Certified Information Systems Security Professional (CISSP) Updated 2018



Disclaimer: Tech-Act is an independent training services provider. Any use of third party trademarks, brand names, products and services is only referential. Tech-Act disclaims any sponsorship, affiliation or endorsement of or by any third parties. Tech-Act is an authorized training partner only where explicitly stated and as listed here.




Certified Information Systems Security Professional (CISSP)


About This Course

The International Information System Security Certification Consortium, or (ISC)², is one of the pioneers in providing information security certifications. The consortium is dedicated to helping IT professionals learn and grow vocationally in the IT landscape. With more than 130,000 certifications handed out until now, (ISC)² intends to authorize professionals in every facet of information and network security.

CISSP, or the Certified Information Systems Security Professional certificate, is regarded as the industry standard in the information security ecosystem. The certification program helps you become an expert in information assurance who is skilled enough to define each aspect of information security, including controls, management, design and architecture. The course serves as a stepping stone for a number of professionals in the field of IT security.

The CISSP certification not only reflects a validation of excellence, but is also a globally acclaimed and accepted authentication for IT security. Tech-Act offers comprehensive CISSP coursework for all professionals who aspire to gain the knowledge to design, manage, architect and control enterprise IT security. CISSP certified professionals are in great demand by businesses worldwide when it comes to dealing with cyberattacks and security threats.


Who Should Attend This Course

CISSP is a globally accepted certification and is perfect for:

  • Network architects
  • Chief information security professionals
  • Security and systems engineers
  • IT managers/directors
  • Security architects/auditors
  • Security managers/consultants

Why This Course

The CISSP certification program reflects a proof of excellence and is globally accepted when it comes to IT security. The comprehensive coursework is excellent for those who wish to learn and hone the knowledge to manage, design, control and architect enterprise IT security systems. Most importantly, CISSP certified experts are in huge demand by organizations across the globe in order to tackle the menace of security threats and various cyberattacks.

Here’s why:

  • Globally recognized
  • Validates a person’s skillsets in understanding all aspects of information security
  • Operational security and recovery concepts
  • Membership access to the International Information Systems Security Certification Consortium.
  • Compliance requisites
  • Planning a secure IT infra and environment
  • Learn to safeguard resources utilizing access controls and cryptography
  • Improved job prospects in IT security domain

Did you know that CISSP certified professionals earn an average salary of around $121,923 per annum? (Source: itcareerfinder.com)


Course Objectives

Tech-Act’s CISSP certification program is designed keeping in mind (ISC)² CBK 2015 exam requirements. The program helps you learn industry best IT security practices. It lets you develop skills to design, build and maintain a secure enterprise IT network using globally accepted and industry standard information security concepts.

Upon completing the course, you will:

  • Learn relevant and industry specific skills to pass the CISSP exam
  • Be trained to design, manage and build a secure enterprise IT environment.

Course Prerequisites

The CISSP certification training is aimed at professionals who desire to gain a competitive edge in the information security domain. (ISC)² recommends having at least 5 years of professional experience in two or more of the eight domains of CBK 2015.

You can earn a one-year waiver with a four-year college degree or equivalent.


Course Benefits


Key benefits of CISSP include:

  • Validates a person’s skillsets in understanding all aspects of information security
  • Globally recognized
  • Improved job prospects in IT security domain
  • Membership access to the International Information Systems Security Certification Consortium.
  • Learn to safeguard resources utilizing access controls and cryptography
  • Planning a secure IT infra and environment
  • Compliance requisites
  • Operational security and recovery concepts

Curriculum


Security and Risk Management

Overview

This section gives information on Certified Information Systems Security Professional (CISSP) certification. It demonstrates that the holder has been working in IT Security for over five years, has a broad range of knowledge in ten domains related to creating, supporting and maintaining a secure IT infrastructure and can implement things like risk management and risk identification.

Security Governance

This section covers the three pillars of security: confidentiality, integrity and availability. It explains how to apply security governance principles through alignment of security functions to an organization's strategy, goals, mission and objectives.

Compliance

This section discusses the legislative and regulatory compliance, and privacy requirements compliance. It explains legal and regulatory issues that pertain to information security in a global context such as computer crimes, licensing, intellectual property, import and export controls, privacy and data breaches.

Code of Ethics

This section discusses professional ethics. It explains the (ISC)² Code of Ethics and demonstrates how it applies as a CISSP, as well as an organization's code of ethics. It also covers security policies, standards, procedures, and guidelines.

Business Continuity

This section explains business continuity requirements. It covers the concept of developing and documenting project scope and plan.

Personnel Security

This section discusses several types of personnel security policies. It covers employment candidate screening, like reference checks and education verification. It also explains employment agreements and policies and the termination process.

Risk Management

This section covers risk management concepts. It explains some terminology such as risk assessment methodologies and ways to perform risk analysis. It discusses the different types of controls available, and control categories.

Threat Modeling

This section covers threat modeling. It discusses the penetration testing methodology and some resources that can be helpful in threat modeling.

Acquisition Risk Strategy

This section explains integrating risk assessment into acquisition strategies, like hardware purchases as well as outsourcing. It discusses the importance of auditing vendors and having service level agreements.

Asset Security

Asset Classification

This section covers asset security. It explains the need for classification and describes different classification systems. It discusses data ownership and data classification.

