CISSP Passport

Book description

This quick review study guide offers 100% coverage of every topic on the latest version of the CISSP exam

Get on the fast track to becoming CISSP certified with this affordable, portable study tool. Inside, cybersecurity instructor Bobby Rogers guides you on your career path, providing expert tips and sound advice along the way. With an intensive focus only on what you need to know to pass (ISC)2®’s 2021 Certified Information Systems Security Professional exam, this certification passport is your ticket to success on exam day.

Designed for focus on key topics and exam success:

  • List of official exam objectives covered by domain
  • Exam Tips offer expert pointers for success on the test
  • Cautions highlight common pitfalls and real-world issues as well as provide warnings about the exam
  • Tables, bulleted lists, and figures throughout focus on quick reference and review
  • Cross-Reference elements point to an essential, related concept covered elsewhere in the book
  • Additional Resources direct you to sources recommended for further learning
  • Practice questions and content review after each objective section prepare you for exam mastery

Covers all exam topics, including:
  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Online content includes:
  • Customizable practice exam test engine
  • 300 realistic practice questions with in-depth explanations

Table of contents

  1. Cover
  2. About the Author
  3. Title Page
  4. Copyright Page
  5. Dedication
  6. Contents
  7. Acknowledgments
  8. Introduction
  9. 1.0 Security and Risk Management
    1. Objective 1.1 Understand, adhere to, and promote professional ethics
      1. The (ISC)2 Code of Ethics
        1. Code of Ethics Preamble
        2. Code of Ethics Canons
      2. Organizational Code of Ethics
        1. Workplace Ethics Statements and Policies
        2. Other Sources for Ethics Requirements
      3. REVIEW
        1. 1.1 QUESTIONS
        2. 1.1 ANSWERS
    2. Objective 1.2 Understand and apply security concepts
      1. Security Concepts
        1. Data, Information, Systems, and Entities
        2. Confidentiality
        3. Integrity
        4. Availability
      2. Supporting Tenets of Information Security
        1. Identification
        2. Authentication
        3. Authenticity
        4. Authorization
        5. Auditing and Accountability
        6. Nonrepudiation
        7. Supporting Security Concepts
      3. REVIEW
        1. 1.2 QUESTIONS
        2. 1.2 ANSWERS
    3. Objective 1.3 Evaluate and apply security governance principles
      1. Security Governance
        1. External Governance
        2. Internal Governance
      2. Alignment of Security Functions to Business Requirements
        1. Business Strategy and Security Strategy
        2. Organizational Processes
        3. Organizational Roles and Responsibilities
        4. Security Control Frameworks
        5. Due Care/Due Diligence
      3. REVIEW
        1. 1.3 QUESTIONS
        2. 1.3 ANSWERS
    4. Objective 1.4 Determine compliance and other requirements
      1. Compliance
        1. Legal and Regulatory Compliance
        2. Contractual Compliance
        3. Compliance with Industry Standards
        4. Privacy Requirements
      2. REVIEW
        1. 1.4 QUESTIONS
        2. 1.4 ANSWERS
    5. Objective 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
      1. Legal and Regulatory Requirements
        1. Cybercrimes
        2. Licensing and Intellectual Property Requirements
        3. Import/Export Controls
        4. Transborder Data Flow
        5. Privacy Issues
      2. REVIEW
        1. 1.5 QUESTIONS
        2. 1.5 ANSWERS
    6. Objective 1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
      1. Investigations
        1. Administrative Investigations
        2. Civil Investigations
        3. Criminal Investigations
        4. Regulatory Investigations
        5. Industry Standards for Investigations
      2. REVIEW
