CISSP Certification Exam Study Guide: (Certified Information Systems Security Professional)
Ebook, 844 pages, 7 hours


About this ebook

This book has been carefully crafted to delve into each of the 8 CISSP Common Body of Knowledge (CBK) domains with comprehensive detail, ensuring that you gain a solid grasp of the content. The book consists of 8 chapters that form its core.
Here's a breakdown of the domains and the chapters they are covered in:
Chapter 1: Security and Risk Management
Chapter 2: Asset Security
Chapter 3: Security Architecture and Engineering
Chapter 4: Communication and Network Security
Chapter 5: Identity and Access Management (IAM)
Chapter 6: Security Assessment and Testing
Chapter 7: Security Operations
Chapter 8: Software Development Security
This book includes important resources to aid your exam preparation, such as exam essentials, key terms, and review questions. The exam essentials highlight crucial topics that you should focus on for the exam. Throughout the chapters, you will come across specialized terminology, which is also conveniently defined in the glossary at the end of the book. Additionally, review questions are provided to assess your understanding and retention of the chapter's content.
Language: English
Release date: Jul 17, 2023
ISBN: 9781543774436

    CISSP Certification Exam Study Guide - Kumud Kumar

    Copyright © 2023 by Kumud Kumar.

    All rights reserved. No part of this book may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the author except in the case of brief quotations embodied in critical articles and reviews.

    Because of the dynamic nature of the Internet, any web addresses or links contained in this book may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.

    www.partridgepublishing.com/singapore

    Table of Contents

    Acknowledgments

    Introduction

    About the Author

    Domain 1: Security and Risk Management

    1.1 Understand, adhere to, and promote professional ethics

    1.1.1 (ISC)² Code of Professional Ethics

    1.1.2 Organizational code of ethics

    1.2 Understand and apply security concepts

    1.2.1 Confidentiality, integrity, and availability, authenticity and nonrepudiation

    1.3 Evaluate and apply security governance principles

    1.3.1 Alignment of the security function to business strategy, goals, mission, and objectives

    1.3.2 Organizational processes (e.g., acquisitions, divestitures, governance committees)

    1.3.3 Organizational roles and responsibilities

    1.3.4 Security control frameworks

    1.3.5 Due care/due diligence

    1.4 Determine compliance and other requirements

    1.4.1 Contractual, legal, industry standards, and regulatory requirements

    1.4.2 Privacy requirements

    1.5 Understand legal and regulatory issues that pertain to information security in a holistic context

    1.5.1 Cybercrimes and data breaches

    1.5.2 Licensing and Intellectual Property (IP) requirements

    1.5.3 Import/export controls

    1.5.4 Transborder data flow

    1.5.5 Privacy

    1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)

    1.7 Develop, document, and implement security policy, standards, procedures, and guidelines

    1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements

    1.8.1 Business Impact Analysis (BIA)

    1.8.2 Develop and document the scope and the plan

    1.9 Contribute to and enforce personnel security policies and procedures

    1.9.1 Candidate screening and hiring

    1.9.2 Employment agreements and policies

    1.9.3 Onboarding, transfers, and termination processes

    1.9.4 Vendor, consultant, and contractor agreements and controls

    1.9.5 Compliance policy requirements

    1.9.6 Privacy policy requirements

    1.10 Understand and apply risk management concepts

    1.10.1 Identify threats and vulnerabilities

    1.10.2 Risk assessment/analysis

    1.10.3 Risk response

    1.10.4 Countermeasure selection and implementation

    1.10.5 Applicable types of controls (e.g., preventive, detective, corrective)

    1.10.6 Control assessments (security and privacy)

    1.10.7 Monitoring and measurement

    1.10.8 Reporting

    1.10.9 Continuous improvement (e.g., Risk maturity modeling)

    1.10.10 Risk frameworks

    1.11 Understand and apply threat modeling concepts and methodologies

    1.12 Apply Supply Chain Risk Management (SCRM) concepts

    1.12.1 Risks associated with hardware, software, and services

    1.12.2 Third-party assessment and monitoring

    1.12.3 Minimum security requirements

    1.12.4 Service level requirements

    1.13 Establish and maintain a security awareness, education, and training program

    1.13.1 Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)

    1.13.2 Periodic content reviews

    1.13.3 Program effectiveness evaluation

    Domain 1 Review Questions

    Answers to Domain 1 Review Questions

    Domain 2: Asset Security

    2.1 Identify and classify information and assets

    2.1.1 Data classification

    2.1.2 Asset Classification

    2.2 Establish information and asset handling requirements

    2.3 Provision resources securely

    2.3.1 Information and asset ownership

    2.3.2 Asset inventory (e.g., tangible, intangible)

    2.3.3 Asset management

    2.4 Manage data lifecycle

    2.4.1 Data roles (i.e., owners, controllers, custodians, processors, users/subjects)

    2.4.2 Data collection

    2.4.3 Data location

    2.4.4 Data maintenance

    2.4.5 Data retention

    2.4.6 Data remanence

    2.4.7 Data destruction

    2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))

    2.6 Determine data security controls and compliance requirements

    2.6.1 Data states (e.g., in use, in transit, at rest)

    2.6.2 Scoping and tailoring

    2.6.3 Standards selection

    2.6.4 Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))

    Domain 2 Review Questions

    Answers to Domain 2 Review Questions

    Domain 3: Security Architecture and Engineering

    3.1 Research, implement and manage engineering processes using secure design principles

    3.1.1 Threat modeling

    3.1.2 Least privilege

    3.1.3 Defense in depth

    3.1.4 Secure defaults

    3.1.5 Fail securely

    3.1.6 Separation of Duties (SoD)

    3.1.7 Keep it simple

    3.1.8 Zero Trust

    3.1.9 Privacy by design

    3.1.10 Trust but verify

    3.1.11 Shared responsibility

    3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)

    3.3 Select controls based upon systems security requirements

    3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

    3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

    3.5.1 Client-based systems

    3.5.2 Server-based systems

    3.5.3 Database systems

    3.5.4 Cryptographic systems

    3.5.5 Industrial Control Systems (ICS)

    3.5.6 Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

    3.5.7 Distributed systems

    3.5.8 Internet of Things (IoT)

    3.5.9 Microservices

    3.5.10 Containerization

    3.5.11 Serverless

    3.5.12 Embedded systems

    3.5.13 High-Performance Computing (HPC) systems

    3.5.14 Edge computing systems

    3.5.15 Virtualized systems

    3.6 Select and determine cryptographic solutions

    3.6.1 Cryptographic life cycle (e.g., keys, algorithm selection)

    3.6.2 Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)

    3.6.3 Public Key Infrastructure (PKI)

    3.6.4 Key management practices

    3.6.5 Digital signatures and digital certificates

    3.6.6 Non-repudiation

    3.6.7 Integrity (e.g., hashing)

    3.7 Understand methods of cryptanalytic attacks

    3.7.1 Brute Force

    3.7.2 Ciphertext only

    3.7.3 Known plaintext

    3.7.4 Frequency analysis

    3.7.5 Chosen ciphertext

    3.7.6 Implementation attacks

    3.7.7 Side-channel

    3.7.8 Fault injection

    3.7.9 Timing

    3.7.10 Man-in-the-Middle (MITM)

    3.7.11 Pass the hash

    3.7.12 Kerberos exploitation

    3.7.13 Ransomware

    3.8 Apply security principles to site and facility design

    3.9 Design site and facility security controls

    3.9.1 Wiring closets/intermediate distribution facilities

    3.9.2 Server rooms/data centers

    3.9.3 Media storage facilities

    3.9.4 Evidence storage

    3.9.5 Restricted and work area security

    3.9.6 Utilities and Heating, Ventilation, and Air Conditioning (HVAC)

    3.9.7 Environmental issues

    3.9.8 Fire prevention, detection, and suppression

    3.9.9 Power (e.g., redundant, backup)

    Domain 3 Review Questions

    Answers to Domain 3 Review Questions

    Domain 4: Communication and Network Security

    4.1 Assess and implement secure design principles in network architectures

    4.1.1 Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models

    4.1.2 Secure protocols

    4.1.3 Implications of multilayer protocols

    4.1.4 Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP))

    4.1.5 Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))

    4.1.6 Cellular networks (e.g., 4G, 5G)

    4.1.7 Content Distribution Networks (CDN)

    4.2 Secure network components

    4.2.1 Operation of hardware (e.g., redundant power, warranty, support)

    4.2.2 Transmission media

    4.2.3 Network Access Control (NAC) devices

    4.2.4 Endpoint security

    4.3 Implement secure communication channels according to design

    4.3.1 Voice

    4.3.2 Multimedia collaboration

    4.3.3 Remote access

    4.3.4 Data communications

    4.3.5 Virtualized networks

    Domain 4 Review Questions

    Answers to Domain 4 Review Questions

    Domain 5: Identity and Access Management (IAM)

    5.1 Control physical and logical access to assets

    5.1.1 Information

    5.1.2 Systems

    5.1.3 Devices

    5.1.4 Facilities

    5.1.5 Applications

    5.2 Manage identification and authentication of people, devices, and services

    5.2.1 Identity Management (IdM) implementation

    5.2.2 Single/Multi-Factor Authentication (MFA)

    5.2.3 Accountability

    5.2.4 Session management

    5.2.5 Registration, proofing, and establishment of identity

    5.2.6 Federated Identity Management (FIM)

    5.2.7 Credential management systems

    5.2.8 Single Sign On (SSO)

    5.2.9 Just-In-Time (JIT)

    5.3 Federated identity with a third-party service

    5.3.1 On-premise

    5.3.2 Cloud

    5.3.3 Hybrid

    5.4 Implement and manage authorization mechanisms

    5.4.1 Role Based Access Control (RBAC)

    5.4.2 Rule based access control

    5.4.3 Mandatory Access Control (MAC)

    5.4.4 Discretionary Access Control (DAC)

    5.4.5 Attribute Based Access Control (ABAC)

    5.4.6 Risk based access control

    5.5 Manage the identity and access provisioning lifecycle

    5.5.1 Account access review (e.g., user, system, service)

    5.5.2 Provisioning and deprovisioning (e.g., on/off boarding and transfers)

    5.5.3 Role definition (e.g., people assigned to new roles)

    5.5.4 Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)

    5.6 Implement authentication systems

    5.6.1 OpenID Connect (OIDC)/Open Authorization (OAuth)

    5.6.2 Security Assertion Markup Language (SAML)

    5.6.3 Kerberos

    5.6.4 Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)

    Domain 5 Review Questions

    Answers to Domain 5 Review Questions

    Domain 6: Security Assessment and Testing

    6.1 Design and validate assessment, test, and audit strategies

    6.1.1 Internal

    6.1.2 External

    6.1.3 Third-party

    6.2 Conduct security control testing

    6.2.1 Vulnerability assessment

    6.2.2 Penetration testing

    6.2.3 Log reviews

    6.2.4 Synthetic transactions

    6.2.5 Code review and testing

    6.2.6 Misuse case testing

    6.2.7 Test coverage analysis

    6.2.8 Interface testing

    6.2.9 Breach attack simulations

    6.2.10 Compliance checks

    6.3 Collect security process data (e.g., technical and administrative)

    6.3.1 Account management

    6.3.2 Management review and approval

    6.3.3 Key performance and risk indicators

    6.3.4 Backup verification data

    6.3.5 Training and awareness

    6.3.6 Disaster Recovery (DR) and Business Continuity (BC)

    6.4 Analyze test output and generate report

    6.4.1 Remediation

    6.4.2 Exception handling

    6.4.3 Ethical disclosure

    6.5 Conduct or facilitate security audits

    6.5.1 Internal

    6.5.2 External

    6.5.3 Third-party

    Domain 6 Review Questions

    Answers to Domain 6 Review Questions

    Domain 7: Security Operations

    7.1 Understand and comply with investigations

    7.1.1 Evidence collection and handling

    7.1.2 Reporting and documentation

    7.1.3 Investigative techniques

    7.1.4 Digital forensics tools, tactics, and procedures

    7.1.5 Artifacts (e.g., computer, network, mobile device)

    7.2 Conduct logging and monitoring activities

    7.2.1 Intrusion detection and prevention

    7.2.2 Security Information and Event Management (SIEM)

    7.2.3 Continuous monitoring

    7.2.4 Egress monitoring

    7.2.5 Log management

    7.2.6 Threat intelligence (e.g., threat feeds, threat hunting)

    7.2.7 User and Entity Behavior Analytics (UEBA)

    7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)

    7.4 Apply foundational security operations concepts

    7.4.1 Need-to-know/least privilege

    7.4.2 Separation of Duties (SoD) and responsibilities

    7.4.3 Privileged account management

    7.4.4 Job rotation

    7.4.5 Service Level Agreements (SLAs)

    7.5 Apply resource protection

    7.5.1 Media management

    7.5.2 Media protection techniques

    7.6 Conduct incident management

    7.6.1 Detection

    7.6.2 Response

    7.6.3 Mitigation

    7.6.4 Reporting

    7.6.5 Recovery

    7.6.6 Remediation

    7.6.7 Lessons learned

    7.7 Operate and maintain detective and preventive measures

    7.7.1 Firewalls (e.g., next generation, web application, network)

    7.7.2 Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

    7.7.3 Whitelisting/blacklisting

    7.7.4 Third-party provided security services

    7.7.5 Sandboxing

    7.7.6 Honeypots/honeynets

    7.7.7 Anti-malware

    7.7.8 Machine learning and Artificial Intelligence (AI) based tools

    7.8 Implement and support patch and vulnerability management

    7.9 Understand and participate in change management processes

    7.10 Implement recovery strategies

    7.10.1 Backup storage strategies

    7.10.2 Recovery site strategies

    7.10.3 Multiple processing sites

    7.10.4 System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance

    7.11 Implement Disaster Recovery (DR) processes

    7.11.1 Response

    7.11.2 Personnel

    7.11.3 Communications

    7.11.4 Assessment

    7.11.5 Restoration

    7.11.6 Training and awareness

    7.11.7 Lessons learned

    7.12 Test Disaster Recovery Plans (DRP)

    7.12.1 Read-through/tabletop

    7.12.2 Walkthrough

    7.12.3 Simulation

    7.12.4 Parallel

    7.12.5 Full interruption

    7.13 Participate in Business Continuity (BC) planning and exercises

    7.14 Implement and manage physical security

    7.14.1 Perimeter security controls

    7.14.2 Internal security controls

    7.15 Address personnel safety and security concerns

    7.15.1 Travel

    7.15.2 Security training and awareness

    7.15.3 Emergency management

    7.15.4 Duress

    Domain 7 Review Questions

    Answers to Domain 7 Review Questions

    Domain 8: Software Development Security

    8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

    8.1.1 Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)

    8.1.2 Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))

    8.1.3 Operation and maintenance

    8.1.4 Change management

    8.1.5 Integrated Product Team (IPT)

    8.2 Identify and apply security controls in software development ecosystems

    8.2.1 Programming languages

    8.2.2 Libraries

    8.2.3 Tool sets

    8.2.4 Integrated Development Environment (IDE)

    8.2.5 Runtime

    8.2.6 Continuous Integration and Continuous Delivery (CI/CD)

    8.2.7 Security Orchestration, Automation, and Response (SOAR)

    8.2.8 Software Configuration Management (SCM)

    8.2.9 Code repositories

    8.2.10 Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))

    8.3 Assess the effectiveness of software security

    8.3.1 Auditing and logging of changes

    8.3.2 Risk analysis and mitigation

    8.4 Assess security impact of acquired software

    8.4.1 Commercial-off-the-shelf (COTS)

    8.4.2 Open source

    8.4.3 Third-party

    8.4.4 Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

    8.5 Define and apply secure coding guidelines and standards

    8.5.1 Security weaknesses and vulnerabilities at the source-code level

    8.5.2 Security of Application Programming Interfaces (APIs)

    8.5.3 Secure coding practices

    8.5.4 Software-defined security

    Domain 8 Review Questions

    Answers to Domain 8 Review Questions

    ACKNOWLEDGMENTS

    First and foremost, I want to express my heartfelt gratitude to our incredible friends and family who acted as matchmakers and helped connect us to this project. Your assistance has been invaluable, and we owe you a tremendous debt of gratitude. Seriously, you guys are amazing!

    I want to express my deepest gratitude to the individuals who played a pivotal role in kick-starting my career as a writer and trainer: my late mother, Mrs. Prabha Devi, and my father, Mr. Awadh Kumar Singh. I am incredibly grateful to both of you for instilling in me the essential tools that have shaped my journey—a curious mind, exceptional verbal skills, and the uncanny ability to win debates. Your guidance and unwavering support truly deserve gold medals.

    Now, let’s give a standing ovation to the one and only Veena Kumari. Not only did you agree to marry me and complete my life, but you have also been a superhero in delivering our two brilliant children, Kushagra Parasar and Kashvi Parasar. Seriously, you are a rockstar, and I will forever be grateful for your incredible efforts and sacrifices. You are the true ruler of my world!

    I want to give a heartfelt shoutout to my three incredible sisters and their life partners, Nilam/Vinod, Anima/Ash Narayan, and Ranju/Santosh. You all have been my trusted partners-in-crime, my biggest cheerleaders, and the occasional pranksters. Our sisterly shenanigans have added so much joy and laughter to my life, and I can’t imagine it any other way. Thank you for being the amazing siblings and friends that you are.

    Now, it’s time to express our special thanks to Rupinder Singh Kohli, the ultimate foodie extraordinaire. Not only have you treated us to countless gastronomic delights, but you have also served up an endless buffet of brilliant ideas. You are like a Michelin-starred chef of inspiration!

    Next, let’s give a round of applause to Vivek Gupta and Perumal Pillai, our unwavering supporters and advisors. You have been our guiding stars throughout this wild journey, always ready to lend a hand or share your wisdom. We owe you a lifetime supply of virtual high-fives.

    And last but certainly not least, a massive round of applause for our historical gang—Vipin Prasad, Unni Pillai, Vishal Pandey, Anjali Pandey, Gopal Kumar, Vinod Tiwari, Pankaj Singh, Binod Singh, Ranjeet, Ashutosh, Sujeet Sir, Rajesh Sir, Brajesh Sir, Sanjay Singh, Priya Ranjan, Amrendra, Prem Sir, Pramod Sir, Sanjay Sir, Pathak Sir, Chandra Bhushan, Kumud Pandey, and the CDAC Nagpur folks including Piyush, Mihir, Raman, Ravi, Atul, Alok, Saurav, Vaishali, Ritu, Rupali, Ashish, Labhesh, Santosh, Nikhil, JP, Sameer, Nitin, Soumya, Yashwant, Ranjeet Sir, and Deshpande Sir. You all have been the most incredible companions throughout these unforgettable twenty+ years. We’ve had epic adventures, hilarious moments, and even a few triumphs along the way. Who needs superheroes when we have you? Your awesomeness has made all the difference, and I couldn’t have done it without you!

    So, from the bottom of my heart, I want to say thank you, thank you, thank you to each and every one of you. You have made this project journey an absolute blast, and I am forever grateful. Let the virtual confetti fall and the virtual cupcakes pile high! Here’s to all of you, the champions of my heart. Cheers!

    ------Kumud Kumar

    INTRODUCTION

    Welcome to the exciting world of CISSP: Certified Information Systems Security Professional! Congratulations on picking up this book, which shows your readiness to explore the thrilling realm of security and stand up to those pesky hackers. Get ready for an adventure!

    This study guide will be your helpful companion as you strive to become a certified security expert. If you aspire to earn that impressive CISSP certification and become a true guardian of digital fortresses, you’ve come to the right place. We’ve got your back!

    Before you dive into the pages of wisdom, let’s make sure you’ve covered the basics. It’s important to have a basic understanding of IT and security. To be eligible for the CISSP certification, candidates must meet certain experience requirements. Refer to the Experience section below for more details on this.

    (ISC)², the organization behind the CISSP exam, has some additional resources and information for you. You can find all the juicy details in the next section. They’re like the cool kids in the security world, and you want to know what they have to offer.

    So, dear aspiring CISSP conqueror, get ready for an adventure of a lifetime! This book is your secret weapon to prepare for the CISSP exam and enhance your security skills. Remember, knowledge is power, and with great power comes great job opportunities (and maybe even a stylish cape). Best of luck on your brave journey!

    (ISC)²

    (ISC)², also known as the International Information Systems Security Certification Consortium, Inc., is the organization that governs the CISSP exam. This global not-for-profit organization has four primary goals:

    1. Maintaining the Common Body of Knowledge (CBK) for the field of information systems security.

    2. Providing certification for professionals and practitioners in the field of information systems security.

    3. Offering certification training and administering the certification exams.

    4. Overseeing the accreditation of qualified certification candidates through continued education.

    The operations of (ISC)² are managed by a board of directors elected from among its certified practitioners. If you’d like to learn more about (ISC)², you can visit their website at www.isc2.org.

    CISSP

    The CISSP (Certified Information Systems Security Professional) certification holds a prestigious status as the most widely recognized certification in the information security industry. It serves as validation for professionals who possess extensive technical and managerial knowledge and experience in effectively designing, engineering, and managing an organization’s overall security.

    The CISSP certification covers a wide range of topics, ensuring its relevance across various disciplines within the field of information security. Successful candidates demonstrate competence in the following eight domains:

    1. Security and Risk Management

    2. Asset Security

    3. Security Architecture and Engineering

    4. Communication and Network Security

    5. Identity and Access Management (IAM)

    6. Security Assessment and Testing

    7. Security Operations

    8. Software Development Security

    Experience

    To qualify for the CISSP certification, candidates must fulfill specific experience criteria. This entails having a minimum of five years of paid work experience in two or more of the eight domains covered by the CISSP Common Body of Knowledge (CBK). If a candidate holds a four-year college degree or an approved additional credential from (ISC)², it can substitute for one year of the required experience. However, it’s important to note that educational credits can only fulfill one year of the experience requirement.

    For individuals who don’t possess the necessary experience for full CISSP certification, there is an alternative path. By successfully passing the CISSP examination, they can become an Associate of (ISC)². As an Associate, they will have a six-year period to acquire the mandatory five years of relevant experience. If you’re interested, you can find further details on the (ISC)² website about the CISSP experience requirements and how to account for part-time work and internships.

    Accreditation

    CISSP holds the distinction of being the pioneering credential in the information security domain to fulfill the rigorous criteria outlined by ANSI/ISO/IEC Standard 17024.

    CISSP CAT Examination Information

    The CISSP exam follows Computerized Adaptive Testing (CAT) for English exams, while exams in other languages are conducted as linear, fixed-form exams.

    Here are some key details about the CISSP exam:

    • Exam Duration: 4 hours

    • Number of Items: 125 - 175

    • Item Format: Multiple choice and advanced innovative items

    • Passing Grade: 700 out of 1000 points

    • Available Language for Exam: English

    • Testing Centers: (ISC)² Authorized PPC and PVTC Select Pearson VUE Testing Centers

    The CISSP CAT Examination Weights are as follows:

    CISSP Exam Questions

    There are 125 – 175 multiple choice questions and advanced innovative items.

    Here’s what you need to know:

    • The exam length varies, with a minimum of 125 items and a maximum of 175 items.

    • To pass or fail, you must answer at least 75 operational (scored) items, but not more than 125 operational items.

    • Each exam includes 50 pre-test (unscored) items, which are being evaluated for future exams.

    • You won’t know which items are operational or pre-test, so give your best shot at each one based on the information provided.

    The CISSP exam focuses on eight weighted domains, as outlined in the exam outline: https://www.isc2.org/Certifications/cissp/Certification-Exam-Outline. It’s an adaptive exam, meaning it adjusts to your performance, allowing you to demonstrate your mastery of concepts in each domain.

    Passing the exam at 125 items shows your proficiency across all domains. If you don’t pass at 125 items, it means you haven’t demonstrated enough proficiency in multiple domains to reach the minimum passing score. Going beyond 125 items provides you with the chance to prove your proficiency in other domains and achieve that passing score. So keep pushing forward and show those domains who’s boss!

    Candidates are advised to regularly consult the up-to-date exam content outline and the certification section of the (ISC)² website at https://www.isc2.org/Certifications/CISSP. All the necessary information pertaining to registration, scheduling, and taking the CISSP exam can be found there. It is crucial for candidates to refer to these resources for the most accurate and relevant information.

    Advice on Taking the Exam

    The CISSP exam content and passing standard remain the same.

    Here’s what you need to know:

    • The exam format doesn’t affect your preparation strategy. Stick to your study plan regardless of whether it’s a linear or CAT version.

    • Time management is crucial. Use it wisely to provide well-thought-out responses to meet the minimum item requirement.

    • Be prepared for challenging questions. It’s normal for candidates to feel like they didn’t perform well, because the expectation is to answer only about 50% of the items correctly. This is common in CAT exams; by comparison, fixed-form exams typically produce a higher proportion of correct answers because they are less efficient at matching item difficulty to the candidate. Remember, it’s not the number of items you answer correctly, but the difficulty level of the items you answer correctly, that matters for passing the exam.

    • Stay confident, stay focused, and keep in mind that everyone faces the same challenge. Your ability to tackle the difficult questions will be the key to your success!

    Completing the Certification Process

    Once you’ve received confirmation that you’ve successfully passed the CISSP certification, there’s one final step before you officially become a CISSP-certified professional. This step is called endorsement, and it involves having someone who is familiar with your work history sign and submit an endorsement form on your behalf.

    The endorsement form will be sent to you as an attachment in the email notifying you of your exam success. All you need to do is send the form to a manager, supervisor, or another CISSP, along with your resume. The endorser will review your resume, verify that you have sufficient experience in the 8 CISSP domains, and then submit the signed form to (ISC)² via fax or mail.

    It’s important to complete the endorsement process within 90 days after receiving the confirmation email of passing the exam. Once (ISC)² receives your endorsement form, the final steps will be taken to award you the CISSP certification label. Congratulations on reaching this stage of the certification process!

    ABOUT THE AUTHOR


    Kumud Kumar, a highly esteemed professional holding an impressive array of certifications including CISSP, CISA, C|CISO, VCP, MCSE, CCNA, CCSA, and ITIL, has made significant contributions to the fields of information technology and information security. Currently serving as the Chief Information Security Officer (CISO) of a reputable organization in Singapore, Kumud brings extensive experience and expertise to his role.

    He is an active member of esteemed organizations such as ISC2, ISACA, and EC-Council Singapore Chapter. Throughout his illustrious career, he has held various positions in organizations worldwide, showcasing his versatility and adaptability in diverse environments. As an Information Technologist and information security professional, he has played a pivotal role in ensuring the confidentiality, integrity, and availability of critical data and systems.

    Driven by his passion for research, he continuously explores cutting-edge technologies and stays at the forefront of industry trends. His inquisitive nature and commitment to continuous learning enable him to develop innovative solutions for complex challenges in information security.

    Academically, he holds a master’s degree in electronics from Magadh University, Bodh Gaya. This background gives him a strong foundation in electronic systems and their applications in the modern digital landscape. Beyond his technical expertise, he is highly regarded for his ability to communicate complex concepts clearly. As a teacher, he shares his knowledge and insights with aspiring professionals, helping them build their skills and understanding in information security.

    His expertise has also made him a sought-after speaker at industry conferences and events. His captivating presentations and engaging discussions inspire audiences, shedding light on emerging trends, best practices, and the utmost importance of information security in today’s interconnected world.

    As a mentor, he has guided numerous individuals, sharing his experiences and providing practical guidance to help them navigate their careers in information technology and security. He also writes clearly and concisely; his articles, research papers, and publications have established his reputation as a thought leader in the industry.

    Overall, Kumud Kumar is a well-rounded professional who excels as a Chief Information Security Officer. His commitment to advancing the field of information security, together with his contributions through teaching, speaking engagements, mentorship, and writing, make him a highly respected and influential figure in the industry.

    DOMAIN 1

    Security and Risk Management

    1.1 Understand, adhere to, and promote professional ethics

    1.1.1 (ISC)² Code of Professional Ethics

    The (ISC)² Code of Professional Ethics is a set of principles that defines the ethical standards expected of information security professionals who hold (ISC)² certifications, such as the CISSP, CCSP, and CSSLP. Every candidate must agree to it before being certified, and it is a mandatory, not optional, condition of holding the credential.

    The (ISC)² Code of Professional Ethics is based on four main canons:

    Protect society, the common good, necessary public trust and confidence, and the infrastructure: This canon emphasizes protecting the public interest by safeguarding critical infrastructure and information systems from threats and vulnerabilities. Practitioners apply it by implementing sound security controls, such as firewalls, intrusion detection systems, and access controls, to protect critical infrastructure and sensitive data.

    Act honorably, honestly, justly, responsibly, and legally: This canon emphasizes acting with integrity, honesty, and fairness while complying with all relevant laws and regulations. Practitioners apply it by avoiding conflicts of interest, reporting unethical behavior or misconduct, and being transparent about their activities and findings.

    Provide diligent and competent service to principals: This canon emphasizes delivering high-quality, professional services to employers and clients (the "principals") while maintaining confidentiality and respecting privacy. Practitioners apply it by conducting thorough risk assessments, providing accurate and timely reports to management, and ensuring that security policies and procedures are followed.

    Advance and protect the profession: This canon emphasizes promoting and maintaining the reputation of the information security profession and contributing to the field through research, education, and professional development. Practitioners apply it by sharing knowledge with colleagues, participating in industry associations and events, and contributing to best practices and standards. Note that the canons are listed in priority order: where two conflict, the earlier canon prevails.

    By following these canons, information security professionals who hold (ISC)² certifications are expected to uphold high standards of professional conduct and promote the trust and confidence of stakeholders in the profession. Failure to adhere to the (ISC)² Code of Professional Ethics may result in disciplinary action, including the revocation of certification.

    1.1.2 Organizational code of ethics

    An organizational code of ethics is a set of guidelines and principles that outlines the values, standards, and behaviors expected of employees within an organization. The purpose of an organizational code of ethics is to promote ethical conduct, integrity, and professionalism among employees, as well as to protect the interests of the organization, its stakeholders, and the wider society.

    An organizational code of ethics typically covers a wide range of topics, such as conflict of interest, confidentiality, data protection, anti-bribery and corruption, workplace safety, and environmental protection. It may also address issues related to social responsibility, diversity and inclusion, and human rights.

    An effective organizational code of ethics should be clear, concise, and communicated to all employees, as well as regularly reviewed and updated to reflect changing circumstances and expectations. Organizations that adhere to a strong code of ethics are more likely to maintain a positive reputation, retain talented employees, and avoid legal and regulatory penalties associated with unethical behavior.

    1.2 Understand and apply security concepts

    1.2.1 Confidentiality, integrity, and availability, authenticity and nonrepudiation

    Confidentiality, integrity, and availability (CIA) are the three primary objectives of information security, while authenticity and non-repudiation are additional objectives.

    Figure 1: CIA Framework

    Confidentiality refers to the protection of sensitive information from unauthorized disclosure or access. It ensures that only authorized individuals or systems can access confidential information.

    Confidentiality is important for protecting sensitive data such as trade secrets, financial information, or personally identifiable information (PII). It is achieved through access control, encryption, and secure data storage. Access control mechanisms such as user authentication, authorization, and multi-factor authentication ensure that only authorized personnel can reach the data. Encryption protects data in transit or at rest by rendering it unreadable to anyone without the decryption key. Secure data storage means keeping sensitive data in a location protected against unauthorized physical and logical access.

    Here are some examples of tools and techniques used to implement the principles of confidentiality:

    Encryption: A technique that transforms readable data (plaintext) into ciphertext that can only be recovered with the correct key. Modern practice favors authenticated encryption (for example AES-GCM or ChaCha20-Poly1305), which also detects tampering with the ciphertext. Tools that provide encryption include OpenSSL (a library and command-line toolkit), BitLocker (Windows full-disk encryption), and VeraCrypt (cross-platform volume encryption).

    Access Controls: This is a method used to restrict access to sensitive information to only authorized personnel. Access control can be implemented through techniques such as password authentication, two-factor authentication, biometric authentication, and role-based access control. Tools that provide access control include Microsoft Active Directory, Okta, and Duo.

    Integrity refers to the protection of data from unauthorized modification, destruction, or deletion. It ensures that data is accurate, complete, and trustworthy.

    Integrity is essential for ensuring that data is accurate, trustworthy, and has not been tampered with. It is maintained through input validation, cryptographic checks, access controls, and backups. Validation checks ensure that data is complete, accurate, and in the expected format before it is accepted. Hashes, message authentication codes, and digital signatures detect modification after the fact. Access controls limit who can change data in the first place. Backups do not detect tampering, but they provide known-good copies from which data can be restored after accidental deletion, corruption, or system failure.

    Here are some examples of tools and techniques used to implement the principles of Integrity:

    Hashing: A cryptographic hash function maps data of any size to a fixed-size digest; any change to the data, even a single bit, produces a different digest, so comparing digests reveals modification. Suitable functions include SHA-256 and SHA-512 (the SHA-2 family) and SHA-3; MD5 and SHA-1 are no longer collision-resistant and should not be used for integrity protection. A plain hash only detects accidental change: an attacker who can alter the data can also recompute and replace the digest, so when tampering is the threat the digest must be protected, either by a keyed hash (HMAC) or by a digital signature. Tools that compute hashes include sha256sum, OpenSSL, and certutil on Windows.

    Digital Signatures: A signature is computed over a document or message with the signer’s private key and verified by anyone holding the corresponding public key. It proves that the content was not altered after signing and that it was signed by the holder of that key, providing integrity, authentication, and non-repudiation. OpenPGP is a standard rather than a tool; tools that implement signatures include GnuPG (an OpenPGP implementation), OpenSSL, and Adobe Sign.

    Availability refers to the timely access to information and computing resources. It ensures that authorized users have access to the information they need when they need it.

    Availability is important for ensuring that authorized personnel have timely access to the data when they need it. Availability can be achieved by ensuring that systems and networks are up and running, that data is backed up, and that there are sufficient resources to handle the workload. System uptime can be achieved through redundancy, failover systems, and load balancing.

    Here are some examples of tools and techniques used to implement the principles of Availability:

    Redundancy: A technique that keeps data or services available even when individual hardware or software components fail, implemented through clustering, load balancing, and RAID (redundant array of independent disks). Cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud supply the building blocks for redundancy: multiple availability zones, managed load balancers, and replicated storage.

    Disaster Recovery: This is a plan that outlines the steps to be taken in the event of a system failure, natural disaster, or other emergency. Disaster recovery plans include data backup and restoration, redundant systems, and off-site data storage. Tools that provide disaster recovery include Veeam Backup & Replication, Zerto, and Rubrik.

    Authenticity refers to the ability to verify that a user, system, or piece of data is genuine: that a user or system is who it claims to be, and that data originates from the claimed source and has not been altered.

    Authenticity is important for verifying the identity of the user or system that is accessing data. This is important in preventing unauthorized access to sensitive data or systems. Authentication mechanisms like passwords, biometrics, or multi-factor authentication can be used to verify the identity of users or systems.

    Here are some examples of tools and techniques used to implement the principles of Authenticity:

    Multi-Factor Authentication (MFA): A technique that verifies a user’s identity by requiring evidence from two or more different categories: something you know (a password or PIN), something you have (a smart card, hardware token, or authenticator app), and something you are (a biometric). Two items from the same category, such as a password and a security question, do not constitute MFA. Tools that provide MFA include Microsoft Authenticator, Google Authenticator, and RSA SecurID.

    Public Key Infrastructure (PKI): This is a system used to verify the identity of users and devices on a network. PKI uses digital certificates and public-key cryptography to provide authentication, integrity, and non-repudiation. Tools that provide PKI include OpenSSL, Microsoft Certificate Services, and Red Hat Certificate System.

    Non-repudiation refers to the ability to prove the origin of a message or communication and prevent its denial. It ensures that a user cannot deny that they sent a message or performed an action.

    Non-repudiation is important for ensuring that a user cannot deny that they sent a message or performed an action. This can be achieved through digital signatures, audit trails, and time-stamping.

    Here are some examples of tools and techniques used to implement the principles of non-repudiation:

    Audit Logs: A record of user activity and system events that establishes who did what and when. Logs only support non-repudiation if the person whose actions they record cannot alter them, so they should be forwarded promptly to a separate, write-once or append-only log store, time-synchronized, and protected by access controls independent of the systems they monitor. Tools that collect and manage audit logs include Windows Event Viewer, syslog, and the Elastic Stack.

    Digital Certificates: A certificate binds a public key to an identity, signed by a certificate authority. Combined with a digital signature made with the corresponding private key, it allows a verifier to attribute a signed message to a specific person or device. This attribution holds only if the private key has been kept solely under the signer’s control, which is why key protection (hardware tokens, HSMs) and prompt revocation of compromised keys are part of any non-repudiation claim. Tools that issue and manage certificates include OpenSSL, Microsoft Certificate Services, and Red Hat Certificate System.
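    The three mechanisms discussed under integrity, authenticity, and non-repudiation (hashing, keyed authentication, and digital signatures) can be shown side by side. The following Go program is an added example, not code from the book; it uses only the standard library (crypto/sha256, crypto/hmac, crypto/ed25519), and the message, the shared secret, and the attacker scenario are constructed for illustration. It demonstrates why a plain hash does not stop deliberate tampering, why an HMAC does, and why an HMAC nonetheless cannot give non-repudiation while a signature can.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the hex SHA-256 digest of data. Any change to data yields a
// different digest, which catches accidental corruption. It does NOT catch
// deliberate tampering on its own: whoever can rewrite the data can also
// recompute and replace the digest stored beside it.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// AttackerReplaces models an adversary who controls the channel (constructed
// scenario): they drop the original and send their own message together with
// a freshly computed digest, which the recipient's hash check will accept.
func AttackerReplaces(newMsg []byte) (msg []byte, digest string) {
	return newMsg, Digest(newMsg)
}

// Tag computes HMAC-SHA256 over data with a shared secret. Only a party holding
// the secret can produce a valid tag, so a verified tag gives integrity plus
// authenticity of origin (someone who knew the key sent it).
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyTag compares tags in constant time; a plain bytes.Equal would leak
// through timing how many leading bytes of a guessed tag were correct.
func VerifyTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// Signer holds an Ed25519 key pair. The private key never leaves the signer,
// which is what lets a verified signature support non-repudiation: the verifier
// holds only the public key and could not have produced the signature. With
// HMAC both sides hold the same key, so either party could have made the tag.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Sign returns the Ed25519 signature over data. Ed25519 is deterministic:
// signing the same message twice with the same key yields identical bytes.
func (s *Signer) Sign(data []byte) []byte { return ed25519.Sign(s.priv, data) }

func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// VerifySignature checks sig over data against pub.
func VerifySignature(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	original := []byte("transfer 100 to account 42") // constructed sample message
	forged := []byte("transfer 900 to account 99")
	secret := []byte("shared-secret-for-illustration")

	// 1. Plain hash: detects corruption, but the attacker simply re-hashes.
	msg, d := AttackerReplaces(forged)
	fmt.Println("plain hash still verifies after replacement:", Digest(msg) == d)

	// 2. HMAC: the attacker cannot produce a tag without the secret.
	tag := Tag(secret, original)
	fmt.Println("HMAC accepts original:", VerifyTag(secret, original, tag))
	fmt.Println("HMAC accepts forged:  ", VerifyTag(secret, forged, tag))

	// 3. Signature: binds the message to one private-key holder.
	alice, _ := NewSigner()
	bob, _ := NewSigner()
	sig := alice.Sign(original)
	fmt.Println("verifies under Alice's key:", VerifySignature(alice.PublicKey(), original, sig))
	fmt.Println("verifies under Bob's key:  ", VerifySignature(bob.PublicKey(), original, sig))
	fmt.Println("verifies over forged text: ", VerifySignature(alice.PublicKey(), forged, sig))
}
```

Read the three sections as a ladder: the hash alone proves nothing about who produced the data; the HMAC proves it came from a key holder but, because the verifier is also a key holder, cannot settle a dispute between the two parties; only the signature, whose private key one party alone controls, gives the property the non-repudiation paragraph above asks for. In practice the public key would be distributed inside a certificate so that the verifier also knows whose key it is.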

    In summary, these principles are essential for ensuring the security of sensitive data and protecting against unauthorized access or alteration. By implementing security controls and measures that address these principles, organizations can ensure that their data is secure, trustworthy, and available to authorized users when and where they need it.

    1.3 Evaluate and apply security governance principles

    1.3.1 Alignment of the security function to business strategy, goals, mission, and objectives

    Aligning the security function to business strategy involves understanding the organization’s objectives and ensuring that security goals support and align with those objectives. The process requires collaboration between security and business leaders to identify and prioritize security risks and develop strategies that mitigate those risks while supporting business objectives.

    The alignment process involves several key steps:

    Conducting a risk assessment: A risk assessment helps identify the organization’s critical assets and potential security risks. The assessment should identify the impact of security incidents on the organization’s business operations, reputation, and financial stability.

    Developing a security strategy: Based on the results of the risk assessment, the security function should develop a comprehensive security strategy that addresses the identified risks. The strategy should prioritize security investments and efforts based on the potential impact of security incidents on the organization’s business objectives.

    Establishing policies and procedures: The security function should establish policies and procedures that support the security strategy and ensure that employees and other stakeholders understand their roles and responsibilities.

    Implementing security controls: The security function should implement appropriate security controls to protect critical assets and mitigate identified risks. This may include implementing access controls, intrusion detection systems, encryption, or other technical controls.

    Measuring performance: To ensure that the security function is aligned with the organization’s
