About This E-Book

EPUB is an open, industry-standard format for e-books. However, support for EPUB and its many features varies across reading devices and applications. Use your device or app settings to customize the presentation to your liking. Settings that you can customize often include font, font size, single or double column, landscape or portrait mode, and figures that you can click or tap to enlarge. For additional information about the settings and features on your reading device or app, visit the device manufacturer’s Web site.

Many titles include programming code or configuration examples. To optimize the presentation of these elements, view the e-book in single-column, landscape mode and adjust the font size to the smallest setting. In addition to presenting code and configurations in the reflowable text format, we have included images of the code that mimic the presentation found in the print book; therefore, where the reflowable format may compromise the presentation of the code listing, you will see a “Click here to view code image” link. Click the link to view the print-fidelity code image. To return to the previous page viewed, click the Back button on your device or app.

CISSP Cert Guide
Second Edition

Robin Abernathy
Troy McMillan

800 East 96th Street
Indianapolis, Indiana 46240 USA

CISSP Cert Guide, Second Edition
Copyright © 2016 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7897-5518-6
ISBN-10: 0-7897-5518-1
Library of Congress Control Number: 2016940246
Printed in the United States of America
First Printing: June 2016

Editor in Chief: Mark Taub
Acquisitions Editor: Michelle Newcomb
Senior Development Editor: Christopher Cleveland
Managing Editor: Sandra Schroeder
Project Editor: Mandie Frank
Copy Editor: Kitty Wilson
Indexer: Larry Sweazy
Proofreader: The Wordsmithery LLC
Technical Reviewers: Chris Crayton, Troy McMillan
Publishing Coordinator: Vanessa Evans
Cover Designer: Chuti Prasertsith
Compositor: Bronkella Publishing

Trademarks

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.
Special Sales

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at

Contents at a Glance

Introduction
Chapter 1 Security and Risk Management
Chapter 2 Asset Security
Chapter 3 Security Engineering
Chapter 4 Communication and Network Security
Chapter 5 Identity and Access Management
Chapter 6 Security Assessment and Testing
Chapter 7 Security Operations
Chapter 8 Software Development Security
Glossary
Appendix A Memory Tables
Appendix B Memory Tables Answer Key
Index

Table of Contents

Introduction
    The Goals of the CISSP Certification
        Sponsoring Bodies
        Stated Goals
    The Value of the CISSP Certification
        To the Security Professional
        To the Enterprise
    The Common Body of Knowledge
        Security and Risk Management (e.g. Security, Risk, Compliance, Law, Regulations, Business Continuity)
        Asset Security (Protecting Security of Assets)
        Security Engineering (Engineering and Management of Security)
        Communication and Network Security (Designing and Protecting Network Security)
        Identity and Access Management (Controlling Access and Managing Identity)
        Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
        Security Operations (e.g.
Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
        Software Development Security (Understanding, Applying, and Enforcing Software Security)
    Steps to Becoming a CISSP
        Qualifying for the Exam
        Signing Up for the Exam
    About the CISSP Exam

Chapter 1 Security and Risk Management
    Security Terms
        CIA
            Confidentiality
            Integrity
            Availability
        Default Stance
        Defense in Depth
        Job Rotation
        Separation of Duties
    Security Governance Principles
        Security Function Alignment
            Organizational Strategy and Goals
            Organizational Mission and Objectives
            Business Case
            Security Budget, Metrics, and Effectiveness
            Resources
        Organizational Processes
            Acquisitions and Divestitures
            Governance Committees
        Security Roles and Responsibilities
            Board of Directors
            Management
            Audit Committee
            Data Owner
            Data Custodian
            System Owner
            System Administrator
            Security Administrator
            Security Analyst
            Application Owner
            Supervisor
            User
            Auditor
        Control Frameworks
            ISO/IEC 27000 Series
            Zachman Framework
            The Open Group Architecture Framework (TOGAF)
            Department of Defense Architecture Framework (DoDAF)
            British Ministry of Defence Architecture Framework (MODAF)
            Sherwood Applied Business Security Architecture (SABSA)
            Control Objectives for Information and Related Technology (CobiT)
            National Institute of Standards and Technology (NIST) Special Publication (SP)
            Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
            Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
            Information Technology Infrastructure Library (ITIL)
            Six Sigma
            Capability Maturity Model Integration (CMMI)
            CCTA Risk Analysis and Management Method (CRAMM)
            Top-Down Versus Bottom-Up Approach
            Security Program Life Cycle
        Due Care
        Due Diligence
    Compliance
        Legislative and Regulatory Compliance
        Privacy Requirements Compliance
    Legal and Regulatory Issues
        Computer Crime Concepts
            Computer-Assisted Crime
            Computer-Targeted Crime
            Incidental Computer Crime
            Computer Prevalence Crime
            Hackers Versus Crackers
            Computer Crime Examples
        Major Legal Systems
            Civil Code Law
            Common Law
                Criminal Law
                Civil/Tort Law
                Administrative/Regulatory Law
            Customary Law
            Religious Law
            Mixed Law
        Licensing and Intellectual Property
            Patent
            Trade Secret
            Trademark
            Copyright
            Software Piracy and Licensing Issues
            Internal Protection
            Digital Rights Management (DRM)
        Import/Export Controls
        Trans-Border Data Flow
        Privacy
            Personally Identifiable Information (PII)
            Laws and Regulations
        Data Breaches
    Professional Ethics
        (ISC)² Code of Ethics
        Computer Ethics Institute
        Internet Architecture Board
        Organizational Ethics
    Security Documentation
        Policies
            Organizational Security Policy
            System-Specific Security Policy
            Issue-Specific Security Policy
            Policy Categories
        Standards
        Baselines
        Guidelines
        Procedures
    Business Continuity
        Business Continuity and Disaster Recovery Concepts
            Disruptions
            Disasters
            Disaster Recovery and the Disaster Recovery Plan (DRP)
            Continuity Planning and the Business Continuity Plan (BCP)
            Business Impact Analysis (BIA)
            Contingency Plan
            Availability
            Reliability
        Project Scope and Plan
            Personnel Components
            Project Scope
            Business Continuity Steps
        Business Impact Analysis Development
            Identify Critical Processes and Resources
            Identify Outage Impacts, and Estimate Downtime
            Identify Resource Requirements
            Identify Recovery Priorities