CISSP All-in-One Exam Guide, Ninth Edition, 9th Edition

Book description

A new edition of Shon Harris’ bestselling exam prep guide―fully updated for the 2021 version of the CISSP exam

Thoroughly updated for the latest release of the Certified Information Systems Security Professional exam, this comprehensive resource covers all objectives in the 2021 CISSP exam developed by the International Information Systems Security Certification Consortium (ISC)2®. CISSP All-in-One Exam Guide, Ninth Edition features learning objectives at the beginning of each chapter, exam tips, practice questions, and in-depth explanations. Written by leading experts in information security certification and training, this completely up-to-date self-study system helps you pass the exam with ease and also serves as an essential on-the-job reference.

Covers all 8 CISSP domains:

  • Security and risk management
  • Asset security
  • Security architecture and engineering
  • Communication and network security
  • Identity and access management (IAM)
  • Security assessment and testing
  • Security operations
  • Software development security

Online content includes:

  • 1400+ practice exam questions
  • Graphical question quizzes
  • Test engine that provides full-length practice exams and customizable quizzes by chapter or exam domain
  • Access to Flash cards

Table of contents

  1. Cover
  2. About The Authors
  3. Title Page
  4. Copyright Page
  5. Dedication
  6. Contents at a Glance
  7. Contents
  8. From the Author
  9. Acknowledgments
  10. Why Become a CISSP?
  11. Part I Security and Risk Management
    1. Chapter 1 Cybersecurity Governance
      1. Fundamental Cybersecurity Concepts and Terms
        1. Confidentiality
        2. Integrity
        3. Availability
        4. Authenticity
        5. Nonrepudiation
        6. Balanced Security
        7. Other Security Terms
      2. Security Governance Principles
        1. Aligning Security to Business Strategy
        2. Organizational Processes
        3. Organizational Roles and Responsibilities
      3. Security Policies, Standards, Procedures, and Guidelines
        1. Security Policy
        2. Standards
        3. Baselines
        4. Guidelines
        5. Procedures
        6. Implementation
      4. Personnel Security
        1. Candidate Screening and Hiring
        2. Employment Agreements and Policies
        3. Onboarding, Transfers, and Termination Processes
        4. Vendors, Consultants, and Contractors
        5. Compliance Policies
        6. Privacy Policies
      5. Security Awareness, Education, and Training Programs
        1. Degree or Certification?
        2. Methods and Techniques to Present Awareness and Training
        3. Periodic Content Reviews
        4. Program Effectiveness Evaluation
      6. Professional Ethics
        1. (ISC)2 Code of Professional Ethics
        2. Organizational Code of Ethics
        3. The Computer Ethics Institute
      7. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    2. Chapter 2 Risk Management
      1. Risk Management Concepts
        1. Holistic Risk Management
        2. Information Systems Risk Management Policy
        3. The Risk Management Team
        4. The Risk Management Process
        5. Overview of Vulnerabilities and Threats
        6. Identifying Threats and Vulnerabilities
      2. Assessing Risks
        1. Asset Valuation
        2. Risk Assessment Teams
        3. Methodologies for Risk Assessment
        4. Risk Analysis Approaches
        5. Qualitative Risk Analysis
      3. Responding to Risks
        1. Total Risk vs. Residual Risk
        2. Countermeasure Selection and Implementation
        3. Types of Controls
        4. Control Assessments
      4. Monitoring Risks
        1. Effectiveness Monitoring
        2. Change Monitoring
        3. Compliance Monitoring
        4. Risk Reporting
        5. Continuous Improvement
      5. Supply Chain Risk Management
        1. Upstream and Downstream Suppliers
        2. Risks Associated with Hardware, Software, and Services
        3. Other Third-Party Risks
        4. Minimum Security Requirements
        5. Service Level Agreements
      6. Business Continuity
        1. Standards and Best Practices
        2. Making BCM Part of the Enterprise Security Program
        3. Business Impact Analysis
      7. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    3. Chapter 3 Compliance
      1. Laws and Regulations
        1. Types of Legal Systems
        2. Common Law Revisited
      2. Cybercrimes and Data Breaches
        1. Complexities in Cybercrime
        2. The Evolution of Attacks
        3. International Issues
        4. Data Breaches
        5. Import/Export Controls
        6. Transborder Data Flow
        7. Privacy
      3. Licensing and Intellectual Property Requirements
        1. Trade Secret