Protect Privacy

This section discusses protecting the privacy of information. It explains the importance of privacy policies, boundaries for data usage, data owners, data custodians and their responsibilities.

Retention and Data Security

This section discusses retention policies for data, hardware and even personnel. It explains the importance of aligning these policies with business requirements.

Data Handling Requirements

This section discusses data handling requirements and retention policies. It explains data at rest and data in transit, and the different ways to protect it. It also covers encryption as a method to protect data, both at rest and in transit.

Security Engineering

Secure Design Principles

This section covers implementing and managing the engineering processes using secure design principles. It discusses the role of a CISSP in the system engineering process, and standards from NIST and ISO.

Security Model Concepts

This section covers system components like processors and memory, and the need for secure system design. It discusses system security architecture and enterprise security architecture.

Controls and Capabilities

This section discusses what a control is and its standards. It explains the controls specified by ISO 27002 and PCI-DSS.

Assess Vulnerabilities

This section discusses assessing and mitigating vulnerabilities related to security architecture. It covers hardware failure, privilege misuse, emanation threats, race conditions, covert channels, and centralized and decentralized architecture.

Apply Cryptography

This section covers how cryptography is applied. It discusses the future of cryptography, quantum cryptography. It explains the application of public key infrastructure (PKI) and a certificate services hierarchy.

Physical Security

This section discusses physical security and secure site design. It explains defining boundaries and determining what needs to be protected. It also covers different controls used for physical security, like cameras, fences and fire suppression systems.

Communication and Network Security

Secure Network Design

This section discusses secure network design, such as the OSI model. It explains the different layers and protocols.

IP Networking and Protocols

This section covers IP addressing such as IPv4 and IPv6 addresses. It also discusses port numbers and how they are used in communication.

Securing Network Devices

This section discusses securing network devices. It covers the risks associated with modems, switches and routers. It also explains stateful and stateless firewalls, transmission media and technologies like proxy, NAT and PAT.

Secure Communications

This section covers secure communication channels. It discusses risks in communication channels and the ways to protect communications using various tunneling technologies, like PPTP, L2TP, IPSec and RADIUS.

Mitigate Network Attacks

This section discusses the ways to secure network communications to mitigate many network attacks. It explains the importance of defense in depth and defines the four phases of an attack.

Identity and Access Management

Identification and Authorization

This section discusses the concepts of identity and access management (IAM). It talks about the process of identifying, authenticating and authorizing a subject. It also explains the identity lifecycle, and the concept of single sign-on.

Manage Authentication

This section covers authentication. It explains Kerberos and the importance of time sync and NTP. It discusses hard tokens, soft tokens, OTP tokens, out-of-band tokens, and biometrics.

Assessment and Testing

This section discusses the importance of assessment, and also the importance of determining the root cause when analyzing the results.

Security Operations

Investigations

This section discusses how to respond to a security incident. It talks about identifying and securing evidence at a crime scene. It also explains preserving evidence through an investigation, and concepts like chain of custody and Locard’s Exchange Principle.

Secure Operations Concepts

This section discusses secure operations concepts. It talks about Intrusion Detection Systems and Intrusion Prevention Systems. It covers data loss prevention and service level agreements.

Resource Protection

This section discusses implementing safeguards to protect the media used to store data. It talks about encryption for both data at rest and data in motion.

Incident Management

This section talks about incident management and incident response. It explains the five critical components of incident response – detect, determine, minimize, resolve, and document.

Preventative Measures

This section discusses preventative measures. It explains making sure that the preventative measures in place are appropriate for a specific risk and that they are working as expected.

Recovery Strategies

This section covers recovery strategies used to recover after an incident. It explains key terms and concepts like recovery point and recovery time objectives, and maximum tolerable downtime. It also discusses different types of backups and their use.

Physical / Personnel Security

This section talks about physical security and personnel security. It explains physical access controls like man traps. It also talks about the importance of protecting our most valuable resource, our personnel.

Software Development Security

Software Dev Security

This section discusses applying security in the software development life cycle. It explains the concept of securing early and often. It also covers the development phases, project initiation and planning, and system design specifications.

Schedule & Fees


Online Instructor Led Certified Information Systems Security Professional (CISSP) Updated 2018 Certification Training


Please contact us for more information on course fees and upcoming batch schedule.

Course FAQ


Why Tech-Act for CISSP?

  • Certified team of trainers
  • Good practical exposure
  • Industry grade learning amenities
  • Comprehensive exam centric coursework
  • Online and traditional classroom option available.

Do you have certified trainers onboard?

  • Yes, all our CISSP trainers are certified and have more than a decade of industry-relevant experience.

What are the benefits of CISSP?

Primary benefits of CISSP:

  • Globally recognized
  • Validates a person’s skillsets in understanding all aspects of information security
  • Learn to safeguard resources utilizing access controls and cryptography
  • Compliance requisites
  • Operational security and recovery concepts
  • Improved job prospects in IT security domain
  • Planning a secure IT infra and environment
  • Membership access to the International Information Systems Security Certification Consortium.

What are the eligibility criteria to enroll?

CISSP is a globally recognized certification, perfect for:

  • Chief information security professionals
  • Network architects
  • Security managers/consultants
  • Security architects/auditors
  • IT managers/directors
  • Security and systems engineers
