Certified Information System Security Professional (CISSP) is a coveted certification for an information security professional to achieve. Certified individuals are considered experienced and knowledgeable information security professionals. This is due to the fact that the certification's requirements are that the candidate not only has to pass the exam, but have 4 to 5 years of relevant practical experience in one or two domains of information security.
The exam is conducted by the International Information System Security Certification Consortium (ISC)²®, a nonprofit consortium that is the globally recognized Gold Standard for certifying information security professionals throughout their careers. (ISC)²® was founded in 1989 by industry leaders and has certified over 1,00,000 information security professionals across the globe.
While preparing for CISSP™, a candidate has to study many books and references. There are many books that cover the CISSP™ CBK™ domains in depth and provide a starting point for a thorough preparation for the exam. References to such books are covered in the references chapter at the end of this book. However, since there are many concepts spread across the eight security domains, it is an important starting point as a guide to explore deeper concepts, as well as refresh many concepts that need to be revised before the exam. This book addresses the requirements of the initial preparation for the exam, as well as revisiting the key concepts in these eight domains. To facilitate such a need core concept, the eight CISSP information security domains are explained in a short, simple, and lucid form.
Chapter 1, Day 1 – Security and Risk Management - Security, Compliance, and Policies, covers the foundational concepts in information security, such as Confidentiality, Integrity, and Availability (CIA) from the first domain of CISSP Common Body of Knowledge (CBK)®.
Chapter 2, Day2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education, covers risk management practices that include the identification of risks through risk analysis and assessment, and mitigation techniques such as reduction, moving, transferring, and avoiding risks. An overview of business continuity requirements, developing and documenting project scopes and plans, and conducting business impact analyses is provided. Further more policies and practices pertaining to personnel security are covered.
Chapter 3, Day 3 – Asset Security - Information and Asset Classification, covers the classification of information and supporting assets; the collection of information, its handling and protection throughout its lifecycle, and ownership of information and its privacy; and data retention requirements and methods.
Chapter 4, Day 4 – Asset Security - Data Security Controls and Handling, covers data security controls that include Data Loss Prevention strategies, such as data at rest, data in transit, data in use, and data handling requirements for sensitive information.
Chapter 5, Day 5 – Exam Cram and Practice Questions, covers important concepts and information from the first two domains of the CISSP CBK, namely Security and Risk Management and Asset Security. They are provided in an exam-cram format for fast review and serve to reinforce of the two domains covered in the previous four chapters.
Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation, covers concepts for using secure design principles while implementing and managing engineering processes. Information security models and system security evaluation models with controls and countermeasures, and security capabilities in information systems, are also covered. Also, vulnerability assessment and mitigation strategies in information systems, web-based systems, mobile systems, and embedded and cyber-physical systems are covered in detail.
Chapter 7, Day 7 – Security Engineering - Cryptography, covers the application of cryptography in information security requirements. Various concepts such as the cryptographic life cycle, types of cryptography, public key infrastructure, and so on are covered with illustrations. The methods of cryptanalytic attack are covered in detail with suitable examples.
Chapter 8, Day 8 – Communication and Network Security - Network Security, covers foundational concepts in network architecture and network security. IP and non-IP protocols, and their applications and vulnerabilities, are covered in detail, along with wireless networks and their security requirements. Application of cryptography in communication security, with illustrations and concepts related to securing network components.
Chapter 9, Day 9 – Communication and Network Security - Communication Security, covers communication channels such as voice, multimedia, remote access, data communications, virtualized networks, and so on, and their security requirements. Preventing or mitigating network attacks is also covered, with illustrations.
Chapter 10, Day 10 – Exam Cram and Practice Questions, covers important concepts and information from the third and fourth domains of the CISSP CBK, namely security engineering and communication and network security. They are provided in an exam cram format for fast review and serve to reinforce the two domains covered in the previous four chapters.
Chapter 11, Day 11 – Identity and Access Management - Identity Management, covers provisioning and managing the identities and the access used in the interaction between humans and information systems. Core concepts of identification, authentication, authorization, and accountability, are covered in detail. Concepts related to identity as a service or cloud-based third-party identity services are covered, as well as security requirements in such services, with illustrations.
Chapter 12, Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks, focuses on access control concepts, methods, attacks, and countermeasures in detail.
Chapter 13, Day 13 – Security Assessment and Testing - Designing and Performing Security Assessment and Tests, covers tools, methods, and techniques for identifying and mitigating risks due to architectural issues using systematic security assessment and testing of information assets and associated infrastructure. Security control requirements and their effectiveness assessment are also covered.
Chapter 14, Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting, covers management and operational controls pertaining to security process data. Analyzing and reporting test outputs, either automated or through manual methods, and conducting or facilitating internal and third-party audits, are covered in detail.
Chapter 15, Day 15 – Exam Cram and Practice Questions, covers important concepts and information from the fifth and sixth domains of the CISSP CBK, namely Identity and Access Management and security assessment and testing. They are provided in an exam cram format for fast review and serve to reinforce the two domains covered in the previous four chapters.
Chapter 16, Day 16 – Security Operations - Foundational Concepts, covers physical security strategies that include secure facility and website design, data center security, hazards, and media storage. Concepts on logging and monitoring activities, investigations, security in the provision of resources, operations security, and resource protection techniques are covered in detail.
Chapter 17, Day 17 – Security Operations - Incident Management and Disaster Recovery, covers incident management, disaster recovery, and business continuity-related concepts that pertains to security operations.
Chapter 18, Day 18 – Software Development Security - Security in Software Development Life Cycle, covers the application of security concepts and the best practices for the production and development of software environments. Security in the software development life cycle is also covered in detail.
Chapter 19, Day 19 – Software Development Security - Assessing Effectiveness of Software Security, covers assurance requirements in software and ways to assess the effectiveness of software security. It also covers the different methods and techniques to assess the security impact of acquired software.
Chapter 20, Day 20 – Exam Cram and Practice Questions, covers important concepts and information from the seventh and eighth domains of the CISSP CBK®, namely security operations and software development security. They are provided in an exam cram format for fast review and serve to reinforce the two domains covered in the previous four chapters.
Chapter 21, Day 21 – Exam Cram and Mock Test, consists of an exam cram from all the eight domains in CISSP CBK®.
There are no software/hardware requirements for this quick reference and revision guide. You only need to build your confidence with the systematic study and revision of the concepts in the information security domain to crack the CISSP examination.
This book is for all aspirants who are planning to take the CISSP examination and obtain the coveted CISSP certification that is considered the "Gold Standard" in Information Security personal certification.
It assumes that the candidate already has sufficient knowledge in all the eight domains of the CISSP CBK by way of work experience and knowledge gained from other study books. This book provides concise explanations of the core concepts that are covered in the exam.
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "In a three-way handshake, first the client (workstation) sends a request to the server (for example, www.some_website.com
)."
New terms and important words are shown in bold.
Feedback from our readers is always welcome. Let us know what you think about this book-what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from http://www.packtpub.com/sites/default/files/downloads/CISSPin21DaysSecondEdition_ColorImages.pdf.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books-maybe a mistake in the text or the code-we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at [email protected] with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.