        1. 1.6 QUESTIONS
        2. 1.6 ANSWERS
    7. Objective 1.7 Develop, document, and implement security policy, standards, procedures, and guidelines
      1. Internal Governance
        1. Policy
        2. Procedures
        3. Standards
        4. Guidelines
        5. Baselines
      2. REVIEW
        1. 1.7 QUESTIONS
        2. 1.7 ANSWERS
    8. Objective 1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements
      1. Business Continuity
        1. Business Impact Analysis
        2. Developing the BIA
      2. REVIEW
        1. 1.8 QUESTIONS
        2. 1.8 ANSWERS
    9. Objective 1.9 Contribute to and enforce personnel security policies and procedures
      1. Personnel Security
        1. Candidate Screening and Hiring
        2. Employment Agreements and Policies
        3. Onboarding, Transfers, and Termination Processes
        4. Vendor, Consultant, and Contractor Agreements and Controls
        5. Compliance Policy Requirements
        6. Privacy Policy Requirements
      2. REVIEW
        1. 1.9 QUESTIONS
        2. 1.9 ANSWERS
    10. Objective 1.10 Understand and apply risk management concepts
      1. Risk Management
        1. Elements of Risk
        2. Identify Threats and Vulnerabilities
        3. Risk Assessment/Analysis
        4. Risk Response
        5. Risk Frameworks
        6. Countermeasure Selection and Implementation
        7. Applicable Types of Controls
        8. Control Assessments (Security and Privacy)
        9. Monitoring and Measurement
        10. Reporting
        11. Continuous Improvement
      2. REVIEW
        1. 1.10 QUESTIONS
        2. 1.10 ANSWERS
    11. Objective 1.11 Understand and apply threat modeling concepts and methodologies
      1. Threat Modeling
        1. Threat Components
        2. Threat Modeling Methodologies
      2. REVIEW
        1. 1.11 QUESTIONS
        2. 1.11 ANSWERS
    12. Objective 1.12 Apply Supply Chain Risk Management (SCRM) concepts
      1. Supply Chain Risk Management
        1. Risks Associated with Hardware, Software, and Services
        2. Third-Party Assessment and Monitoring
        3. Minimum Security Requirements
        4. Service Level Requirements
      2. REVIEW
        1. 1.12 QUESTIONS
        2. 1.12 ANSWERS
    13. Objective 1.13 Establish and maintain a security awareness, education, and training program
      1. Security Awareness, Education, and Training Program
        1. Methods and Techniques to Present Awareness and Training
        2. Periodic Content Reviews
        3. Program Effectiveness Evaluation
      2. REVIEW
        1. 1.13 QUESTIONS
        2. 1.13 ANSWERS
  10. 2.0 Asset Security
    1. Objective 2.1 Identify and classify information and assets
      1. Asset Classification
      2. Data Classification
      3. REVIEW
        1. 2.1 QUESTIONS
        2. 2.1 ANSWERS
    2. Objective 2.2 Establish information and asset handling requirements
      1. Information and Asset Handling
        1. Handling Requirements
        2. Information Classification and Handling Systems
      2. REVIEW
        1. 2.2 QUESTIONS
        2. 2.2 ANSWERS
    3. Objective 2.3 Provision resources securely
      1. Securing Resources
        1. Asset Ownership
        2. Asset Inventory
        3. Asset Management
      2. REVIEW
        1. 2.3 QUESTIONS
        2. 2.3 ANSWERS
    4. Objective 2.4 Manage data lifecycle
      1. Managing the Data Life Cycle
        1. Data Roles
        2. Data Collection
        3. Data Location
        4. Data Maintenance
        5. Data Retention
        6. Data Remanence
        7. Data Destruction
      2. REVIEW
        1. 2.4 QUESTIONS
        2. 2.4 ANSWERS
    5. Objective 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
      1. Asset Retention
        1. Asset Life Cycle
        2. End-of-Life and End-of-Support
      2. REVIEW
        1. 2.5 QUESTIONS
        2. 2.5 ANSWERS
    6. Objective 2.6 Determine data security controls and compliance requirements
      1. Data Security and Compliance
