Certified Information Systems Security Pro (CISSP) Exam 2023

Description

Instructor Availability 24 × 7
Everything Explained
Learn From Experts and Pass your Exam in First Attempt with Confidence

The Certified Information Systems Security Professional (CISSP) exam validates an information security professional's deep technical and managerial knowledge. As a globally recognized certification in the information security market, the exam tests the candidate's ability to effectively design, engineer, and manage the overall security posture of an organization.

Detailed Contents

Domain 1: Security and Risk Management
1.1 Understand and apply concepts of confidentiality, integrity and availability
1.2 Evaluate and apply security governance principles
  - Alignment of security function to business strategy, goals, mission, and objectives
  - Organizational processes (e.g., acquisitions, divestitures, governance committees)
  - Organizational roles and responsibilities
  - Security control frameworks
  - Due care/due diligence
1.3 Determine compliance requirements
  - Contractual, legal, industry standards, and regulatory requirements
  - Privacy requirements
1.4 Understand legal and regulatory issues that pertain to information security in a global context
  - Cyber crimes and data breaches
  - Licensing and intellectual property requirements
  - Import/export controls
  - Trans-border data flow
  - Privacy
1.5 Understand, adhere to, and promote professional ethics
  - (ISC)² Code of Professional Ethics
  - Organizational code of ethics
1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
  - Develop and document scope and plan
  - Business Impact Analysis (BIA)
1.8 Contribute to and enforce personnel security policies and procedures
  - Candidate screening and hiring
  - Employment agreements and policies
  - Onboarding and termination processes
  - Vendor, consultant, and contractor agreements and controls
  - Compliance policy requirements
  - Privacy policy requirements
1.9 Understand and apply risk management concepts
  - Identify threats and vulnerabilities
  - Risk assessment/analysis
  - Risk response
  - Countermeasure selection and implementation
  - Applicable types of controls (e.g., preventive, detective, corrective)
1.10 Understand and apply threat modeling concepts and methodologies
  - Threat modeling methodologies
  - Threat modeling concepts
1.11 Apply risk-based management concepts to the supply chain
  - Risks associated with hardware, software, and services
  - Third-party assessment and monitoring
  - Minimum security requirements
  - Service-level requirements
1.12 Establish and maintain a security awareness, education, and training program
  - Methods and techniques to present awareness and training
  - Periodic content reviews
  - Program effectiveness evaluation

Domain 2: Asset Security
2.1 Identify and classify information and assets
  - Data classification
  - Asset classification
2.2 Determine and maintain information and asset ownership
2.3 Protect privacy
  - Data owners
  - Data processors
  - Collection limitation
  - Data remanence
2.4 Ensure appropriate asset retention
2.5 Determine data security controls
  - Understand data states
  - Scoping and tailoring
  - Standards selection
  - Data protection methods
2.6 Establish information and asset handling requirements

Domain 3: Security Architecture and Engineering
3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
  - Client-based systems
  - Server-based systems
  - Database systems
  - Cryptographic systems
  - Industrial Control Systems (ICS)
  - Cloud-based systems
  - Distributed systems
  - Internet of Things (IoT)
3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography
  - Cryptographic life cycle (e.g., key management, algorithm selection)
  - Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
  - Public Key Infrastructure (PKI)
  - Key management practices
  - Digital signatures
  - Non-repudiation
  - Integrity (e.g., hashing)
  - Understand methods of cryptanalytic attacks
  - Digital Rights Management (DRM)
3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls
  - Wiring closets/intermediate distribution facilities
  - Server rooms/data centers
  - Media storage facilities
  - Evidence storage
  - Restricted and work area security
  - Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
  - Environmental issues
  - Fire prevention, detection, and suppression

Domain 4: Communication and Network Security
4.1 Implement secure design principles in network architectures
  - Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
  - Internet Protocol (IP) networking
  - Implications of multilayer protocols
  - Converged protocols
  - Software-defined networks
  - Wireless networks
4.2 Secure network components
  - Operation of hardware
  - Transmission media
  - Network Access Control (NAC) devices
  - Endpoint security
  - Content-distribution networks
4.3 Implement secure communication channels according to design
  - Voice
  - Multimedia collaboration
  - Remote access
  - Data communications
  - Virtualized networks

