CISSP 4 in 1- Beginners Guide+ Guide to learn CISSP Principles+ The Fundamentals of Information Security Systems for CISSP… (Jones, Daniel) (Z-Library)
Author: Jones, Daniel
Category: Business
File Format: PDF
File Size: 15.2 MB
Text Preview (First 20 pages)

Page 5
© Copyright 2021 - All rights reserved. This document is geared towards providing exact and reliable information in regards to the topic and issue covered. The publication is sold with the idea that the publisher is not required to render accounting, officially permitted or otherwise qualified services. If advice is necessary, legal or professional, a practiced individual in the profession should be ordered. - From a Declaration of Principles which was accepted and approved equally by a Committee of the American Bar Association and a Committee of Publishers and Associations. In no way is it legal to reproduce, duplicate, or transmit any part of this document in either electronic means or in printed format. Recording of this publication is strictly prohibited, and any storage of this document is not allowed unless with written permission from the publisher. All rights reserved. The information provided herein is stated to be truthful and consistent, in that any liability, in terms of inattention or otherwise, by any usage or abuse of any policies, processes, or directions contained within is the solitary and utter responsibility of the recipient reader. Under no circumstances will any legal responsibility or blame be held against the publisher for any reparation, damages, or monetary loss due to the information herein, either directly or indirectly. Respective authors own all copyrights not held by the publisher. The information herein is offered for informational purposes solely and is universal as so. The presentation of the information is without a contract or any type of guarantee assurance. The trademarks that are used are without any consent, and the publication of the trademark is without permission or backing by the trademark owner. All trademarks and brands within this book are for clarifying purposes only and are owned by the owners themselves, not affiliated with this document.
Page 6

TABLE OF CONTENTS

CISSP: A Comprehensive Beginners Guide to Learn and Understand the Realms of CISSP from A-Z

Introduction

Chapter 1: Security and Risk Management
- 1.1 Understand and Apply Concepts of Confidentiality, Integrity and Availability
- 1.2 Evaluate and Apply Security Governance Principles
- 1.3 Determine Compliance Requirements
- 1.4 Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context
- 1.5 Understand, Adhere To, and Promote Professional Ethics
- 1.6 Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
- 1.7 Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
- 1.8 Contribute To and Enforce Personnel Security Policies and Procedures
- 1.9 Understand and Apply Risk Management Concepts
- 1.10 Understand and Apply Threat Modeling Concepts and Methodologies
- 1.11 Apply Risk-Based Management Concepts
- 1.12 Establish and Maintain Security Awareness, Education, and Training Program

Chapter 2: Asset Security
- 2.1 Data and Asset Classification and Labeling
- 2.2 Determine and Maintain Information and Asset Ownership
- 2.3 Protect Privacy
- 2.4 Ensure Appropriate Asset Retention
- 2.5 Determine Data Security Controls
- 2.6 Establish Information and Asset Handling Requirements

Chapter 3: Security Architecture and Engineering
- 3.1 Implement and Manage Engineering Processes using Secure Design Principles
- 3.2 Understand the Fundamental Concepts of Security Models
- 3.3 Select Controls Based on Systems Security Requirements
- 3.4 Understand Security Capabilities of Information Systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
- 3.5 Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
- 3.6 Assess and Mitigate Vulnerabilities in Web-Based Systems
- 3.7 Assess and Mitigate Vulnerabilities in Mobile Systems
- 3.8 Assess and Mitigate Vulnerabilities in Embedded Devices
- 3.9 Apply Cryptography

Page 7

- 3.10 Apply Security Principles to Site and Facility Design
- 3.11 Implement Site and Facility Security Controls

Chapter 4: Communication and Network Security
- 4.1 Implement Secure Design Principles in Network Architecture
- 4.2 Secure Network Components
- 4.3 Implement Secure Communication Channels According to Design

Chapter 5: Identity and Access Management (IAM)
- 5.1 Control Physical and Logical Access to Assets
- 5.2 Manage Identification and Authentication of People, Devices and Services
- 5.3 Integrate Identity as a Third-Party Service
- 5.4 Implement and Manage Authorization Mechanisms
- 5.5 Manage the Identity and Access Provisioning Lifecycle

Chapter 6: Security Assessment and Testing
- 6.1 Design and Validate Assessment, Test, and Audit Strategies
- 6.2 Conduct Security Control Testing
- 6.3 Collect Security Process Data
- 6.4 Analyze Test Output and Generate Reports
- 6.5 Conduct or Facilitate Security Audits