        2. Copyright
        3. Trademark
        4. Patent
        5. Internal Protection of Intellectual Property
        6. Software Piracy
      4. Compliance Requirements
        1. Contractual, Legal, Industry Standards, and Regulatory Requirements
        2. Privacy Requirements
        3. Liability and Its Ramifications
      5. Requirements for Investigations
        1. Administrative
        2. Criminal
        3. Civil
        4. Regulatory
      6. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    4. Chapter 4 Frameworks
      1. Overview of Frameworks
      2. Risk Frameworks
        1. NIST RMF
        2. ISO/IEC 27005
        3. OCTAVE
        4. FAIR
      3. Information Security Frameworks
        1. Security Program Frameworks
        2. Security Control Frameworks
      4. Enterprise Architecture Frameworks
        1. Why Do We Need Enterprise Architecture Frameworks?
        2. Zachman Framework
        3. The Open Group Architecture Framework
        4. Military-Oriented Architecture Frameworks
      5. Other Frameworks
        1. ITIL
        2. Six Sigma
        3. Capability Maturity Model
      6. Putting It All Together
      7. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
  12. Part II Asset Security
    1. Chapter 5 Assets
      1. Information and Assets
        1. Identification
        2. Classification
      2. Physical Security Considerations
        1. Protecting Mobile Devices
        2. Paper Records
        3. Safes
      3. Managing the Life Cycle of Assets
        1. Ownership
        2. Inventories
        3. Secure Provisioning
        4. Asset Retention
      4. Data Life Cycle
        1. Data Acquisition
        2. Data Storage
        3. Data Use
        4. Data Sharing
        5. Data Archival
        6. Data Destruction
        7. Data Roles
      5. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    2. Chapter 6 Data Security
      1. Data Security Controls
        1. Data States
        2. Standards
        3. Scoping and Tailoring
      2. Data Protection Methods
        1. Digital Asset Management
        2. Digital Rights Management
        3. Data Loss Prevention
        4. Cloud Access Security Broker
      3. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
  13. Part III Security Architecture and Engineering
    1. Chapter 7 System Architectures
      1. General System Architectures
        1. Client-Based Systems
        2. Server-Based Systems
        3. Database Systems
        4. High-Performance Computing Systems
      2. Industrial Control Systems
        1. Devices
        2. Distributed Control System
        3. Supervisory Control and Data Acquisition
        4. ICS Security
      3. Virtualized Systems
        1. Virtual Machines
        2. Containerization
        3. Microservices
        4. Serverless
      4. Cloud-Based Systems
        1. Software as a Service
        2. Platform as a Service
        3. Infrastructure as a Service
        4. Everything as a Service
        5. Cloud Deployment Models
      5. Pervasive Systems
        1. Embedded Systems
        2. Internet of Things
      6. Distributed Systems
        1. Edge Computing Systems
      7. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    2. Chapter 8 Cryptology
      1. The History of Cryptography
      2. Cryptography Definitions and Concepts
        1. Cryptosystems
        2. Kerckhoffs’ Principle
        3. The Strength of the Cryptosystem
        4. One-Time Pad
        5. Cryptographic Life Cycle
      3. Cryptographic Methods
        1. Symmetric Key Cryptography
        2. Asymmetric Key Cryptography
        3. Elliptic Curve Cryptography
        4. Quantum Cryptography
        5. Hybrid Encryption Methods
      4. Integrity
        1. Hashing Functions
        2. Message Integrity Verification
      5. Public Key Infrastructure
        1. Digital Certificates
        2. Certificate Authorities
        3. Registration Authorities
        4. PKI Steps
        5. Key Management
      6. Attacks Against Cryptography
        1. Key and Algorithm Attacks
        2. Implementation Attacks
        3. Other Attacks
      7. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    3. Chapter 9 Security Architectures
      1. Threat Modeling
        1. Attack Trees
        2. STRIDE
        3. The Lockheed Martin Cyber Kill Chain
        4. The MITRE ATT&CK Framework
        5. Why Bother with Threat Modeling
      2. Secure Design Principles
        1. Defense in Depth
        2. Zero Trust
        3. Trust But Verify
        4. Shared Responsibility
        5. Separation of Duties
        6. Least Privilege
        7. Keep It Simple
        8. Secure Defaults
        9. Fail Securely
        10. Privacy by Design
      3. Security Models
        1. Bell-LaPadula Model
        2. Biba Model
        3. Clark-Wilson Model
