Full Description
The fast and easy way to secure your CISSP certification. Are you a security professional seeking the valuable CISSP certification? Good for you! CISSP For Dummies is the ideal starting point on your journey, providing you with a friendly and accessible framework for studying for this highly sought-after certification. Fully updated to reflect the latest iterations of all eight domains covered by the test, it offers helpful study tips, guidance on making a 60-day study plan, 'instant answers' to help you recall key information, practice tests, and much more. Packed with key information needed to pass the exam and hints on how to remember it all on test day, this new edition of CISSP For Dummies takes the intimidation out of preparing for getting your certification. Every chapter includes a 'Quick Assessment' test at the beginning and a 'Test Prep' section at the end to help you gauge your progress, while access to randomly generated test questions online gives you the freedom to practice and test your knowledge whenever it's convenient for you.

- Review the eight domains of security found in the CISSP Common Body of Knowledge
- Explore security websites and supplementary books
- Get a feel for the real thing with 250 practice exam questions
- Learn about exam requirements and find out how to register

If you're a CISSP hopeful or an existing certification-holder looking to renew your certification, CISSP For Dummies is the down-to-earth roadmap to get you there.
Contents
- Foreword (xv)
- Introduction (1)
  - About This Book (2)
  - How This Book Is Organized (2)
  - Icons Used in This Book (3)
  - Beyond the Book (4)
  - Getting Started (4)
- Part I: Getting Started With CISSP Certification (5)
- Chapter 1: (ISC)2 and the CISSP Certification (7)
  - About (ISC)2 and the CISSP Certification (7)
  - You Must Be This Tall to Ride This Ride (and Other Requirements) (8)
  - Preparing for the Exam (9)
    - Studying on your own (10)
    - Getting hands-on experience (11)
    - Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar (11)
    - Attending other training courses or study groups (12)
    - Take the testing tutorial and practice exam (12)
    - Are you ready for the exam? (13)
  - Registering for the Exam (13)
  - About the CISSP Examination (14)
  - After the Examination (16)
- Chapter 2: Putting Your Certification to Good Use (19)
  - Being an Active (ISC)2 Member (19)
  - Considering (ISC)2 Volunteer Opportunities (20)
    - Writing certification exam questions (20)
    - Speaking at events (20)
    - Read and contribute to (ISC)2 publications (21)
    - Support the (ISC)2 Center for Cyber Safety and Education (21)
    - Participating in (ISC)2 focus groups (22)
    - Get involved with a CISSP study group (22)
    - Help others learn more about data security (22)
  - Becoming an Active Member of Your Local Security Chapter (23)
  - Spreading the Good Word about CISSP Certification (24)
    - Promoting other certifications (25)
    - Wear the colors proudly (25)
    - Lead by example (25)
  - Using Your CISSP Certification to Be an Agent of Change (26)
  - Earning Other Certifications (26)
    - Other (ISC)2 certifications (27)
    - CISSP concentrations (27)
    - Non-(ISC)2 certifications (28)
    - Choosing the right certifications (31)
  - Pursue Security Excellence (32)
- Part II: Certification Domains (33)
- Chapter 3: Security and Risk Management (35)
  - Understand and Apply Concepts of Confidentiality, Integrity, and Availability (35)
    - Confidentiality (36)
    - Integrity (37)
    - Availability (37)
  - Apply Security Governance Principles (37)
    - Alignment of security function to business strategy, goals, mission and objectives (38)
    - Organizational processes (security executive oversight) (39)
    - Security roles and responsibilities (40)
    - Control frameworks (41)
    - Due care (43)
    - Due diligence (44)
  - Compliance (44)
    - Legislative and regulatory compliance (44)
    - Privacy requirements compliance (49)
  - Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context (49)
    - Computer crimes (50)
    - Licensing and intellectual property (60)
    - Import/export controls (63)
    - Trans-border data flow (63)
    - Privacy (63)
    - Data breaches (69)
  - Understand Professional Ethics (70)
    - Exercise the (ISC)2 Code of Professional Ethics (71)
    - Support your organization's code of ethics (72)
  - Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines (73)
    - Policies (74)
    - Standards (and baselines) (75)
    - Procedures (75)
    - Guidelines (75)
  - Understand Business Continuity Requirements (76)
    - Develop and document project scope and plan (78)
    - Conduct Business Impact Analysis (86)
    - Developing the Business Continuity Plan (93)
    - Implementing the BCP (96)
  - Contribute to Personnel Security Policies (98)
    - Employment candidate screening (98)
    - Employment agreements and policies (100)
    - Employment termination processes (101)
    - Vendor, consultant and contractor controls (101)
    - Compliance (102)
    - Privacy (102)
  - Understand and Apply Risk Management Concepts (102)