Chapter 7: Security Operations
- 7.1 Understand and Support Investigations
- 7.2 Understand Requirements for Investigation Types
- 7.3 Conduct Logging and Monitoring Activities
- 7.4 Securely Provision Resources
- 7.5 Understand and Apply Foundational Security Operation Concepts
- 7.6 Apply Resource Protection Techniques
- 7.7 Conduct Incident Management
- 7.8 Operate and Maintain Detective and Preventative Measures
- 7.9 Implement and Support Patch and Vulnerability Management
- 7.10 Understand and Participate in Change Management Processes
- 7.11 Implement Recovery Strategies
- 7.12 Implement Disaster Recovery (DR): Recovery Processes
- 7.13 Test Disaster Recovery Plans (DRP)
- 7.14 Participate in Business Continuity (BC) Planning and Exercises
- 7.15 Implement and Manage Physical Security
- 7.16 Address Personnel Safety and Security Concerns

Chapter 8: Software Development Security
- 8.1 Understand and Integrate Security throughout the Software Development Lifecycle (SDLC)
- 8.2 Identify and Apply Security Controls in Development Environments
- 8.3 Assess the Effectiveness of Software Security
- 8.4 Assess Security Impact of Acquired Software

Page 8

- 8.5 Define and Apply Secure Coding Guidelines and Standards

Conclusion

CISSP: A Comprehensive Beginner's Guide to Learn the Realms of Security Risk Management from A-Z using CISSP Principles

Introduction
- How to Use This Book
- A Brief History, Requirements, and Future Prospects
- CISSP Concentration, Education and Examination Options

Chapter One: Security and Risk Management – An Introduction
- Measuring Vulnerabilities
- Threat Actors, Threats, and Threat Rates
- The Cost

Chapter Two: Understand and Apply Concepts of Confidentiality, Integrity, and Availability
- Confidentiality
- Integrity
- Confidentiality

Chapter Three: Evaluate and Apply Security Governance Principles
- In this chapter, you will learn:
- Mission, Goals, and Objectives
- Organizational Processes (acquisitions, divestitures, governance committees)
- Acquisition and Divestitures
- Organizational Roles and Responsibilities
- COBIT
- ISO/IEC 27000
- OCTAVE
- NIST Framework
- Corrective Controls
- Due Care/Due Diligence

Chapter Four: Determining Compliance Requirements
- Contractual, Legal, Industry Standards, and Regulatory Requirements
- Country-Wide Classification
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)

Page 9

- Sarbanes–Oxley Act (SOX)
- Privacy Requirements
- General Data Protection Regulation (GDPR)
- GDPR – Array of Legal Terms
- The Key Regulatory Point

Chapter Five: Understanding Legal and Regulatory Issues
- Cybercrime
- Licensing and Intellectual Property Requirements
- Import/Export Controls
- Trans-Border Data Flow

Chapter Six: Understand, Adhere To, and Promote Professional Ethics
- (ISC)² Code of Professional Ethics Canons
- Organizational Code of Ethics
- Key Components of a Successful Code of Ethics Lineup

Chapter Seven: Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
- Standards
- Procedures
- Guidelines
- Baselines

Chapter Eight: Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
- Develop and Document Scope and Plan
- Planning for the Business Continuity Process
- Business Impact Analysis
- BIA Process
- Recovery Strategy
- Plan Development
- Testing and Exercises

Chapter Nine: Contribute To and Enforce Personnel Security Policies and Procedures
- Candidate Screening and Hiring
- Employment Agreements and Policies
- Onboarding and Termination Processes
- Vendor, Consultant, and Contractor Agreements and Controls
- Compliance Policy Requirements
- Privacy Policy Requirements

Chapter Ten: Understand and Apply Risk Management Concepts
- Identify Threats and Vulnerabilities

Page 10

- Risk Analysis and Assessment
- Risk Response
- Countermeasure Selection and Implementation
- Applicable Types of Controls
- Security Control Assessment (SCA)
- Asset Valuation
- Reporting
- Continuous Improvements
- Risk Frameworks

Chapter Eleven: Understand and Apply Threat Modeling Concepts and Methodologies
- Why Threat Modeling and When?
- Threat Modeling Methodologies, Tools and Techniques
- Other Threat Modeling Tools