Domain 5: Identity and Access Management (IAM)
5.1 Control physical and logical access to assets
  - Information
  - Systems
  - Devices
  - Facilities
5.2 Manage identification and authentication of people, devices, and services
  - Identity management implementation
  - Single/multi-factor authentication
  - Accountability
  - Session management
  - Registration and proofing of identity
  - Federated Identity Management (FIM)
  - Credential management systems
5.3 Integrate identity as a third-party service
  - On-premise
  - Cloud
  - Federated
5.4 Implement and manage authorization mechanisms
  - Role Based Access Control (RBAC)
  - Rule-based access control
  - Mandatory Access Control (MAC)
  - Discretionary Access Control (DAC)
  - Attribute Based Access Control (ABAC)
5.5 Manage the identity and access provisioning lifecycle
  - User access review
  - System account access review
  - Provisioning and deprovisioning

Domain 6: Security Assessment and Testing
6.1 Design and validate assessment, test, and audit strategies
  - Internal
  - External
  - Third-party
6.2 Conduct security control testing
  - Vulnerability assessment
  - Penetration testing
  - Log reviews
  - Synthetic transactions
  - Code review and testing
  - Misuse case testing
  - Test coverage analysis
  - Interface testing
6.3 Collect security process data (e.g., technical and administrative)
  - Account management
  - Management review and approval
  - Key performance and risk indicators
  - Backup verification data
  - Training and awareness
  - Disaster Recovery (DR) and Business Continuity (BC)
6.4 Analyze test output and generate report
6.5 Conduct or facilitate security audits
  - Internal
  - External
  - Third-party

Domain 7: Security Operations
7.1 Understand and support investigations
  - Evidence collection and handling
  - Reporting and documentation
  - Investigative techniques
  - Digital forensics tools, tactics, and procedures
7.2 Understand requirements for investigation types
  - Administrative
  - Criminal
  - Civil
  - Regulatory
  - Industry standards
7.3 Conduct logging and monitoring activities
  - Intrusion detection and prevention
  - Security Information and Event Management (SIEM)
  - Continuous monitoring
  - Egress monitoring
7.4 Securely provisioning resources
  - Asset inventory
  - Asset management
  - Configuration management
7.5 Understand and apply foundational security operations concepts
  - Need-to-know/least privilege
  - Separation of duties and responsibilities
  - Privileged account management
  - Job rotation
  - Information lifecycle
  - Service Level Agreements (SLA)
7.6 Apply resource protection techniques
  - Media management
  - Hardware and software asset management
7.7 Conduct incident management
  - Detection
  - Response
  - Mitigation
  - Reporting
  - Recovery
  - Remediation
  - Lessons learned
7.8 Operate and maintain detective and preventative measures
  - Firewalls
  - Intrusion detection and prevention systems
  - Whitelisting/blacklisting
  - Third-party provided security services
  - Sandboxing
  - Honeypots/honeynets
  - Anti-malware
7.9 Implement and support patch and vulnerability management
7.10 Understand and participate in change management processes
7.11 Implement recovery strategies
  - Backup storage strategies
  - Recovery site strategies
  - Multiple processing sites
  - System resilience, high availability, Quality of Service (QoS), and fault tolerance
7.12 Implement Disaster Recovery (DR) processes
  - Response
  - Personnel
  - Communications
  - Assessment
  - Restoration
  - Training and awareness
7.13 Test Disaster Recovery Plans (DRP)
  - Read-through/tabletop
  - Walkthrough
  - Simulation
  - Parallel
  - Full interruption
7.14 Participate in Business Continuity (BC) planning and exercises
7.15 Implement and manage physical security
  - Perimeter security controls
  - Internal security controls
7.16 Address personnel safety and security concerns
  - Travel
  - Security training and awareness
  - Emergency management
  - Duress

Domain 8: Software Development Security
8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
  - Development methodologies
  - Maturity models
  - Operation and maintenance
  - Change management
  - Integrated product team
8.2 Identify and apply security controls in development environments
  - Security of the software environments
  - Configuration management as an aspect of secure coding
  - Security of code repositories
8.3 Assess the effectiveness of software security
  - Auditing and logging of changes
  - Risk analysis and mitigation
8.4 Assess security impact of acquired software
8.5 Define and apply secure coding guidelines and standards
  - Security weaknesses and vulnerabilities at the source-code level
  - Security of application programming interfaces
  - Secure coding practices

Pay one time and ensure your success by practicing exams from exam experts. The price you pay is worth it compared with paying for certification exams again and again. Every concept has been covered and explained. Practice these tests and pass your exam with confidence.