    - Identify threats and vulnerabilities (103)
    - Risk assessment/analysis (treatment) (103)
    - Risk assignment/acceptance (108)
    - Countermeasure selection (108)
    - Implementation (110)
    - Types of controls (110)
    - Control assessment (112)
    - Monitoring and measurement (114)
    - Asset valuation (114)
    - Reporting (115)
    - Continuous improvement (115)
    - Risk frameworks (116)
  - Understand and Apply Threat Modeling (117)
    - Identifying threats (117)
    - Determining and diagramming potential attacks (118)
    - Performing reduction analysis (119)
    - Technologies and processes to remediate threats (119)
  - Integrate Security Risk Considerations into Acquisition Strategy and Practice (120)
    - Hardware, software, and services (121)
    - Third-party assessment and monitoring (121)
    - Minimum security requirements (121)
    - Service level requirements (122)
  - Establish and Manage Information Security Education, Training, and Awareness (122)
    - Appropriate levels of awareness, training and education required within organization (122)
    - Periodic reviews for content relevancy (124)
- Chapter 4: Asset Security (125)
  - Classify Information and Supporting Assets (125)
    - Commercial data classification (126)
    - Government data classification (126)
  - Determine and Maintain Ownership (128)
  - Protect Privacy (129)
  - Ensure Appropriate Retention (131)
  - Determine Data Security Controls (132)
    - Baselines (133)
    - Scoping and tailoring (134)
    - Standards selection (134)
    - Cryptography (135)
  - Establish Handling Requirements (135)
- Chapter 5: Security Engineering (137)
  - Implement and Manage Engineering Processes Using Secure Design Principles (137)
  - Understand the Fundamental Concepts of Security Models (139)
    - Confidentiality (139)
    - Integrity (140)
    - Availability (140)
    - Access control models (141)
  - Select Controls and Countermeasures based upon Systems Security Evaluation Models (144)
    - Evaluation criteria (144)
    - System certification and accreditation (149)
    - Security controls and countermeasures (151)
  - Understand Security Capabilities of Information Systems (154)
    - Computer architecture (154)
    - Trusted Computing Base (TCB) (161)
    - Trusted Platform Module (TPM) (161)
    - Secure modes of operation (162)
    - Open and closed systems (163)
    - Protection rings (163)
    - Security modes (163)
    - Recovery procedures (164)
    - Vulnerabilities in security architectures (165)
  - Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements (166)
    - Client-based (166)
    - Server-based (167)
    - Database security (167)
    - Large-scale parallel data systems (168)
    - Distributed systems (168)
    - Cryptographic systems (169)
    - Industrial control systems (170)
  - Assess and Mitigate Vulnerabilities in Web-Based Systems (171)
  - Assess and Mitigate Vulnerabilities in Mobile Systems (172)
  - Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems (173)
  - Apply Cryptography (174)
    - Cryptographic Life Cycle (176)
    - Plaintext and ciphertext (177)
    - Encryption and decryption (177)
    - Cryptography alternatives (183)
    - Not quite the metric system: Symmetric and asymmetric key systems (184)
    - Message authentication (193)
    - Public Key Infrastructure (PKI) (196)
    - Key management functions (197)
    - Key escrow and key recovery (198)
    - Methods of attack (198)
  - Apply Secure Principles to Site and Facility Design (201)
    - Choosing a secure location (202)
    - Designing a secure facility (203)
  - Design and Implement Physical Security (205)
    - Wiring closets, server rooms, media storage facilities, and evidence storage (206)
    - Restricted and work area security (207)
    - Utilities and HVAC considerations (207)
    - Water issues (211)
    - Fire prevention, detection and suppression (211)
- Chapter 6: Communication and Network Security (215)
  - Apply Secure Design Principles to Network Architecture (215)
    - OSI and TCP/IP models (219)
    - Cryptography used to maintain communication security (251)
  - Secure Network Components (251)
    - Operation of hardware (252)
    - Transmission media (252)
    - Network access control devices (254)
    - Endpoint security (262)
    - Content distribution networks (264)
    - Physical devices (265)
  - Design and Establish Secure Communication Channels (265)
    - Voice (266)
    - Email (266)
    - Web (270)
    - Facsimile (271)
    - Multimedia collaboration (272)
    - Remote access (272)
    - Data communications (277)
    - Virtualized networks (277)
  - Prevent or Mitigate Network Attacks (279)
    - Bluejacking and bluesnarfing (279)
    - Fraggle (279)
    - Smurf (279)
    - DNS Server Attacks (280)
    - Man in the Middle (280)
    - ICMP flood (280)
    - Session hijacking (spoofing) (280)
    - Session hijacking (session token interception) (280)
    - SYN flood (281)
    - Teardrop (281)
    - UDP flood (281)
- Chapter 7: Identity and Access Management (283)
  - Control Physical and Logical Access to Assets (284)