Chapter Twelve: Apply Risk-Based Management Concepts to the Supply Chain
- Risks Associated with Hardware, Software, and Services
- Third-Party Assessment and Monitoring
- Minimum Security Requirements
- Service-Level Requirements
- Service Level Agreements
- Operational Level Agreements
- Underpinning Contracts

Chapter Thirteen: Establish and Maintain a Security Awareness, Education, and Training Program
- Methods and Techniques to Present Awareness and Training
- Periodic Content Reviews
- Program Effectiveness Evaluation

Conclusion

References

CISSP: Simple and Effective Strategies to Learn the Fundamentals of Information Security Systems for the CISSP Exam

Introduction

Chapter 1: Security and Risk Management
- Maintaining Confidentiality and Various Requirements
- System Integrity and Availability

Page 11

- Enhancing Security and Designating the Roles
- Identifying and Assessing Threats and Risks
- Risk Terminology
- Risk Management
- Cost/Benefit Analysis
- Controls
- Risk Management Framework
- Business Continuity Management (BCM)

Chapter 2: Telecommunication and Network Security
- Local Area Network (LAN)
- Wide Area Network (WAN)
- OSI Reference Model
- The First Layer: Physical Layer
- Network Topologies
- Cable and Connector Types
- Interface Types
- Networking Equipment
- The Second Layer: Data Link Layer
- Logical Link Control (LLC)
- Media Access Control (MAC)
- Protocols in Local Area Networks and the Transmission Methods
- Protocols in WLAN and WLAN Tech
- Different Protocols and Technologies of WAN
- Point to Point Links
- Circuit Switched Networks
- Packet-Switched Networks
- The Networking Equipment Found in the Data Link Layer
- The Fourth Layer: Transport Layer
- The Fifth Layer: Session Layer
- The Sixth Layer: Presentation Layer
- The Seventh Layer: Application Layer

Chapter 3: Security of Software Development
- Security Workings in Distributed Software
- Working with Agents in Distributed Systems
- Object-Oriented Environments
- Databases
- Types of Databases
- Operating Systems
- Systems Development Life Cycle
- Controlling the Security of Applications
- AV Popping up Everywhere

Page 12

Chapter 4: Cryptography
- The Basics of Cryptography
- The Cryptosystem
- Classes of Ciphers
- The Different Types of Ciphers
- Symmetric and Asymmetric Key Systems

Chapter 5: Operating in a Secure Environment
- Computer Architecture
- Virtualization
- Operating in a Secured Environment
- Recovery Procedures
- Vulnerabilities in Security Architecture
- Security Countermeasures
- Confidentiality
- Integrity
- Availability
- Access Control Models
- Trusted Network Interpretation (TNI)
- European Information Technology Security Evaluation Criteria (ITSEC)

Chapter 6: Business Continuity Planning and Disaster Recovery Planning
- Setting Up a Business Continuity Plan
- Identifying the Elements of a BCP
- Developing the Business Continuity Plan

Conclusion

CISSP: A Comprehensive Guide of Advanced Methods to Learn the CISSP CBK Reference

Introduction
- How to Use this Book
- CISSP Domains, Learning Options, and Examination
- CISSP Domains

Chapter 1: Domain 1 - Security and Risk Management
- The Role of Information and Risk
- Risk, Threat, and Vulnerability
- 1.1 Understand and Apply Concepts of Confidentiality, Integrity, and Availability
- 1.2 Evaluate and Apply Security Governance Principles
- 1.3 Determine Compliance Requirements

Page 13

- 1.4 Understand Legal and Regulatory Issues that pertain to Information Security in a Global Context
- 1.5 Understand, Adhere To and Promote Professional Ethics
- 1.6 Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
- 1.7 Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
- 1.8 Contribute To and Enforce Personnel Security Policies and Procedures
- 1.9 Understand and Apply Risk Management Concepts
- 1.10 Understand and Apply Threat Modeling Concepts and Methodologies
- 1.11 Apply Risk-Based Management Concepts to the Supply Chain
- 1.12 Establish and Maintain a Security Awareness, Education, and Training Program

Chapter 2: Domain 2 - Asset Security
- 2.1 Identify and Classify Information and Assets
- 2.2 Determine and Maintain Information and Asset Ownership
- 2.3 Protect Privacy
- 2.4 Ensure Appropriate Asset Retention
- 2.5 Determine Data Security Controls
- 2.6 Establish Information and Asset Handling Requirements

