Destination CISSP: A Concise Guide, Second Edition
Rob Witcher, John Berti, Lou Hablas, Nick Mitropoulos
CONTENTS
Why This Book
Who is the CISSP meant for?
Value of the CISSP certification
How to best use this book
What are “Core Concepts” and “Expect to be tested on?”
About the Exam
April 2024 exam change summary
Mindset
About the Authors
Rob Witcher
John Berti
Lou Hablas
Nick Mitropoulos
Revision Editor
Josh Lake
Technical Reviewer
Taz Wake
Notes on the Book
What’s up with the mixed case in the titles?
Hey! I found a mistake in the book!
INTRODUCTION
DOMAIN 1: Security and Risk Management
1.1 Understand, adhere to, and promote professional ethics
1.1.1 ISC2 Code of Professional Ethics
1.1.2 Organizational Code of Ethics
1.2 Understand and apply security concepts
1.2.1 Confidentiality, Integrity, Availability, Authenticity, and Nonrepudiation
1.3 Evaluate, apply, and sustain security governance principles
1.3.1 Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives
1.3.2 Organizational Processes
1.3.3 Organizational Roles and Responsibilities
1.3.4 Security Control Frameworks
1.3.5 Due Care versus Due Diligence
1.4 Understand legal, regulatory, and compliance issues that pertain to information in a holistic security context
1.4.1 Cybercrimes and Data Breaches
1.4.2 Licensing and Intellectual Property Requirements
1.4.3 Import/Export Controls
1.4.4 Transborder Data Flow
1.4.5 Issues Related to Privacy
1.4.6 Contractual, Legal, and Industry Standards and Regulatory Requirements
1.5 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
1.6 Develop, document, and implement security policies, procedures, standards, baselines, and guidelines
1.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
1.8 Contribute to and enforce personnel security policies and procedures
1.8.1 Candidate Screening and Hiring
1.8.2 Employment Agreements and Policy Driven Requirements
1.9 Understand and apply risk management concepts
1.9.1 Risk Management
1.9.2 Asset Valuation
1.9.3 Risk Analysis
1.9.4 Annualized Loss Expectancy (ALE) Calculation
1.9.5 Risk Response/Treatment
1.9.6 Applicable Types of Controls
1.9.7 Categories of Controls
1.9.8 Functional and Assurance
1.9.9 Selecting Controls
1.9.10 Risk Management Frameworks
1.10 Understand and apply threat modeling concepts and methodologies
1.11 Apply supply chain risk management (SCRM) concepts
1.11.1 Risks Associated with the Acquisition of Products and Services from Suppliers and Providers
1.11.2 Risk Mitigations
1.12 Establish and maintain a security awareness, education, and training program
1.12.1 Methods and Techniques to Increase Awareness, Training, and Education
1.12.2 Periodic Content Reviews to Include Emerging Technologies and Trends
1.12.3 Program Effectiveness Evaluation
MINDMAP REVIEW VIDEOS
REVIEW QUESTIONS
DOMAIN 2: Asset Security
2.1 Identify and classify information and assets
2.1.1 Asset Classification
2.1.2 Classification Process
2.1.3 Classification versus Categorization
2.1.4 Labeling and Marking
2.2 Establish information and asset handling requirements
2.2.1 Media Handling
2.3 Provision information and assets securely
2.3.1 Data Classification Roles and Responsibilities
2.3.2 Data Classification Policy
2.4 Manage data life cycle
2.4.1 Information Life Cycle
2.4.2 Data Destruction
2.5 Ensure appropriate asset retention
2.5.1 Data Archiving
2.6 Determine data security controls and compliance requirements
2.6.1 Protecting Data at Rest
2.6.2 Protecting Data in Transit
2.6.3 Protecting Data in Use
2.6.4 Information Obfuscation Methods
2.6.5 Digital Rights Management (DRM)
2.6.6 Data Loss Prevention (DLP)
MINDMAP REVIEW VIDEOS
REVIEW QUESTIONS
DOMAIN 3: Security Architecture and Engineering
3.1 Research, implement, and manage engineering processes using secure design principles
3.1.1 Security’s Involvement in Design and Build
3.1.2 Determining Appropriate Security Controls
3.2 Understand the fundamental concepts of security models
3.2.1 Security Models
3.2.2 Enterprise Security Architecture
3.2.3 Layer-based Models
3.2.4 Rule-based Models
3.2.5 Certification and Accreditation
3.2.6 Evaluation Criteria (ITSEC and TCSEC)
