Zum Hauptinhalt springen
Dekorationsartikel gehören nicht zum Leistungsumfang.
The Official (ISC)2 CISSP CBK Reference
Buch von Aaron Kraus (u. a.)
Sprache: Englisch

102,95 €*

inkl. MwSt.

Versandkostenfrei per Post / DHL

Lieferzeit 1-2 Wochen

Kategorien:
Beschreibung
The only official, comprehensive reference guide to the CISSP

Thoroughly updated for 2021 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)² for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)², the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.

This CBK covers the current eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Revised and updated by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:
* Common and good practices for each objective
* Common vocabulary and definitions
* References to widely accepted computing standards
* Highlights of successful approaches through case studies

Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.
The only official, comprehensive reference guide to the CISSP

Thoroughly updated for 2021 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)² for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)², the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.

This CBK covers the current eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Revised and updated by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:
* Common and good practices for each objective
* Common vocabulary and definitions
* References to widely accepted computing standards
* Highlights of successful approaches through case studies

Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.
Inhaltsverzeichnis

Foreword xix

Introduction xxi

Domain 1: Security and Risk Management 1

Understand, Adhere to, and Promote Professional Ethics 2

(ISC)2 Code of Professional Ethics 2

Organizational Code of Ethics 3

Understand and Apply Security Concepts 4

Confidentiality 4

Integrity 5

Availability 6

Limitations of the CIA Triad 7

Evaluate and Apply Security Governance Principles 8

Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives 9

Organizational Processes 10

Organizational Roles and Responsibilities 14

Security Control Frameworks 15

Due Care and Due Diligence 22

Determine Compliance and Other Requirements 23

Legislative and Regulatory Requirements 23

Industry Standards and Other Compliance Requirements 25

Privacy Requirements 27

Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context 28

Cybercrimes and Data Breaches 28

Licensing and Intellectual Property Requirements 36

Import/Export Controls 39

Transborder Data Flow 40

Privacy 41

Understand Requirements for Investigation Types 48

Administrative 49

Criminal 50

Civil 52

Regulatory 53

Industry Standards 54

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 55

Policies 55

Standards 56

Procedures 57

Guidelines 57

Identify, Analyze, and Prioritize Business Continuity Requirements 58

Business Impact Analysis 59

Develop and Document the Scope and the Plan 61

Contribute to and Enforce Personnel Security Policies and Procedures 63

Candidate Screening and Hiring 63

Employment Agreements and Policies 64

Onboarding, Transfers, and Termination Processes 65

Vendor, Consultant, and Contractor Agreements and Controls 67

Compliance Policy Requirements 67

Privacy Policy Requirements 68

Understand and Apply Risk Management Concepts 68

Identify Threats and Vulnerabilities 68

Risk Assessment 70

Risk Response/Treatment 72

Countermeasure Selection and Implementation 73

Applicable Types of Controls 75

Control Assessments 76

Monitoring and Measurement 77

Reporting 77

Continuous Improvement 78

Risk Frameworks 78

Understand and Apply Threat Modeling Concepts and Methodologies 83

Threat Modeling Concepts 84

Threat Modeling Methodologies 85

Apply Supply Chain Risk Management Concepts 88

Risks Associated with Hardware, Software, and Services 88

Third-Party Assessment and Monitoring 89

Minimum Security Requirements 90

Service-Level

Requirements 90

Frameworks 91

Establish and Maintain a Security Awareness, Education, and Training Program 92

Methods and Techniques to Present Awareness and Training 93

Periodic Content Reviews 94

Program Effectiveness Evaluation 94

Summary 95

Domain 2: Asset Security 97

Identify and Classify Information and Assets 97

Data Classification and Data Categorization 99

Asset Classification 101

Establish Information and Asset Handling Requirements 104

Marking and Labeling 104

Handling 105

Storage 105

Declassification 106

Provision Resources Securely 108

Information and Asset Ownership 108

Asset Inventory 109

Asset Management 112

Manage Data Lifecycle 115

Data Roles 116

Data Collection 120

Data Location 120

Data Maintenance 121

Data Retention 122

Data Destruction 123

Data Remanence 123

Ensure Appropriate Asset Retention 127

Determining Appropriate Records Retention 129

Records Retention Best Practices 130

Determine Data Security Controls and Compliance Requirements 131

Data States 133

Scoping and Tailoring 135

Standards Selection 137

Data Protection Methods 141

Summary 144

Domain 3: Security Architecture and Engineering 147

Research, Implement, and Manage Engineering Processes Using Secure Design Principles 149

