Produktbild: The Official (ISC)2 CISSP CBK Reference
- 11%

The Official (ISC)2 CISSP CBK Reference

11% sparen

79,99 € UVP 89,90 €

inkl. gesetzl. MwSt., Versandkostenfrei

Lieferung nach Hause

Beschreibung

Produktdetails

Einband

Gebundene Ausgabe

Erscheinungsdatum

11.11.2021

Verlag

John Wiley & Sons

Seitenzahl

672

Maße (L/B/H)

24/19,6/3,7 cm

Gewicht

1262 g

Auflage

6. Auflage

Sprache

Englisch

ISBN

978-1-119-78999-4

Beschreibung

Produktdetails

Einband

Gebundene Ausgabe

Erscheinungsdatum

11.11.2021

Verlag

John Wiley & Sons

Seitenzahl

672

Maße (L/B/H)

24/19,6/3,7 cm

Gewicht

1262 g

Auflage

6. Auflage

Sprache

Englisch

ISBN

978-1-119-78999-4

EU-Ansprechpartner

Zeitfracht Medien GmbH
Ferdinand-Jühlke-Straße 7
99095 Erfurt
DE
produktsicherheit@zeitfracht.de

Herstelleradresse

Wiley & Sons
1 Oldlands Way
PO22 9NQ Bognor Regis
GB
trade@wiley.com

Noch keine Bewertungen vorhanden

Verfassen Sie die erste Bewertung zu diesem Artikel

Helfen Sie anderen Kundinnen und Kunden durch Ihre Meinung.

Kundinnen und Kunden meinen

Bewertungen (0)

Die Leseprobe wird geladen.
  • Produktbild: The Official (ISC)2 CISSP CBK Reference
  • Foreword xix
    Introduction xxi

    Domain 1: Security and Risk Management 1
    Understand, Adhere to, and Promote Professional Ethics 2
    (ISC)2 Code of Professional Ethics 2
    Organizational Code of Ethics 3
    Understand and Apply Security Concepts 4
    Confidentiality 4
    Integrity 5
    Availability 6
    Limitations of the CIA Triad 7
    Evaluate and Apply Security Governance Principles 8
    Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives 9
    Organizational Processes 10
    Organizational Roles and Responsibilities 14
    Security Control Frameworks 15
    Due Care and Due Diligence 22
    Determine Compliance and Other Requirements 23
    Legislative and Regulatory Requirements 23
    Industry Standards and Other Compliance Requirements 25
    Privacy Requirements 27
    Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context 28
    Cybercrimes and Data Breaches 28
    Licensing and Intellectual Property Requirements 36
    Import/Export Controls 39
    Transborder Data Flow 40
    Privacy 41
    Understand Requirements for Investigation Types 48
    Administrative 49
    Criminal 50
    Civil 52
    Regulatory 53
    Industry Standards 54
    Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 55
    Policies 55
    Standards 56
    Procedures 57
    Guidelines 57
    Identify, Analyze, and Prioritize Business Continuity Requirements 58
    Business Impact Analysis 59
    Develop and Document the Scope and the Plan 61
    Contribute to and Enforce Personnel Security Policies and Procedures 63
    Candidate Screening and Hiring 63
    Employment Agreements and Policies 64
    Onboarding, Transfers, and Termination Processes 65
    Vendor, Consultant, and Contractor Agreements and Controls 67
    Compliance Policy Requirements 67
    Privacy Policy Requirements 68
    Understand and Apply Risk Management Concepts 68
    Identify Threats and Vulnerabilities 68
    Risk Assessment 70
    Risk Response/Treatment 72
    Countermeasure Selection and Implementation 73
    pplicable Types of Controls 75
    Control Assessments 76
    Monitoring and Measurement 77
    Reporting 77
    Continuous Improvement 78
    Risk Frameworks 78
    Understand and Apply Threat Modeling Concepts and Methodologies 83
    Threat Modeling Concepts 84
    Threat Modeling Methodologies 85
    Apply Supply Chain Risk Management Concepts 88
    Risks Associated with Hardware, Software, and Services 88
    Third-Party Assessment and Monitoring 89
    Minimum Security Requirements 90
    Service-Level
    Requirements 90
    Frameworks 91
    Establish and Maintain a Security Awareness, Education, and Training Program 92
    Methods and Techniques to Present Awareness and Training 93
    Periodic Content Reviews 94
    Program Effectiveness Evaluation 94
    Summary 95