3.2.7 Common Criteria
3.3 Select controls based upon systems security requirements
3.3.1 Security Control Frameworks
3.4 Understand security capabilities of information systems
3.4.1 RMC, Security Kernel, and TCB
3.4.2 Processors (CPUs)
3.4.3 Process Isolation
3.4.4 Types of Storage
3.4.5 System Kernel
3.4.6 Privilege Levels
3.4.7 Middleware
3.4.8 Abstraction and Virtualization
3.4.9 Layering/Defense-in-Depth
3.4.10 Trusted Platform Modules (TPM)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
3.5.1 Vulnerabilities in Systems
3.5.2 Hardening
3.5.3 Risk in Mobile Systems
3.5.4 OWASP Mobile Top 10
3.5.5 Distributed Systems
3.5.6 Inference and Aggregation
3.5.7 Industrial Control Systems (ICS)
3.5.8 Internet of Things (IoT)
3.5.9 Cloud Service and Deployment Models
3.5.10 Compute in the Cloud
3.5.11 Cloud Forensics
3.5.12 Cloud Computing Roles
3.5.13 Cloud Identities
3.5.14 Cloud Migration
3.5.15 Edge Computing
3.5.16 XSS and CSRF
3.5.17 SQL Injection
3.5.18 Input Validation
3.6 Select and determine cryptographic solutions
3.6.1 Introduction to Cryptography
3.6.2 Cryptographic Terminology
3.6.3 Substitution and Transposition
3.6.4 Steganography and Null Ciphers
3.6.5 Symmetric Cryptography
3.6.6 Asymmetric Cryptography
3.6.7 Hybrid Key Exchange
3.6.8 Message Integrity Controls
3.6.9 Digital Signatures
3.6.10 Digital Certificates
3.6.11 Public Key Infrastructure (PKI)
3.6.12 Key Management
3.6.13 S/MIME
3.7 Understand methods of cryptanalytic attacks
3.7.1 Cryptanalysis
3.7.2 Cryptanalytic Attacks Overview
3.7.3 Cryptographic Attacks
3.8 Apply security principles to site and facility design
3.8.1 Intro to Physical Security
3.8.2 Layered Defense Model
3.9 Design site and facility security controls
3.9.1 Security Survey
3.9.2 Perimeter
3.9.3 Closed-circuit TV (CCTV)
3.9.4 Passive Infrared Devices
3.9.5 Lighting
3.9.6 Doors and Mantraps
3.9.7 Locks
3.9.8 Card Access/Biometrics
3.9.9 Windows
3.9.10 Walls
3.9.11 Automated Teller Machine (ATM) Skimming
3.9.12 Power
3.9.13 Heating Ventilation and Air Conditioning (HVAC)
3.9.14 Fire
3.10 Manage the Information System Lifecycle
MINDMAP REVIEW VIDEOS
PRACTICE QUESTIONS
DOMAIN 4: Communication & Network Security
4.1 Implement secure design principles in network architectures
4.1.1 Open System Interconnection (OSI) Model
4.1.2 Layer 1: Physical
4.1.3 Layer 2: Data Link
4.1.4 Authentication Protocols
4.1.5 Layer 3: Network
4.1.6 Logical Addressing
4.1.7 Layer 4: Transport
4.1.8 Layer 5: Session
4.1.9 Layer 6: Presentation
4.1.10 Layer 7: Application
4.1.11 Network Administrator
4.1.12 Convergence and Voice Over IP (VOIP)
4.1.13 Network Security Attacks
4.1.14 Wireless
4.1.15 VLAN and SDN
4.1.16 Wide Area Networks (WAN)
4.2 Secure network components
4.2.1 Network Architecture
4.2.2 Firewall Technologies
4.2.3 Firewall Architectures
4.2.4 IDS and IPS
4.2.5 Sandbox
4.2.6 Honeypots and Honeynets
4.2.7 Endpoint Security (e.g., host-based)
4.3 Implement secure communication channels according to design
4.3.1 Tunneling and VPNs
4.3.2 IPsec
4.3.3 SSL/TLS
4.3.4 Remote Authentication
MINDMAP REVIEW VIDEOS
PRACTICE QUESTIONS
DOMAIN 5: Identity & Access Management (IAM)
5.1 Control physical and logical access to assets
5.1.1 Access Control
5.1.2 Administration Approaches
5.2 Design identification and authentication strategy
5.2.1 Access Control Services
5.2.2 Identification
5.2.3 Authentication by Knowledge
5.2.4 Authentication by Ownership
5.2.5 Authentication by Characteristics
5.2.6 Factors of Authentication
5.2.7 Credential Management Systems
5.2.8 Single Sign-on (SSO)
5.2.9 CAPTCHA
5.2.10 Session Management
5.2.11 Registration and Proofing of Identity
5.2.12 Authenticator Assurance Levels (AAL)
5.2.13 Federated Identity Management (FIM)
5.2.14 Federated Access Standards
5.2.15 Accountability = Principle of Access Control
5.2.16 Just-in-time (JIT) Access
5.3 Federated identity with a third-party service
5.3.1 Identity as a Service (IDaaS)
5.4 Implement and manage authorization mechanisms
5.4.1 Discretionary Access Control (DAC)
5.4.2 Mandatory Access Control (MAC)
5.4.3 Non-discretionary Access Control
5.4.4 Access Policy Enforcement
