well they address these three core information security tenets. Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles.

Confidentiality

The first principle of the CIA Triad is confidentiality. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality protections prevent disclosure while protecting authorized access.
Violations of confidentiality are not limited to directed intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are the result of human error, oversight, or ineptitude. Confidentiality violations can result from the actions of an end user or a system administrator. They can also occur because of an oversight in a security policy or a misconfigured security control.
Numerous countermeasures can help ensure confidentiality against possible threats. These include encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training.
Concepts, conditions, and aspects of confidentiality include the following:
  • Sensitivity Sensitivity refers to the quality of information, which could cause harm or damage if disclosed.
  • Discretion Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
  • Criticality The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information.
  • Concealment Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy.
  • Secrecy Secrecy is the act of keeping something a secret or preventing the disclosure of information.
  • Privacy Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to s...

Inhaltsverzeichnis