ISO/IEC 19249 150

Threat Modeling 157

Secure Defaults 160

Fail Securely 161

Separation of Duties 161

Keep It Simple 162

Trust, but Verify 162

Zero Trust 163

Privacy by Design 165

Shared Responsibility 166

Defense in Depth 167

Understand the Fundamental Concepts of Security Models 168

Primer on Common Model Components 168

Information Flow Model 169

Noninterference Model 169

Bell-LaPadula Model 170

Biba Integrity Model 172

Clark-Wilson Model 173

Brewer-Nash Model 173

Take-Grant Model 175

Select Controls Based Upon Systems Security Requirements 175

Understand Security Capabilities of Information Systems 179

Memory Protection 180

Secure Cryptoprocessor 182

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 187

Client-Based Systems 187

Server-Based Systems 189

Database Systems 191

Cryptographic Systems 194

Industrial Control Systems 200

Cloud-Based Systems 203

Distributed Systems 207

Internet of Things 208

Microservices 212

Containerization 214

Serverless 215

Embedded Systems 216

High-Performance Computing Systems 219

Edge Computing Systems 220

Virtualized Systems 221

Select and Determine Cryptographic Solutions 224

Cryptography Basics 225

Cryptographic Lifecycle 226

Cryptographic Methods 229

Public Key Infrastructure 243

Key Management Practices 246

Digital Signatures and Digital Certificates 250

Nonrepudiation 252

Integrity 253

Understand Methods of Cryptanalytic Attacks 257

Brute Force 258

Ciphertext Only 260

Known Plaintext 260

Chosen Plaintext Attack 260

Frequency Analysis 261

Chosen Ciphertext 261

Implementation Attacks 261

Side-Channel Attacks 261

Fault Injection 263

Timing Attacks 263

Man-in-the-Middle 263

Pass the Hash 263

Kerberos Exploitation 264

Ransomware 264

Apply Security Principles to Site and Facility Design 265

Design Site and Facility Security Controls 265

Wiring Closets/Intermediate Distribution Facilities 266

Server Rooms/Data Centers 267

Media Storage Facilities 268

Evidence Storage 269

Restricted and Work Area Security 270

Utilities and Heating, Ventilation, and Air Conditioning 272

Environmental Issues 275

Fire Prevention, Detection, and Suppression 277

Summary 281

Domain 4: Communication and Network Security 283

Assess and Implement Secure Design Principles in Network Architectures 283

Open System Interconnection and Transmission Control Protocol/Internet Protocol Models 285

The OSI Reference Model 286

The TCP/IP Reference Model 299

Internet Protocol Networking 302

Secure Protocols 311

Implications of Multilayer Protocols 313

Converged Protocols 315

Microsegmentation 316

Wireless Networks 319

Cellular Networks 333

Content Distribution Networks 334

Secure Network Components 335

Operation of Hardware 335

Repeaters, Concentrators, and Amplifiers 341

Hubs 341

Bridges 342

Switches 342

Routers 343

Gateways 343

Proxies 343

Transmission Media 345

Network Access Control 352

Endpoint Security 354

Mobile Devices 355

Implement Secure Communication Channels According to Design 357

Voice 357

Multimedia Collaboration 359

Remote Access 365

Data Communications 371

Virtualized Networks 373

Third-Party

Connectivity 374

Summary 374

Domain 5: Identity and Access Management 377

Control Physical and Logical Access to Assets 378

Access Control Definitions 378

Information 379

Systems 380

Devices 381

Facilities 383

Applications 386

Manage Identification and Authentication of People, Devices, and Services 387

Identity Management Implementation 388

Single/Multifactor Authentication 389

Accountability 396

Session Management 396

Registration, Proofing, and Establishment of Identity 397

Federated Identity Management 399

Credential Management Systems 399

Single Sign-On 400

Just-In-Time 401

Federated Identity with a Third-Party Service 401

On Premises 402

Cloud 403

Hybrid 403

Implement and Manage Authorization Mechanisms 404

Role-Based Access Control 405

Rule-Based Access Control 405

Mandatory Access Control 406

Discretionary Access Control 406

Attribute-Based Access Control 407

Risk-Based Access Control 408

Manage the Identity and Access Provisioning Lifecycle 408

Account Access Review 409

Account Usage Review 411

Provisioning and Deprovisioning 411

Role Definition 412

Privilege Escalation 413

Implement Authentication Systems 414

OpenID Connect/Open Authorization 414

Security Assertion Markup Language 415

Kerberos 416

Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus 417

Summary 418

Domain 6: Security Assessment and Testing 419

Design and Validate Assessment, Test,...