        1. Data States
        2. Control Standards Selection
        3. Scoping and Tailoring Data Security Controls
        4. Data Protection Methods
      2. REVIEW
        1. 2.6 QUESTIONS
        2. 2.6 ANSWERS
  11. 3.0 Security Architecture and Engineering
    1. Objective 3.1 Research, implement, and manage engineering processes using secure design principles
      1. Threat Modeling
      2. Least Privilege
      3. Defense in Depth
      4. Secure Defaults
      5. Fail Securely
      6. Separation of Duties
      7. Keep It Simple
      8. Zero Trust
      9. Privacy by Design
      10. Trust But Verify
      11. Shared Responsibility
      12. REVIEW
        1. 3.1 QUESTIONS
        2. 3.1 ANSWERS
    2. Objective 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
      1. Security Models
        1. Terms and Concepts
        2. System States and Processing Modes
        3. Confidentiality Models
        4. Integrity Models
        5. Other Access Control Models
      2. REVIEW
        1. 3.2 QUESTIONS
        2. 3.2 ANSWERS
    3. Objective 3.3 Select controls based upon systems security requirements
      1. Selecting Security Controls
        1. Performance and Functional Requirements
        2. Data Protection Requirements
        3. Governance Requirements
        4. Interface Requirements
        5. Risk Response Requirements
      2. REVIEW
        1. 3.3 QUESTIONS
        2. 3.3 ANSWERS
    4. Objective 3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
      1. Information System Security Capabilities
        1. Hardware and Firmware System Security
        2. Secure Processing
      2. REVIEW
        1. 3.4 QUESTIONS
        2. 3.4 ANSWERS
    5. Objective 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
      1. Vulnerabilities of Security Architectures, Designs, and Solutions
        1. Client-Based Systems
        2. Server-Based Systems
        3. Distributed Systems
        4. Database Systems
        5. Cryptographic Systems
        6. Industrial Control Systems
        7. Internet of Things
        8. Embedded Systems
        9. Cloud-Based Systems
        10. Virtualized Systems
        11. Containerization
        12. Microservices
        13. Serverless
        14. High-Performance Computing Systems
        15. Edge Computing Systems
      2. REVIEW
        1. 3.5 QUESTIONS
        2. 3.5 ANSWERS
    6. Objective 3.6 Select and determine cryptographic solutions
      1. Cryptography
        1. Cryptographic Life Cycle
        2. Cryptographic Methods
        3. Integrity
        4. Hybrid Cryptography
        5. Digital Certificates
        6. Public Key Infrastructure
        7. Nonrepudiation and Digital Signatures
        8. Key Management Practices
      2. REVIEW
        1. 3.6 QUESTIONS
        2. 3.6 ANSWERS
    7. Objective 3.7 Understand methods of cryptanalytic attacks
      1. Cryptanalytic Attacks
        1. Brute Force
        2. Ciphertext Only
        3. Known Plaintext
        4. Chosen Ciphertext and Chosen Plaintext
        5. Frequency Analysis
        6. Implementation
        7. Side Channel
        8. Fault Injection
        9. Timing
        10. Man-in-the-Middle (On-Path)
        11. Pass the Hash
        12. Kerberos Exploitation
        13. Ransomware
      2. REVIEW
        1. 3.7 QUESTIONS
        2. 3.7 ANSWERS
    8. Objective 3.8 Apply security principles to site and facility design
      1. Site and Facility Design
        1. Site Planning
        2. Secure Design Principles
      2. REVIEW
        1. 3.8 QUESTIONS
        2. 3.8 ANSWERS
    9. Objective 3.9 Design site and facility security controls
      1. Designing Facility Security Controls
        1. Crime Prevention Through Environmental Design
        2. Key Facility Areas of Concern
      2. REVIEW
        1. 3.9 QUESTIONS
        2. 3.9 ANSWERS
  12. 4.0 Communication and Network Security
    1. Objective 4.1 Assess and implement secure design principles in network architectures
      1. Fundamental Networking Concepts