        4. Noninterference Model
        5. Brewer and Nash Model
        6. Graham-Denning Model
        7. Harrison-Ruzzo-Ullman Model
      4. Security Requirements
      5. Security Capabilities of Information Systems
        1. Trusted Platform Module
        2. Hardware Security Module
        3. Self-Encrypting Drive
        4. Bus Encryption
        5. Secure Processing
      6. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    4. Chapter 10 Site and Facility Security
      1. Site and Facility Design
        1. Security Principles
        2. The Site Planning Process
        3. Crime Prevention Through Environmental Design
        4. Designing a Physical Security Program
      2. Site and Facility Controls
        1. Work Area Security
        2. Data Processing Facilities
        3. Distribution Facilities
        4. Storage Facilities
        5. Utilities
        6. Fire Safety
        7. Environmental Issues
      3. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
  14. Part IV Communication and Network Security
    1. Chapter 11 Networking Fundamentals
      1. Data Communications Foundations
        1. Network Reference Models
        2. Protocols
        3. Application Layer
        4. Presentation Layer
        5. Session Layer
        6. Transport Layer
        7. Network Layer
        8. Data Link Layer
        9. Physical Layer
        10. Functions and Protocols in the OSI Model
        11. Tying the Layers Together
      2. Local Area Networks
        1. Network Topology
        2. Medium Access Control Mechanisms
        3. Layer 2 Protocols
        4. Transmission Methods
        5. Layer 2 Security Standards
      3. Internet Protocol Networking
        1. TCP
        2. IP Addressing
        3. IPv6
        4. Address Resolution Protocol
        5. Dynamic Host Configuration Protocol
        6. Internet Control Message Protocol
        7. Simple Network Management Protocol
        8. Domain Name Service
        9. Network Address Translation
        10. Routing Protocols
      4. Intranets and Extranets
      5. Metropolitan Area Networks
        1. Metro Ethernet
      6. Wide Area Networks
        1. Dedicated Links
        2. WAN Technologies
      7. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    2. Chapter 12 Wireless Networking
      1. Wireless Communications Techniques
        1. Spread Spectrum
        2. Orthogonal Frequency Division Multiplexing
      2. Wireless Networking Fundamentals
        1. WLAN Components
        2. WLAN Standards
        3. Other Wireless Network Standards
        4. Other Important Standards
      3. Evolution of WLAN Security
        1. 802.11
        2. 802.11i
        3. 802.11w
        4. WPA3
        5. 802.1X
      4. Best Practices for Securing WLANs
      5. Mobile Wireless Communication
        1. Multiple Access Technologies
        2. Generations of Mobile Wireless
      6. Satellites
      7. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    3. Chapter 13 Securing the Network
      1. Applying Secure Design Principles to Network Architectures
      2. Secure Networking
        1. Link Encryption vs. End-to-End Encryption
        2. TLS
        3. VPN
      3. Secure Protocols
        1. Web Services
        2. Domain Name System
        3. Electronic Mail
      4. Multilayer Protocols
        1. Distributed Network Protocol 3
        2. Controller Area Network Bus
        3. Modbus
      5. Converged Protocols
        1. Encapsulation
        2. Fiber Channel over Ethernet
        3. Internet Small Computer Systems Interface
      6. Network Segmentation
        1. VLANs
        2. Virtual eXtensible Local Area Network
        3. Software-Defined Networks
        4. Software-Defined Wide Area Network
      7. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    4. Chapter 14 Network Components
      1. Transmission Media
        1. Types of Transmission
        2. Cabling
        3. Bandwidth and Throughput
      2. Network Devices
        1. Repeaters
        2. Bridges
        3. Switches
        4. Routers
        5. Gateways
        6. Proxy Servers
        7. PBXs
        8. Network Access Control Devices
        9. Network Diagramming
        10. Operation of Hardware
      3. Endpoint Security
      4. Content Distribution Networks
      5. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    5. Chapter 15 Secure Communications Channels
      1. Voice Communications
        1. Public Switched Telephone Network
        2. DSL
        3. ISDN
        4. Cable Modems
        5. IP Telephony
      2. Multimedia Collaboration
        1. Meeting Applications
        2. Unified Communications
      3. Remote Access
        1. VPN
        2. Desktop Virtualization
        3. Secure Shell
      4. Data Communications
        1. Network Sockets
        2. Remote Procedure Calls