Details
Erscheinungsjahr: 2021
Genre: Importe, Informatik
Rubrik: Naturwissenschaften & Technik
Medium: Buch
Inhalt: 672 S.
ISBN-13: 9781119789994
ISBN-10: 1119789990
Sprache: Englisch
Einband: Gebunden
Autor: Kraus, Aaron
Deane, Arthur J.
Hersteller: John Wiley & Sons Inc
Verantwortliche Person für die EU: Wiley-VCH GmbH, Boschstr. 12, D-69469 Weinheim, amartine@wiley-vch.de
Maße: 240 x 196 x 37 mm
Von/Mit: Aaron Kraus (u. a.)
Erscheinungsdatum: 11.11.2021
Gewicht: 1,262 kg
Artikel-ID: 119653691
Inhaltsverzeichnis

Foreword xix

Introduction xxi

Domain 1: Security and Risk Management 1

Understand, Adhere to, and Promote Professional Ethics 2

(ISC)2 Code of Professional Ethics 2

Organizational Code of Ethics 3

Understand and Apply Security Concepts 4

Confidentiality 4

Integrity 5

Availability 6

Limitations of the CIA Triad 7

Evaluate and Apply Security Governance Principles 8

Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives 9

Organizational Processes 10

Organizational Roles and Responsibilities 14

Security Control Frameworks 15

Due Care and Due Diligence 22

Determine Compliance and Other Requirements 23

Legislative and Regulatory Requirements 23

Industry Standards and Other Compliance Requirements 25

Privacy Requirements 27

Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context 28

Cybercrimes and Data Breaches 28

Licensing and Intellectual Property Requirements 36

Import/Export Controls 39

Transborder Data Flow 40

Privacy 41

Understand Requirements for Investigation Types 48

Administrative 49

Criminal 50

Civil 52

Regulatory 53

Industry Standards 54

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 55

Policies 55

Standards 56

Procedures 57

Guidelines 57

Identify, Analyze, and Prioritize Business Continuity Requirements 58

Business Impact Analysis 59

Develop and Document the Scope and the Plan 61

Contribute to and Enforce Personnel Security Policies and Procedures 63

Candidate Screening and Hiring 63

Employment Agreements and Policies 64

Onboarding, Transfers, and Termination Processes 65

Vendor, Consultant, and Contractor Agreements and Controls 67

Compliance Policy Requirements 67

Privacy Policy Requirements 68

Understand and Apply Risk Management Concepts 68

Identify Threats and Vulnerabilities 68

Risk Assessment 70

Risk Response/Treatment 72

Countermeasure Selection and Implementation 73

Applicable Types of Controls 75

Control Assessments 76

Monitoring and Measurement 77

Reporting 77

Continuous Improvement 78

Risk Frameworks 78

Understand and Apply Threat Modeling Concepts and Methodologies 83

Threat Modeling Concepts 84

Threat Modeling Methodologies 85

Apply Supply Chain Risk Management Concepts 88

Risks Associated with Hardware, Software, and Services 88

Third-Party Assessment and Monitoring 89

Minimum Security Requirements 90

Service-Level

Requirements 90

Frameworks 91

Establish and Maintain a Security Awareness, Education, and Training Program 92

Methods and Techniques to Present Awareness and Training 93

Periodic Content Reviews 94

Program Effectiveness Evaluation 94

Summary 95

Domain 2: Asset Security 97

Identify and Classify Information and Assets 97

Data Classification and Data Categorization 99

Asset Classification 101

Establish Information and Asset Handling Requirements 104

Marking and Labeling 104

Handling 105

Storage 105

Declassification 106

Provision Resources Securely 108

Information and Asset Ownership 108

Asset Inventory 109

Asset Management 112

Manage Data Lifecycle 115

Data Roles 116

Data Collection 120

Data Location 120

Data Maintenance 121

Data Retention 122

Data Destruction 123

Data Remanence 123

Ensure Appropriate Asset Retention 127

Determining Appropriate Records Retention 129

Records Retention Best Practices 130

Determine Data Security Controls and Compliance Requirements 131

Data States 133

Scoping and Tailoring 135

Standards Selection 137

Data Protection Methods 141

Summary 144

Domain 3: Security Architecture and Engineering 147

Research, Implement, and Manage Engineering Processes Using Secure Design Principles 149