    Domain 2: Asset Security 97
    Identify and Classify Information and Assets 97
    Data Classification and Data Categorization 99
    Asset Classification 101
    Establish Information and Asset Handling Requirements 104
    Marking and Labeling 104
    Handling 105
    Storage 105
    Declassification 106
    Provision Resources Securely 108
    Information and Asset Ownership 108
    Asset Inventory 109
    Asset Management 112
    Manage Data Lifecycle 115
    Data Roles 116
    Data Collection 120
    Data Location 120
    Data Maintenance 121
    Data Retention 122
    Data Destruction 123
    Data Remanence 123
    Ensure Appropriate Asset Retention 127
    Determining Appropriate Records Retention 129
    Records Retention Best Practices 130
    Determine Data Security Controls and Compliance Requirements 131
    Data States 133
    Scoping and Tailoring 135
    Standards Selection 137
    Data Protection Methods 141
    Summary 144

    Domain 3: Security Architecture and Engineering 147
    Research, Implement, and Manage Engineering Processes Using Secure Design Principles 149
    ISO/IEC 19249 150
    Threat Modeling 157
    Secure Defaults 160
    Fail Securely 161
    Separation of Duties 161
    Keep It Simple 162
    Trust, but Verify 162
    Zero Trust 163
    Privacy by Design 165
    Shared Responsibility 166
    Defense in Depth 167
    Understand the Fundamental Concepts of Security Models 168
    Primer on Common Model Components 168
    Information Flow Model 169
    Noninterference Model 169
    Bell-LaPadula Model 170
    iba Integrity Model 172
    Clark-Wilson Model 173
    Brewer-Nash Model 173
    Take-Grant Model 175
    Select Controls Based Upon Systems Security Requirements 175
    Understand Security Capabilities of Information Systems 179
    Memory Protection 180
    Secure Cryptoprocessor 182
    Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 187
    Client-Based Systems 187
    Server-Based Systems 189
    Database Systems 191
    Cryptographic Systems 194
    Industrial Control Systems 200
    Cloud-Based Systems 203
    Distributed Systems 207
    Internet of Things 208
    Microservices 212
    Containerization 214
    Serverless 215
    Embedded Systems 216
    High-Performance Computing Systems 219
    Edge Computing Systems 220
    Virtualized Systems 221
    Select and Determine Cryptographic Solutions 224
    Cryptography Basics 225
    Cryptographic Lifecycle 226
    Cryptographic Methods 229
    Public Key Infrastructure 243
    Key Management Practices 246
    Digital Signatures and Digital Certificates 250
    Nonrepudiation 252
    Integrity 253
    Understand Methods of Cryptanalytic Attacks 257
    Brute Force 258
    Ciphertext Only 260
    Known Plaintext 260
    Chosen Plaintext Attack 260
    Frequency Analysis 261
    Chosen Ciphertext 261
    Implementation Attacks 261
    Side-Channel Attacks 261
    Fault Injection 263
    Timing Attacks 263
    Man-in-the-Middle 263
    Pass the Hash 263
    Kerberos Exploitation 264
    Ransomware 264
    Apply Security Principles to Site and Facility Design 265
    Design Site and Facility Security Controls 265
    Wiring Closets/Intermediate Distribution Facilities 266
    Server Rooms/Data Centers 267
    Media Storage Facilities 268
    Evidence Storage 269
    Restricted and Work Area Security 270
    Utilities and Heating, Ventilation, and Air Conditioning 272
    Environmental Issues 275
    Fire Prevention, Detection, and Suppression 277
    Summary 281