Chapter 3: Domain 3 - Security Architecture and Engineering
- 3.1 Implement and Manage Engineering Processes using Secure Design Principles
- 3.2 Understand the Fundamental Concepts of Security Models
- 3.3 Select Controls Based Upon Systems Security Requirements
- 3.4 Understand Security Capabilities of Information Systems (e.g., Memory Protection, Trusted Platform Module (TPM), Encryption/Decryption)
- 3.5 Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
- 3.6 Assess and Mitigate Vulnerabilities in Web-Based Systems
- 3.7 Assess and Mitigate Vulnerabilities in Mobile Systems
- 3.8 Assess and Mitigate Vulnerabilities in Embedded Devices
- 3.9 Apply Cryptography
- 3.10 Apply Security Principles to Site and Facility Design
- 3.11 Implement Site and Facility Security Controls

Chapter 4: Domain 4 - Communication and Network Security
- 4.1 Implement Secure Design Principles in Network Architecture
- 4.2 Secure Network Components
- 4.3 Implement Secure Communication Channels According to Design

Chapter 5: Domain 5 - Identity and Access Management (IAM)
- 5.1 Control Physical and Logical Access to Assets
- 5.2 Manage Identification and Authentication of People, Devices, and Services
- 5.3 Integrate Identity as a Third-Party Service
- 5.4 Implement and Manage Authorization Mechanisms
- 5.5 Manage the Identity and Access Provisioning Lifecycle

Page 14

Chapter 6: Domain 6 - Security Assessment and Testing
- 6.1 Design and Validate Assessment, Test, and Audit Strategies
- 6.2 Conducting Security Control Tests
- 6.3 Collect Security Process Data
- 6.4 Analyze Test Output and Generate Reports
- 6.5 Conduct or Facilitate Security Audits

Chapter 7: Domain 7 - Security Operations
- 7.1 Understanding and Support Investigations
- 7.2 Understanding Requirements for Investigation Types
- 7.3 Conduct Logging and Monitoring Activities
- 7.4 Securely Provision Resources
- 7.5 Understand and Apply Foundational Security Operation Concepts
- 7.6 Apply Resource Protection Techniques
- 7.7 Conduct Incident Management
- 7.8 Operate and Maintain Detective and Preventive Measures
- 7.9 Implement and Support Patch and Vulnerability Management
- 7.10 Understanding and Participating in Change Management
- 7.11 Implement Recovery Strategies
- 7.12 Implement Disaster Recovery Process
- 7.13 Disaster Recovery Plans (DRP)
- 7.14 Participate in Business Continuity Planning and Exercises
- 7.15 Implement and Manage Physical Security
- 7.16 Address Personnel Safety and Security Concerns

Chapter 8: Domain 8 - Software Development Security
- 8.1 Understand and Integrate Security Throughout the Software Development Lifecycle (SDLC)
- 8.2 Identify and Apply Security Controls in Development Environments
- 8.3 Assess the Effectiveness of Software Security
- 8.4 Assess Security Impact of Acquired Software
- 8.5 Define and Apply Secure Coding Guidelines and Standards

Conclusion
Page 15

CISSP: A Comprehensive Beginners Guide to Learn and Understand the Realms of CISSP from A-Z

DANIEL JONES
Page 16

Introduction

CISSP: Certified Information Systems Security Professional is the world's premier cyber security certification, issued by (ISC)². The world's leading and largest IT security organization was formed in 1989 as a non-profit organization. The requirement for standardization and for maintaining vendor-neutrality while providing a global competency standard led to the formation of the "International Information Systems Security Certification Consortium", or (ISC)² for short. In 1994, with the launch of the CISSP credential, a door was opened to world-class information security education and certification.

CISSP is a fantastic journey through the world of information security. Building a strong, robust and competitive information security strategy and putting it into practice is a crucial task, and a challenge that is beneficial to the entire organization. CISSP focuses on an in-depth understanding of the components of the critical areas in information security. This certification stands out as proof of the advanced skills and knowledge one possesses in designing, implementing, developing, managing and maintaining a secure environment in an organization.