ISO/IEC 19249 150

Threat Modeling 157

Secure Defaults 160

Fail Securely 161

Separation of Duties 161

Keep It Simple 162

Trust, but Verify 162

Zero Trust 163

Privacy by Design 165

Shared Responsibility 166

Defense in Depth 167

Understand the Fundamental Concepts of Security Models 168

Primer on Common Model Components 168

Information Flow Model 169

Noninterference Model 169

Bell-LaPadula Model 170

Biba Integrity Model 172

Clark-Wilson Model 173

Brewer-Nash Model 173

Take-Grant Model 175

Select Controls Based Upon Systems Security Requirements 175

Understand Security Capabilities of Information Systems 179

Memory Protection 180

Secure Cryptoprocessor 182

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 187

Client-Based Systems 187

Server-Based Systems 189

Database Systems 191

Cryptographic Systems 194

Industrial Control Systems 200

Cloud-Based Systems 203

Distributed Systems 207

Internet of Things 208

Microservices 212

Containerization 214

Serverless 215

Embedded Systems 216

High-Performance Computing Systems 219

Edge Computing Systems 220

Virtualized Systems 221

Select and Determine Cryptographic Solutions 224

Cryptography Basics 225

Cryptographic Lifecycle 226

Cryptographic Methods 229

Public Key Infrastructure 243

Key Management Practices 246

Digital Signatures and Digital Certificates 250

Nonrepudiation 252

Integrity 253

Understand Methods of Cryptanalytic Attacks 257

Brute Force 258

Ciphertext Only 260

Known Plaintext 260

Chosen Plaintext Attack 260

Frequency Analysis 261

Chosen Ciphertext 261

Implementation Attacks 261

Side-Channel Attacks 261

Fault Injection 263

Timing Attacks 263

Man-in-the-Middle 263

Pass the Hash 263

Kerberos Exploitation 264

Ransomware 264

Apply Security Principles to Site and Facility Design 265

Design Site and Facility Security Controls 265

Wiring Closets/Intermediate Distribution Facilities 266

Server Rooms/Data Centers 267

Media Storage Facilities 268

Evidence Storage 269

Restricted and Work Area Security 270

Utilities and Heating, Ventilation, and Air Conditioning 272

Environmental Issues 275

Fire Prevention, Detection, and Suppression 277

Summary 281

Domain 4: Communication and Network Security 283

Assess and Implement Secure Design Principles in Network Architectures 283

Open System Interconnection and Transmission Control Protocol/Internet Protocol Models 285

The OSI Reference Model 286

The TCP/IP Reference Model 299

Internet Protocol Networking 302

Secure Protocols 311

Implications of Multilayer Protocols 313

Converged Protocols 315

Microsegmentation 316

Wireless Networks 319

Cellular Networks 333

Content Distribution Networks 334

Secure Network Components 335

Operation of Hardware 335

Repeaters, Concentrators, and Amplifiers 341

Hubs 341

Bridges 342

Switches 342

Routers 343

Gateways 343

Proxies 343

Transmission Media 345

Network Access Control 352

Endpoint Security 354

Mobile Devices 355

Implement Secure Communication Channels According to Design 357

Voice 357

Multimedia Collaboration 359

Remote Access 365

Data Communications 371

Virtualized Networks 373

Third-Party

Connectivity 374

Summary 374

Domain 5: Identity and Access Management 377

Control Physical and Logical Access to Assets 378

Access Control Definitions 378

Information 379

Systems 380

Devices 381

Facilities 383

Applications 386

Manage Identification and Authentication of People, Devices, and Services 387

Identity Management Implementation 388

Single/Multifactor Authentication 389

Accountability 396

Session Management 396

Registration, Proofing, and Establishment of Identity 397

Federated Identity Management 399

Credential Management Systems 399

Single Sign-On 400

Just-In-Time 401

Federated Identity with a Third-Party Service 401

On Premises 402

Cloud 403

Hybrid 403

Implement and Manage Authorization Mechanisms 404

Role-Based Access Control 405

Rule-Based Access Control 405

Mandatory Access Control 406

Discretionary Access Control 406

Attribute-Based Access Control 407

Risk-Based Access Control 408

Manage the Identity and Access Provisioning Lifecycle 408

Account Access Review 409

Account Usage Review 411

Provisioning and Deprovisioning 411

Role Definition 412

Privilege Escalation 413

Implement Authentication Systems 414

OpenID Connect/Open Authorization 414

Security Assertion Markup Language 415

Kerberos 416

Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus 417

Summary 418

Domain 6: Security Assessment and Testing 419

Design and Validate Assessment, Test,...

Details
Erscheinungsjahr: 2021
Genre: Importe, Informatik
Rubrik: Naturwissenschaften & Technik
Medium: Buch
Inhalt: 672 S.
ISBN-13: 9781119789994
ISBN-10: 1119789990
Sprache: Englisch
Einband: Gebunden
Autor: Kraus, Aaron
Deane, Arthur J.
Hersteller: John Wiley & Sons Inc
Verantwortliche Person für die EU: Wiley-VCH GmbH, Boschstr. 12, D-69469 Weinheim, amartine@wiley-vch.de
Maße: 240 x 196 x 37 mm
Von/Mit: Aaron Kraus (u. a.)
Erscheinungsdatum: 11.11.2021
Gewicht: 1,262 kg
Artikel-ID: 119653691
Sicherheitshinweis