      5. Virtualized Networks
      6. Third-Party Connectivity
      7. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
  15. Part V Identity and Access Management
    1. Chapter 16 Identity and Access Fundamentals
      1. Identification, Authentication, Authorization, and Accountability
        1. Identification and Authentication
        2. Knowledge-Based Authentication
        3. Biometric Authentication
        4. Ownership-Based Authentication
      2. Credential Management
        1. Password Managers
        2. Password Synchronization
        3. Self-Service Password Reset
        4. Assisted Password Reset
        5. Just-in-Time Access
        6. Registration and Proofing of Identity
        7. Profile Update
        8. Session Management
        9. Accountability
      3. Identity Management
        1. Directory Services
        2. Directories’ Role in Identity Management
        3. Single Sign-On
        4. Federated Identity Management
      4. Federated Identity with a Third-Party Service
        1. Integration Issues
        2. On-Premise
        3. Cloud
        4. Hybrid
      5. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    2. Chapter 17 Managing Identities and Access
      1. Authorization Mechanisms
        1. Discretionary Access Control
        2. Mandatory Access Control
        3. Role-Based Access Control
        4. Rule-Based Access Control
        5. Attribute-Based Access Control
        6. Risk-Based Access Control
      2. Implementing Authentication and Authorization Systems
        1. Access Control and Markup Languages
        2. OAuth
        3. OpenID Connect
        4. Kerberos
        5. Remote Access Control Technologies
      3. Managing the Identity and Access Provisioning Life Cycle
        1. Provisioning
        2. Access Control
        3. Compliance
        4. Configuration Management
        5. Deprovisioning
      4. Controlling Physical and Logical Access
        1. Information Access Control
        2. System and Application Access Control
        3. Access Control to Devices
        4. Facilities Access Control
      5. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
  16. Part VI Security Assessment and Testing
    1. Chapter 18 Security Assessments
      1. Test, Assessment, and Audit Strategies
        1. Designing an Assessment
        2. Validating an Assessment
      2. Testing Technical Controls
        1. Vulnerability Testing
        2. Other Vulnerability Types
        3. Penetration Testing
        4. Red Teaming
        5. Breach Attack Simulations
        6. Log Reviews
        7. Synthetic Transactions
        8. Code Reviews
        9. Code Testing
        10. Misuse Case Testing
        11. Test Coverage
        12. Interface Testing
        13. Compliance Checks
      3. Conducting Security Audits
        1. Internal Audits
        2. External Audits
        3. Third-Party Audits
      4. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    2. Chapter 19 Measuring Security
      1. Quantifying Security
        1. Security Metrics
        2. Key Performance and Risk Indicators
      2. Security Process Data
        1. Account Management
        2. Backup Verification
        3. Security Training and Security Awareness Training
        4. Disaster Recovery and Business Continuity
      3. Reporting
        1. Analyzing Results
        2. Writing Technical Reports
        3. Executive Summaries
      4. Management Review and Approval
        1. Before the Management Review
        2. Reviewing Inputs
        3. Management Approval
      5. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
  17. Part VII Security Operations
    1. Chapter 20 Managing Security Operations
      1. Foundational Security Operations Concepts
        1. Accountability
        2. Need-to-Know/Least Privilege
        3. Separation of Duties and Responsibilities
        4. Privileged Account Management
        5. Job Rotation
        6. Service Level Agreements
      2. Change Management
        1. Change Management Practices
        2. Change Management Documentation
      3. Configuration Management
        1. Baselining
        2. Provisioning
        3. Automation
      4. Resource Protection
        1. System Images
        2. Source Files
        3. Backups
      5. Vulnerability and Patch Management
        1. Vulnerability Management
        2. Patch Management
      6. Physical Security
        1. External Perimeter Security Controls
        2. Facility Access Control
        3. Internal Security Controls
        4. Personnel Access Controls
        5. Intrusion Detection Systems
        6. Auditing Physical Access
      7. Personnel Safety and Security
        1. Travel
        2. Security Training and Awareness
        3. Emergency Management
        4. Duress