    Domain 4: Communication and Network Security 283
    Assess and Implement Secure Design Principles in Network Architectures 283
    Open System Interconnection and Transmission Control Protocol/Internet Protocol Models 285
    The OSI Reference Model 286
    The TCP/IP Reference Model 299
    Internet Protocol Networking 302
    Secure Protocols 311
    Implications of Multilayer Protocols 313
    Converged Protocols 315
    Microsegmentation 316
    Wireless Networks 319
    Cellular Networks 333
    Content Distribution Networks 334
    Secure Network Components 335
    Operation of Hardware 335
    Repeaters, Concentrators, and Amplifiers 341
    Hubs 341
    Bridges 342
    Switches 342
    Routers 343
    ateways 343
    Proxies 343
    Transmission Media 345
    Network Access Control 352
    Endpoint Security 354
    Mobile Devices 355
    Implement Secure Communication Channels According to Design 357
    Voice 357
    Multimedia Collaboration 359
    Remote Access 365
    Data Communications 371
    Virtualized Networks 373
    Third-Party
    Connectivity 374
    Summary 374

    Domain 5: Identity and Access Management 377
    Control Physical and Logical Access to Assets 378
    Access Control Definitions 378
    Information 379
    Systems 380
    Devices 381
    Facilities 383
    Applications 386
    Manage Identification and Authentication of People, Devices, and Services 387
    Identity Management Implementation 388
    Single/Multifactor Authentication 389
    Accountability 396
    Session Management 396
    Registration, Proofing, and Establishment of Identity 397
    Federated Identity Management 399
    Credential Management Systems 399
    Single Sign-On 400
    Just-In-Time 401
    Federated Identity with a Third-Party Service 401
    On Premises 402
    Cloud 403
    Hybrid 403
    Implement and Manage Authorization Mechanisms 404
    Role-Based Access Control 405
    Rule-Based Access Control 405
    Mandatory Access Control 406
    Discretionary Access Control 406
    Attribute-Based Access Control 407
    Risk-Based Access Control 408
    Manage the Identity and Access Provisioning Lifecycle 408
    Account Access Review 409
    Account Usage Review 411
    Provisioning and Deprovisioning 411
    Role Definition 412
    Privilege Escalation 413
    Implement Authentication Systems 414
    OpenID Connect/Open Authorization 414
    Security Assertion Markup Language 415
    Kerberos 416
    Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus 417
    Summary 418

    Domain 6: Security Assessment and Testing 419
    Design and Validate Assessment, Test, and Audit Strategies 420
    Internal 421
    External 422
    Third-Party 423
    Conduct Security Control Testing 423
    Vulnerability Assessment 423
    Penetration Testing 428
    Log Reviews 435
    Synthetic Transactions 435
    Code Review and Testing 436
    Misuse Case Testing 437
    Test Coverage Analysis 438
    Interface Testing 439
    Breach Attack Simulations 440
    Compliance Checks 441
    Collect Security Process Data 442
    Technical Controls and Processes 443
    Administrative Controls 443
    Account Management 444
    Management Review and Approval 445
    Management Reviews for Compliance 446
    Key Performance and Risk Indicators 447
    Backup Verification Data 450
    Training and Awareness 450
    Disaster Recovery and Business Continuity 451
    Analyze Test Output and Generate Report 452
    Typical Audit Report Contents 453
    Remediation 454
    Exception Handling 455
    Ethical Disclosure 456
    Conduct or Facilitate Security Audits 458
    Designing an Audit Program 458
    Internal Audits 459
    External Audits 460
    Third-Party Audits 460
    Summary 461