        1. Open Systems Interconnection and Transmission Control Protocol/Internet Protocol Models
        2. Internet Protocol Networking
        3. Secure Protocols
      2. Application of Secure Networking Concepts
        1. Implications of Multilayer Protocols
        2. Converged Protocols
        3. Micro-segmentation
      3. Wireless Technologies
        1. Wireless Theory and Signaling
        2. Wi-Fi
        3. Bluetooth
        4. Zigbee
        5. Satellite
        6. Li-Fi
        7. Cellular Networks
      4. Content Distribution Networks
      5. REVIEW
        1. 4.1 QUESTIONS
        2. 4.1 ANSWERS
    2. Objective 4.2 Secure network components
      1. Network Security Design and Components
        1. Operation of Hardware
        2. Transmission Media
        3. Endpoint Security
      2. REVIEW
        1. 4.2 QUESTIONS
        2. 4.2 ANSWERS
    3. Objective 4.3 Implement secure communication channels according to design
      1. Securing Communications Channels
        1. Voice
        2. Multimedia Collaboration
        3. Remote Access
        4. Data Communications
        5. Virtualized Networks
        6. Third-Party Connectivity
      2. REVIEW
        1. 4.3 QUESTIONS
        2. 4.3 ANSWERS
  13. 5.0 Identity and Access Management (IAM)
    1. Objective 5.1 Control physical and logical access to assets
      1. Controlling Logical and Physical Access
        1. Logical Access
        2. Physical Access
      2. REVIEW
        1. 5.1 QUESTIONS
        2. 5.1 ANSWERS
    2. Objective 5.2 Manage identification and authentication of people, devices, and services
      1. Identification and Authentication
        1. Identity Management Implementation
        2. Single/Multifactor Authentication
        3. Accountability
        4. Session Management
        5. Registration, Proofing, and Establishment of Identity
        6. Federated Identity Management
        7. Credential Management Systems
        8. Single Sign-On
        9. Just-in-Time
      2. REVIEW
        1. 5.2 QUESTIONS
        2. 5.2 ANSWERS
    3. Objective 5.3 Federated identity with a third-party service
      1. Third-Party Identity Services
        1. On-Premise
        2. Cloud
        3. Hybrid
      2. REVIEW
        1. 5.3 QUESTIONS
        2. 5.3 ANSWERS
    4. Objective 5.4 Implement and manage authorization mechanisms
      1. Authorization Mechanisms and Models
        1. Discretionary Access Control
        2. Mandatory Access Control
        3. Role-Based Access Control
        4. Rule-Based Access Control
        5. Attribute-Based Access Control
        6. Risk-Based Access Control
      2. REVIEW
        1. 5.4 QUESTIONS
        2. 5.4 ANSWERS
    5. Objective 5.5 Manage the identity and access provisioning lifecycle
      1. Identity and Access Provisioning Life Cycle
        1. Provisioning and Deprovisioning
        2. Role Definition
        3. Privilege Escalation
      2. Account Access Review
      3. REVIEW
        1. 5.5 QUESTIONS
        2. 5.5 ANSWERS
    6. Objective 5.6 Implement authentication systems
      1. Authentication Systems
        1. Open Authorization
        2. OpenID Connect
        3. Security Assertion Markup Language
        4. Kerberos
        5. Remote Access Authentication and Authorization
      2. REVIEW
        1. 5.6 QUESTIONS
        2. 5.6 ANSWERS
  14. 6.0 Security Assessment and Testing
    1. Objective 6.1 Design and validate assessment, test, and audit strategies
      1. Defining Assessments, Tests, and Audits
      2. Designing and Validating Evaluations
        1. Goals and Strategies
        2. Use of Internal, External, and Third-Party Assessors
      3. REVIEW
        1. 6.1 QUESTIONS
        2. 6.1 ANSWERS
    2. Objective 6.2 Conduct security control testing
      1. Security Control Testing
        1. Vulnerability Assessment
        2. Penetration Testing
        3. Log Reviews
        4. Synthetic Transactions
        5. Code Review and Testing
        6. Misuse Case Testing