    - Information (284)
    - Systems and devices (284)
    - Facilities (285)
  - Manage Identification and Authentication of People and Devices (285)
    - Identity management implementation (286)
    - Single/multi-factor authentication (295)
    - Accountability (309)
    - Session management (309)
    - Registration and proofing of identity (310)
    - Federated identity management (311)
    - Credential management systems (312)
  - Integrate Identity as a Service (312)
  - Integrate Third-Party Identity Services (314)
  - Implement and Manage Authorization Mechanisms (314)
    - Access control techniques (314)
  - Prevent or Mitigate Access Control Attacks (318)
  - Manage the Identity and Access Provisioning Lifecycle (320)
- Chapter 8: Security Assessment and Testing (323)
  - Design and Validate Assessment and Test Strategies (323)
  - Conduct Security Control Testing (324)
    - Vulnerability assessment (324)
    - Penetration testing (324)
    - Log reviews (326)
    - Synthetic transactions (328)
    - Code review and testing (328)
    - Misuse case testing (329)
    - Test coverage analysis (329)
    - Interface testing (329)
  - Collect Security Process Data (330)
    - Account management (330)
    - Management review (331)
    - Key performance and risk indicators (331)
    - Backup verification data (331)
    - Training and awareness (332)
    - Disaster recovery and business continuity (332)
  - Analyze and Report Test Outputs (332)
  - Conduct or Facilitate Internal and Third-Party Audits (332)
- Chapter 9: Security Operations (335)
  - Understand and Support Investigations (335)
    - Evidence collection and handling (335)
    - Reporting and documenting (342)
    - Investigative techniques (342)
    - Digital forensics (344)
  - Understand Requirements for Investigation Types (345)
  - Conduct Logging and Monitoring Activities (346)
    - Intrusion detection and prevention (347)
    - Security information and event management (348)
    - Continuous monitoring (348)
    - Egress monitoring (349)
  - Secure the Provisioning of Resources (349)
  - Understand and Apply Foundational Security Operations Concepts (351)
    - Need-to-know and least privilege (351)
    - Separation of duties and responsibilities (352)
    - Monitor special privileges (353)
    - Job rotation (355)
    - Information lifecycle (356)
    - Service level agreements (357)
  - Employ Resource Protection Techniques (359)
    - Media management (359)
    - Hardware and software asset management (361)
  - Conduct Incident Management (361)
  - Operate and Maintain Preventative Measures (363)
  - Implement and Support Patch and Vulnerability Management (364)
  - Participate in and Understand Change Management Processes (365)
  - Implement Recovery Strategies (366)
    - Backup storage strategies (366)
    - Recovery site strategies (366)
    - Multiple processing sites (367)
    - System resilience, high availability, and fault tolerance (367)
    - Quality of Service (QoS) (367)
  - Implement Disaster Recovery Processes (368)
    - Response (372)
    - Personnel (373)
    - Communications (374)
    - Assessment (375)
    - Restoration (375)
    - Training and awareness (376)
  - Test Disaster Recovery Plans (376)
    - Read-through (376)
    - Walkthrough (377)
    - Simulation (377)
    - Parallel (378)
    - Full interruption (or cutover) (379)
  - Participate in Business Continuity Planning and Exercises (379)
  - Implement and Manage Physical Security (380)
  - Participate in Addressing Personnel Safety Concerns (380)
- Chapter 10: Software Development Security (381)
  - Understand and Apply Security in the Software Development Lifecycle (381)
    - Development methodologies (382)
    - Maturity models (388)
    - Operation and maintenance (389)
    - Change management (390)
    - Integrated product team (391)
  - Enforce Security Controls in Development Environments (392)
    - Security of the software environments (392)
    - Configuration management as an aspect of secure coding (394)
    - Security of code repositories (395)
    - Security of application programming interfaces (395)
  - Assess the Effectiveness of Software Security (396)
    - Auditing and logging of changes (397)
    - Risk analysis and mitigation (397)
    - Acceptance testing (398)
  - Assess Security Impact of Acquired Software (399)
- Part III: The Part of Tens (401)
- Chapter 11: Ten (Okay, Nine) Test-Planning Tips (403)
  - Know Your Learning Style (403)
  - Get a Networking Certification First (403)
  - Register NOW! (404)
  - Make a 60-Day Study Plan (404)
  - Get Organized and READ! (405)
  - Join a Study Group (405)
  - Take Practice Exams (406)
  - Take a CISSP Review Seminar (406)
  - Take a Breather (406)
- Chapter 12: Ten Test-Day Tips (407)
  - Get a Good Night's Rest (407)
  - Dress Comfortably (407)
  - Eat a Good Breakfast (407)
  - Arrive Early (408)
  - Bring a Photo ID (408)
  - Bring Snacks and Drinks (408)
  - Bring Prescription and Over-the-Counter Medications (408)
  - Leave Your Electronic Devices Behind (409)
  - Take Frequent Breaks (409)
  - Guess as a Last Resort (409)
- Glossary (411)
- Index (455)