About This E-Book
EPUB is an open, industry-standard format for e-books. However, support for EPUB and its many
features varies across reading devices and applications. Use your device or app settings to customize
the presentation to your liking. Settings that you can customize often include font, font size, single or
double column, landscape or portrait mode, and figures that you can click or tap to enlarge. For
additional information about the settings and features on your reading device or app, visit the device
manufacturer’s Web site.
Many titles include programming code or configuration examples. To optimize the presentation of
these elements, view the e-book in single-column, landscape mode and adjust the font size to the
smallest setting. In addition to presenting code and configurations in the reflowable text format, we
have included images of the code that mimic the presentation found in the print book; therefore, where
the reflowable format may compromise the presentation of the code listing, you will see a “Click here
to view code image” link. Click the link to view the print-fidelity code image. To return to the
previous page viewed, click the Back button on your device or app.
CISSP Cert Guide
Second Edition
Robin Abernathy
Troy McMillan
800 East 96th Street
Indianapolis, Indiana 46240 USA
CISSP Cert Guide, Second Edition
Copyright © 2016 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or
transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without
written permission from the publisher. No patent liability is assumed with respect to the use of the
information contained herein. Although every precaution has been taken in the preparation of this
book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability
assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7897-5518-6
ISBN-10: 0-7897-5518-1
Library of Congress Control Number: 2016940246
Printed in the United States of America
First Printing: June 2016
Editor in Chief
Mark Taub
Acquisitions Editor
Michelle Newcomb
Senior Development Editor
Christopher Cleveland
Managing Editor
Sandra Schroeder
Project Editor
Mandie Frank
Copy Editor
Kitty Wilson
Indexer
Larry Sweazy
Proofreader
The Wordsmithery LLC
Technical Reviewers
Chris Crayton
Troy McMillan
Publishing Coordinator
Vanessa Evans
Cover Designer
Chuti Prasertsith
Compositor
Bronkella Publishing
Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been
appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information.
Use of a term in this book should not be regarded as affecting the validity of any trademark or service
mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no
warranty or fitness is implied. The information provided is on an “as is” basis. The author and the
publisher shall have neither liability nor responsibility to any person or entity with respect to any loss
or damages arising from the information contained in this book or from the use of the CD or programs
accompanying it.
Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which
may include electronic versions; custom cover designs; and content particular to your business,
training goals, marketing focus, or branding interests), please contact our corporate sales department
at
Contents at a Glance
Introduction
Chapter 1 Security and Risk Management
Chapter 2 Asset Security
Chapter 3 Security Engineering
Chapter 4 Communication and Network Security
Chapter 5 Identity and Access Management
Chapter 6 Security Assessment and Testing
Chapter 7 Security Operations
Chapter 8 Software Development Security
Glossary
Appendix A Memory Tables
Appendix B Memory Tables Answer Key
Index
Table of Contents
Introduction
The Goals of the CISSP Certification
Sponsoring Bodies
Stated Goals
The Value of the CISSP Certification
To the Security Professional
To the Enterprise
The Common Body of Knowledge
Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)
Asset Security (Protecting Security of Assets)
Security Engineering (Engineering and Management of Security)
Communication and Network Security (Designing and Protecting Network Security)
Identity and Access Management (Controlling Access and Managing Identity)
Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
Security Operations (e.g., Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
Software Development Security (Understanding, Applying, and Enforcing Software Security)
Steps to Becoming a CISSP
Qualifying for the Exam
Signing Up for the Exam
About the CISSP Exam
Chapter 1 Security and Risk Management
Security Terms
CIA
Confidentiality
Integrity
Availability
Default Stance
Defense in Depth
Job Rotation
Separation of Duties
Security Governance Principles
Security Function Alignment
Organizational Strategy and Goals
Organizational Mission and Objectives
Business Case
Security Budget, Metrics, and Effectiveness
Resources
Organizational Processes
Acquisitions and Divestitures
Governance Committees
Security Roles and Responsibilities
Board of Directors
Management
Audit Committee
Data Owner
Data Custodian
System Owner
System Administrator
Security Administrator
Security Analyst
Application Owner
Supervisor
User
Auditor
Control Frameworks
ISO/IEC 27000 Series
Zachman Framework
The Open Group Architecture Framework (TOGAF)
Department of Defense Architecture Framework (DoDAF)
British Ministry of Defence Architecture Framework (MODAF)
Sherwood Applied Business Security Architecture (SABSA)
Control Objectives for Information and Related Technology (CobiT)
National Institute of Standards and Technology (NIST) Special Publication (SP)
Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
Information Technology Infrastructure Library (ITIL)
Six Sigma
Capability Maturity Model Integration (CMMI)
CCTA Risk Analysis and Management Method (CRAMM)
Top-Down Versus Bottom-Up Approach
Security Program Life Cycle
Due Care
Due Diligence
Compliance
Legislative and Regulatory Compliance
Privacy Requirements Compliance
Legal and Regulatory Issues
Computer Crime Concepts
Computer-Assisted Crime
Computer-Targeted Crime
Incidental Computer Crime
Computer Prevalence Crime
Hackers Versus Crackers
Computer Crime Examples
Major Legal Systems
Civil Code Law
Common Law
Criminal Law
Civil/Tort Law
Administrative/Regulatory Law
Customary Law
Religious Law
Mixed Law
Licensing and Intellectual Property
Patent
Trade Secret
Trademark
Copyright
Software Piracy and Licensing Issues
Internal Protection
Digital Rights Management (DRM)
Import/Export Controls
Trans-Border Data Flow
Privacy
Personally Identifiable Information (PII)
Laws and Regulations
Data Breaches
Professional Ethics
(ISC)² Code of Ethics
Computer Ethics Institute
Internet Architecture Board
Organizational Ethics
Security Documentation
Policies
Organizational Security Policy
System-Specific Security Policy
Issue-Specific Security Policy
Policy Categories
Standards
Baselines
Guidelines
Procedures
Business Continuity
Business Continuity and Disaster Recovery Concepts
Disruptions
Disasters
Disaster Recovery and the Disaster Recovery Plan (DRP)
Continuity Planning and the Business Continuity Plan (BCP)
Business Impact Analysis (BIA)
Contingency Plan
Availability
Reliability
Project Scope and Plan
Personnel Components
Project Scope
Business Continuity Steps
Business Impact Analysis Development
Identify Critical Processes and Resources
Identify Outage Impacts, and Estimate Downtime
Identify Resource Requirements
Identify Recovery Priorities