The learning process and gaining experience are the two main parts of the CISSP path. It is definitely a joyful journey, yet one of the most challenging without proper education and guidelines. The intention of this book is to prepare you for the adventure by providing a summary of the CISSP certification, how it is achieved, and a comprehensive A-Z guide to the domains covered in the certification. This is going to help you get started and become familiar with the CISSP itself, with a bit of history, the benefits, the requirements to become certified, the prospects, and a guide through all the domains, topics and sub-topics that are tested in the exam. After you read this you will have a solid understanding of the topics and will be ready for the next level in the CISSP path.

A Brief History

In 2003, the USA Department of Defense (NSA) adopted the CISSP as a baseline in order to form the ISSEP (Information System Security Engineer Professional) program. Today it is considered one of the CISSP concentrations.

Page 17

CISSP also stands as the most requested security certification on LinkedIn. The most significant milestone it reached was becoming the first information security credential to meet the conditions of ISO/IEC Standard 17024. According to (ISC)², CISSP holders work in more than 160 nations globally. More than 129,000 professionals currently hold the certification, which shows how popular and global this certification is.

Job Prospects

Information security as a career is not a new trend, and the requirements, opportunities and salaries have grown continuously. Becoming an information security (Infosec) professional takes dedication, commitment, learning, experimentation and hands-on experience. Becoming a professional with applied knowledge takes experience, which is a critical factor. There are lots of Infosec programs and certifications worldwide. Among all the certificates, such as CISA, CISM etc., CISSP is known as the elite certification, as well as one of the most challenging, yet rewarding.

The CISSP provides many benefits. Among them, the following stand out:
- Career Advancement
- Vendor-Neutral Skills
- A Solid Foundation
- Expanded Knowledge
- Higher Salary Scale
- Respect among co-workers, peers and employers
- A Wonderful Community of Professionals

The certification is ideal for the following roles:
- Chief Information Officer (CIO/CISO)
Page 18

- Director of Security
- IT Directors
- IT Managers
- Network/Security Architects
- Network/Security Analysts
- Security System Engineers
- Security Auditors
- Security Consultants

Salary Prospects:
- The average yearly salary in the USA is $131,000.
- Expected to grow by 18% from the year 2014 to 2024.

Industry Prospects:
- A high demand in Finance, Professional Services, Defense.
- A growing demand in HealthCare and Retail sectors.

More about the Education Paths and Examination Options

The CISSP concentrates on eight security domains. It critically evaluates the expertise across these domains.
Page 19

Eight Domains and the Weightings

- The CISSP is available in eight languages at 882 locations and in 114 countries around the globe.
- As of December 18, 2017, the English CISSP exam uses Computerized Adaptive Testing (CAT).
- It is provided in several languages: English, French, German, Brazilian Portuguese, etc., and even for the visually impaired.
- Non-English exams are conducted as a linear, fixed-form exam.
- The number of questions in a CAT exam can be between 100 and 150.
- The number of questions in the linear examination is 250.
- The CAT is 3 hours long, while the linear exam is 6 hours long.
- Finally, you need to score 700 points to pass the exam.

CISSP Learning Options and Getting Ready for the Exam
Page 20

There are a handful of options if you would like to learn CISSP from scratch. Here is a list of the options; the selection of a suitable method is up to the student.
- Classroom-Based Training
- Online Instructor-Led
- On-Site
- Online Self-Paced

The classroom-based training is good for the traditional learner who would like to obtain knowledge during instructor-led classroom training in order to interact with the instructor, as well as the rest of the class. An (ISC)² trainer, or an authorized trainer in an (ISC)² office or at an institute of one of the authorized training partners, will take the student through the course with well-structured courseware. The training takes 3-5 days, 8 hours per day, and includes real-world scenarios and case studies.

The online learning option is one of the most popular and cost-effective choices nowadays, as it eliminates travel costs. For people with a busy schedule, this is the best option. The (ISC)² courseware is available for 60 days of access, and an authorized instructor will be available. There are weekday, weekend and other options to choose from, to suit the student's requirements.

If you are looking for corporate training for an organization or an enterprise, (ISC)² provides on-site training. The training is similar to the instructor-led classroom training, and there is also dedicated exam scheduling assistance.

If someone wants to self-learn CISSP at their own convenience, this option is also available. This may be the most popular option for the many students who are geographically dispersed, and it is also the best option to cut costs and time. There is instructor-created HD content, and the materials are equivalent to the classroom content. Interactive games, flash cards and exam simulations are all available in a single place for 120 days if you select (ISC)². There are many other training providers to select from. This option is also suitable for an organization.
The above is a preview of the first 20 pages.