        7. Test Coverage Analysis
        8. Interface Testing
        9. Breach Attack Simulations
        10. Compliance Checks
      2. REVIEW
        1. 6.2 QUESTIONS
        2. 6.2 ANSWERS
    3. Objective 6.3 Collect security process data (e.g., technical and administrative)
      1. Security Data
        1. Security Process Data
      2. REVIEW
        1. 6.3 QUESTIONS
        2. 6.3 ANSWERS
    4. Objective 6.4 Analyze test output and generate report
      1. Test Results and Reporting
        1. Analyzing the Test Results
        2. Reporting
        3. Remediation, Exception Handling, and Ethical Disclosure
      2. REVIEW
        1. 6.4 QUESTIONS
        2. 6.4 ANSWERS
    5. Objective 6.5 Conduct or facilitate security audits
      1. Conducting Security Audits
        1. Internal Security Auditors
        2. External Security Auditors
        3. Third-Party Security Auditors
      2. REVIEW
        1. 6.5 QUESTIONS
        2. 6.5 ANSWERS
  15. 7.0 Security Operations
    1. Objective 7.1 Understand and comply with investigations
      1. Investigations
        1. Forensic Investigations
        2. Evidence Collection and Handling
        3. Digital Forensics Tools, Tactics, and Procedures
        4. Investigative Techniques
        5. Reporting and Documentation
      2. REVIEW
        1. 7.1 QUESTIONS
        2. 7.1 ANSWERS
    2. Objective 7.2 Conduct logging and monitoring activities
      1. Logging and Monitoring
        1. Continuous Monitoring
        2. Intrusion Detection and Prevention
        3. Security Information and Event Management
        4. Egress Monitoring
        5. Log Management
        6. Threat Intelligence
        7. User and Entity Behavior Analytics
      2. REVIEW
        1. 7.2 QUESTIONS
        2. 7.2 ANSWERS
    3. Objective 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
      1. Configuration Management Activities
        1. Provisioning
        2. Baselining
        3. Automating the Configuration Management Process
      2. REVIEW
        1. 7.3 QUESTIONS
        2. 7.3 ANSWERS
    4. Objective 7.4 Apply foundational security operations concepts
      1. Security Operations
        1. Need-to-Know/Least Privilege
        2. Separation of Duties and Responsibilities
        3. Privileged Account Management
        4. Job Rotation
        5. Service Level Agreements
      2. REVIEW
        1. 7.4 QUESTIONS
        2. 7.4 ANSWERS
    5. Objective 7.5 Apply resource protection
      1. Media Management and Protection
        1. Media Management
        2. Media Protection Techniques
      2. REVIEW
        1. 7.5 QUESTIONS
        2. 7.5 ANSWERS
    6. Objective 7.6 Conduct incident management
      1. Security Incident Management
        1. Incident Management Life Cycle
      2. REVIEW
        1. 7.6 QUESTIONS
        2. 7.6 ANSWERS
    7. Objective 7.7 Operate and maintain detective and preventative measures
      1. Detective and Preventive Controls
        1. Allow-Listing and Deny-Listing
        2. Firewalls
        3. Intrusion Detection Systems and Intrusion Prevention Systems
        4. Third-Party Provided Security Services
        5. Honeypots and Honeynets
        6. Anti-malware
        7. Sandboxing
        8. Machine Learning and Artificial Intelligence
      2. REVIEW
        1. 7.7 QUESTIONS
        2. 7.7 ANSWERS
    8. Objective 7.8 Implement and support patch and vulnerability management
      1. Patch and Vulnerability Management
        1. Managing Vulnerabilities
        2. Managing Patches and Updates
      2. REVIEW
        1. 7.8 QUESTIONS
        2. 7.8 ANSWERS
    9. Objective 7.9 Understand and participate in change management processes
      1. Change Management
        1. Change Management Processes
      2. REVIEW
        1. 7.9 QUESTIONS
        2. 7.9 ANSWERS
    10. Objective 7.10 Implement recovery strategies
      1. Recovery Strategies
        1. Backup Storage Strategies
        2. Recovery Site Strategies
        3. Multiple Processing Sites