      8. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    2. Chapter 21 Security Operations
      1. The Security Operations Center
        1. Elements of a Mature SOC
        2. Threat Intelligence
      2. Preventive and Detective Measures
        1. Firewalls
        2. Intrusion Detection and Prevention Systems
        3. Antimalware Software
        4. Sandboxing
        5. Outsourced Security Services
        6. Honeypots and Honeynets
        7. Artificial Intelligence Tools
      3. Logging and Monitoring
        1. Log Management
        2. Security Information and Event Management
        3. Egress Monitoring
        4. User and Entity Behavior Analytics
        5. Continuous Monitoring
      4. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    3. Chapter 22 Security Incidents
      1. Overview of Incident Management
        1. Detection
        2. Response
        3. Mitigation
        4. Reporting
        5. Recovery
        6. Remediation
        7. Lessons Learned
      2. Incident Response Planning
        1. Roles and Responsibilities
        2. Incident Classification
        3. Notifications
        4. Operational Tasks
        5. Runbooks
      3. Investigations
        1. Motive, Opportunity, and Means
        2. Computer Criminal Behavior
        3. Evidence Collection and Handling
        4. What Is Admissible in Court?
        5. Digital Forensics Tools, Tactics, and Procedures
        6. Forensic Investigation Techniques
        7. Other Investigative Techniques
        8. Forensic Artifacts
        9. Reporting and Documenting
      4. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    4. Chapter 23 Disasters
      1. Recovery Strategies
        1. Business Process Recovery
        2. Data Backup
        3. Documentation
        4. Human Resources
        5. Recovery Site Strategies
        6. Availability
      2. Disaster Recovery Processes
        1. Response
        2. Personnel
        3. Communications
        4. Assessment
        5. Restoration
        6. Training and Awareness
        7. Lessons Learned
        8. Testing Disaster Recovery Plans
      3. Business Continuity
        1. BCP Life Cycle
        2. Information Systems Availability
        3. End-User Environment
      4. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
  18. Part VIII Software Development Security
    1. Chapter 24 Software Development
      1. Software Development Life Cycle
        1. Project Management
        2. Requirements Gathering Phase
        3. Design Phase
        4. Development Phase
        5. Testing Phase
        6. Operations and Maintenance Phase
      2. Development Methodologies
        1. Waterfall Methodology
        2. Prototyping
        3. Incremental Methodology
        4. Spiral Methodology
        5. Rapid Application Development
        6. Agile Methodologies
        7. DevOps
        8. DevSecOps
        9. Other Methodologies
      3. Maturity Models
        1. Capability Maturity Model Integration
        2. Software Assurance Maturity Model
      4. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
    2. Chapter 25 Secure Software
      1. Programming Languages and Concepts
        1. Assemblers, Compilers, Interpreters
        2. Runtime Environments
        3. Object-Oriented Programming Concepts
        4. Cohesion and Coupling
        5. Application Programming Interfaces
        6. Software Libraries
      2. Secure Software Development
        1. Source Code Vulnerabilities
        2. Secure Coding Practices
      3. Security Controls for Software Development
        1. Development Platforms
        2. Tool Sets
        3. Application Security Testing
        4. Continuous Integration and Delivery
        5. Security Orchestration, Automation, and Response
        6. Software Configuration Management
        7. Code Repositories
      4. Software Security Assessments
        1. Risk Analysis and Mitigation
        2. Change Management
      5. Assessing the Security of Acquired Software
        1. Commercial Software
        2. Open-Source Software
        3. Third-Party Software
        4. Managed Services
      6. Chapter Review
        1. Quick Review
        2. Questions
        3. Answers
  19. Appendix A Comprehensive Questions
    1. Answers
  20. Appendix B Objective Map
  21. Appendix C About the Online Content
    1. System Requirements
    2. Your Total Seminars Training Hub Account
      1. Privacy Notice
    3. Single User License Terms and Conditions
    4. TotalTester Online
    5. Graphical Questions
    6. Online Flash Cards
      1. Single User License Terms and Conditions
    7. Technical Support
  22. Glossary
  23. Index

Product information

  • Title: CISSP All-in-One Exam Guide, Ninth Edition, 9th Edition
  • Author(s): Fernando Maymi, Shon Harris
  • Release date: November 2021
  • Publisher(s): McGraw-Hill
  • ISBN: 9781260467369