    Domain 7: Security Operations 463
    Understand and Comply with Investigations 464
    Evidence Collection and Handling 465
    Reporting and Documentation 467
    Investigative Techniques 469
    Digital Forensics Tools, Tactics, and Procedures 470
    Artifacts 475
    Conduct Logging and Monitoring Activities 478
    Intrusion Detection and Prevention 478
    Security Information and Event Management 480
    Continuous Monitoring 481
    Egress Monitoring 483
    Log Management 484
    Threat Intelligence 486
    User and Entity Behavior Analytics 488
    Perform Configuration Management 489
    Provisioning 490
    Asset Inventory 492
    aselining 492
    Automation 493
    Apply Foundational Security Operations Concepts 494
    Need-to-Know/Least Privilege 494
    Separation of Duties and Responsibilities 495
    Privileged Account Management 496
    Job Rotation 498
    Service-Level
    Agreements 498
    Apply Resource Protection 499
    Media Management 500
    Media Protection Techniques 501
    Conduct Incident Management 502
    Incident Management Plan 503
    Detection 505
    Response 506
    Mitigation 507
    Reporting 508
    Recovery 510
    Remediation 510
    Lessons Learned 511
    Operate and Maintain Detective and Preventative Measures 511
    Firewalls 512
    Intrusion Detection Systems and Intrusion Prevention Systems 514
    Whitelisting/Blacklisting 515
    Third-Party-Provided Security Services 515
    Sandboxing 517
    Honeypots/Honeynets 517
    Anti-malware 518
    Machine Learning and Artificial Intelligence Based Tools 518
    Implement and Support Patch and Vulnerability Management 519
    Patch Management 519
    Vulnerability Management 521
    Understand and Participate in Change Management Processes 522
    Implement Recovery Strategies 523
    Backup Storage Strategies 524
    Recovery Site Strategies 527
    Multiple Processing Sites 527
    System Resilience, High Availability, Quality of Service, and Fault Tolerance 528
    Implement Disaster Recovery Processes 529
    Response 529
    Personnel 530
    Communications 531
    Assessment 532
    Restoration 533
    Training and Awareness 534
    Lessons Learned 534
    Test Disaster Recovery Plans 535
    Read-through/Tabletop 536
    Walkthrough 536
    Simulation 537
    Parallel 537
    Full Interruption 537
    Participate in Business Continuity Planning and Exercises 538
    Implement and Manage Physical Security 539
    Perimeter Security Controls 541
    Internal Security Controls 543
    Address Personnel Safety and Security Concerns 545
    Travel 545
    Security Training and Awareness 546
    Emergency Management 546
    Duress 547
    Summary 548

    Domain 8: Software Development Security 549
    Understand and Integrate Security in the Software Development Life Cycle (SDLC) 550
    Development Methodologies 551
    Maturity Models 561
    Operation and Maintenance 567
    Change Management 568
    Integrated Product Team 571
    Identify and Apply Security Controls in Software Development Ecosystems 572
    Programming Languages 572
    Libraries 577
    Toolsets 578
    Integrated Development Environment 579
    Runtime 580
    Continuous Integration and Continuous Delivery 581
    Security Orchestration, Automation, and Response 583
    Software Configuration Management 585
    Code Repositories 586
    Application Security Testing 588
    Assess the Effectiveness of Software Security 590
    Auditing and Logging of Changes 590
    Risk Analysis and Mitigation 595
    Assess Security Impact of Acquired Software 599
    Commercial Off-the-Shelf 599
    Open Source 601
    Third-Party 602
    Managed Services (SaaS, IaaS, PaaS) 602
    Define and Apply Secure Coding Guidelines and Standards 604
    Security Weaknesses and Vulnerabilities at the Source-Code Level 605
    Security of Application Programming Interfaces 613
    API Security Best Practices 613
    Secure Coding Practices 618
    Software-Defined Security 621

    Summary 624
    Index 625