5.5 Manage the identity and access provisioning life cycle
5.5.1 Vendor Access
5.5.2 Identity Life Cycle
5.5.3 User Access Review
5.5.4 Privilege Escalation
5.5.3 Service Account Management
5.6 Implement Authentication Systems
5.6.1 Authentication Systems
MINDMAP REVIEW VIDEOS
PRACTICE QUESTIONS
DOMAIN 6: Security Assessment and Testing
6.1 Design and validate assessment, test, and audit strategies
6.1.1 Validation and Verification
6.1.2 Effort to Invest in Testing
6.2 Conduct security control testing
6.2.0 Testing Overview
6.2.1 Testing Techniques
6.2.2 Vulnerability Assessment and Penetration Testing
6.2.3 Vulnerability Management
6.2.4 Vulnerability Scanning
6.2.5 Log Review and Analysis
6.2.6 Limiting Log Sizes
6.2.7 Operational Testing—Synthetic Transactions and RUM
6.2.8 Regression Testing
6.2.9 Compliance Checks
6.3 Collect security process data (e.g., technical and administrative)
6.3.1 Key Risk and Performance Indicators
6.4 Analyze test output and generate report
6.4.1 Test Output
6.5 Conduct or facilitate security audits
6.5.1 Audit Process
6.5.2 System Organization Controls (SOC) Reports
6.5.3 Audit Roles and Responsibilities
MINDMAP REVIEW VIDEOS
PRACTICE QUESTIONS
DOMAIN 7: Security Operations
7.1 Understand and comply with investigations
7.1.1 Securing the Scene
7.1.2 Evidence Collection and Handling
7.1.3 Locard’s Exchange Principle
7.1.4 Digital/Computer Forensics
7.1.5 Chain of Custody
7.1.6 Five Rules of Evidence
7.1.7 Types of Investigations
7.2 Conduct logging and monitoring activities
7.2.1 Security Information and Event Management (SIEM)
7.2.2 Continuous Monitoring and Tuning
7.2.3 Security Orchestration, Automation, and Response (SOAR)
7.3 Perform configuration management (CM)
7.3.1 Asset Inventory
7.3.2 Configuration Management
7.4 Apply foundational security operations concepts
7.4.1 Foundational Security Operations Concepts
7.5 Apply resource protection techniques
7.5.1 Protecting Media
7.6 Conduct incident management
7.6.1 Incident Response Process
7.7 Operate and maintain detective and preventive measures
7.7.1 Malware
7.7.2 Anti-malware
7.8 Implement and support patch and vulnerability management
7.8.1 Patch Management
7.9 Understand and participate in change management processes
7.9.1 Change Management
7.10 Implement recovery strategies
7.10.1 Failure Modes
7.10.2 Backup Storage Strategies
7.10.3 Spare Parts
7.10.4 Redundant Array of Independent Disks (RAID)
7.10.6 Recovery Site Strategies
7.11 Implement disaster recovery (DR) processes
7.11.1 BCM, BCP, and DRP
7.11.2 RPO, RTO, WRT, and MTD
7.11.3 Business Impact Analysis (BIA)
7.11.4 Disaster Response Process
7.11.5 Restoration Order
7.12 Test disaster recovery plans (DRP)
7.12.1 BCP and DRP Testing
7.13 Participate in business continuity (BC) planning and exercises
7.13.1 Goals of Business Continuity Management (BCM)
7.14 Implement and manage physical security
7.15 Address personnel safety and security concerns
MINDMAP REVIEW VIDEOS
PRACTICE QUESTIONS
DOMAIN 8: Software Development Security
8.1 Understand and integrate security in the software development life cycle (SDLC)
8.1.1 Security’s Involvement in Development
8.1.2 SDLC and SLC
8.1.3 Development Methodologies
8.1.4 Maturity Models
8.1.5 DevOps
8.1.6 Canary Testing and Deployments
8.2 Identify and apply security controls in software development ecosystems
8.2.1 Software Development Overview
8.2.2 Code Obfuscation
8.2.3 DBMS, Concurrency, and Lock Controls
8.2.4 Metadata
8.2.5 Development Ecosystems
8.3 Assess the effectiveness of software security
8.3.1 Software Security Assessment Methods
8.4 Assess security impact of acquired software
8.4.1 Acquiring Software
8.5 Define and apply secure coding guidelines and standards
8.5.1 Secure Coding Guidelines
8.5.2 Buffer Overflow
8.5.3 Application Programming Interfaces (APIs)
8.5.4 Secure Coding Practices
8.5.5 Software Development Vulnerabilities
MINDMAP REVIEW VIDEOS
PRACTICE QUESTIONS
REFERENCES AND FURTHER READING
ACRONYMS
INDEX
PROVEN EXAM STRATEGIES
The CISSP Exam — What to Expect
How to Read and Understand the Question
How to Select the BEST Answer
The CISSP Mindset
Final Preparations and Exam Day