        4. Resiliency
        5. High Availability
        6. Quality of Service
        7. Fault Tolerance
      2. REVIEW
        1. 7.10 QUESTIONS
        2. 7.10 ANSWERS
    11. Objective 7.11 Implement Disaster Recovery (DR) processes
      1. Disaster Recovery
        1. Saving Lives and Preventing Harm to People
      2. The Disaster Recovery Plan
        1. Response
        2. Personnel
        3. Communications
        4. Assessment
        5. Restoration
        6. Training and Awareness
        7. Lessons Learned
      3. REVIEW
        1. 7.11 QUESTIONS
        2. 7.11 ANSWERS
    12. Objective 7.12 Test Disaster Recovery Plans (DRP)
      1. Testing the Disaster Recovery Plan
        1. Read-Through/Tabletop
        2. Walk-Through
        3. Simulation
        4. Parallel Testing
        5. Full Interruption
      2. REVIEW
        1. 7.12 QUESTIONS
        2. 7.12 ANSWERS
    13. Objective 7.13 Participate in Business Continuity (BC) planning and exercises
      1. Business Continuity
        1. Business Continuity Planning
        2. Business Continuity Exercises
      2. REVIEW
        1. 7.13 QUESTIONS
        2. 7.13 ANSWERS
    14. Objective 7.14 Implement and manage physical security
      1. Physical Security
        1. Perimeter Security Controls
        2. Internal Security Controls
      2. REVIEW
        1. 7.14 QUESTIONS
        2. 7.14 ANSWERS
    15. Objective 7.15 Address personnel safety and security concerns
      1. Personnel Safety and Security
        1. Travel
        2. Security Training and Awareness
        3. Emergency Management
        4. Duress
      2. REVIEW
        1. 7.15 QUESTIONS
        2. 7.15 ANSWERS
  16. 8.0 Software Development Security
    1. Objective 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
      1. Software Development Life Cycle
        1. Development Methodologies
        2. Maturity Models
        3. Operation and Maintenance
        4. Change Management
        5. Integrated Product Team
      2. REVIEW
        1. 8.1 QUESTIONS
        2. 8.1 ANSWERS
    2. Objective 8.2 Identify and apply security controls in software development ecosystems
      1. Security Controls in Software Development
        1. Programming Languages
        2. Libraries
        3. Tool Sets
        4. Integrated Development Environment
        5. Runtime
        6. Continuous Integration and Continuous Delivery
        7. Security Orchestration, Automation, and Response
        8. Software Configuration Management
        9. Code Repositories
        10. Application Security Testing
      2. REVIEW
        1. 8.2 QUESTIONS
        2. 8.2 ANSWERS
    3. Objective 8.3 Assess the effectiveness of software security
      1. Software Security Effectiveness
        1. Auditing and Logging Changes
        2. Risk Analysis and Mitigation
      2. REVIEW
        1. 8.3 QUESTIONS
        2. 8.3 ANSWERS
    4. Objective 8.4 Assess security impact of acquired software
      1. Security Impact of Acquired Software
        1. Commercial-off-the-Shelf Software
        2. Open-Source Software
        3. Third-Party Software
        4. Managed Services
      2. REVIEW
        1. 8.4 QUESTIONS
        2. 8.4 ANSWERS
    5. Objective 8.5 Define and apply secure coding guidelines and standards
      1. Secure Coding Guidelines and Standards
        1. Security Weaknesses and Vulnerabilities at the Source-Code Level
        2. Security of Application Programming Interfaces
        3. Secure Coding Practices
        4. Software-Defined Security
      2. REVIEW
        1. 8.5 QUESTIONS
        2. 8.5 ANSWERS
  17. A About the Online Content
    1. System Requirements
    2. Your Total Seminars Training Hub Account
      1. Privacy Notice
    3. Single User License Terms and Conditions
    4. TotalTester Online
    5. Technical Support
  18. Index

Product information

  • Title: CISSP Passport
  • Author(s): Bobby E. Rogers
  • Release date: October 2022
  • Publisher(s): McGraw-Hill
  • ISBN: 9781264277988