The Official (ISC)2 Guide to the CISSP CBK Reference

The only official, comprehensive reference guide to the CISSP

All new for 2019 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)² for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)², the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.

This CBK covers the new eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Written by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:

• Common and good practices for each objective

• Common vocabulary and definitions

• References to widely accepted computing standards

• Highlights of successful approaches through case studies

Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.

Autorentext
This common body of knowledge is written and reviewed by a collection of experienced CISSP experts from a range of information security roles and organizations.

Klappentext

"The opportunity has never been greater for dedicated men and women to carve out a meaningful career and make a difference in their organizations. The CISSP CBK will be your constant companion in protecting and securing the critical data assets of your organization that will serve you for years to come." David Shearer, CISSP, CEO of (ISC)2 Information security professionals play a pivotal role in protecting the essential fabric of business, finance, communications, and virtually all aspects of 21st century daily life. This all-new, authoritative Common Body of Knowledge (CBK®) from (ISC)2 provides a resource for IT professionals who are designing, engineering, implementing, and managing information security programs to protect their organizations from increasingly sophisticated attacks. With exhaustive coverage of all eight domains of CISSP, this book provides a comprehensive guide to applying these principles in everyday practice. The 300+ CISSP objectives and sub-objectives are covered in a format that supplies common practices for each, a common lexicon with definitions, and appropriate references to both widely accepted computing standards and case studies that highlight successful approaches to problems. Written and reviewed by a team of highly knowledgeable CISSPs representing a variety of organizations and roles, it explains and defines all things related to CISSP. Explored in depth are Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Asset Management, Security Assessment and Testing, Security Operations, and Software Development Security. From understanding essential security concepts to the exercise of due care, legal compliance, professional ethics, and practical defense against an ever-growing variety of attacks, this book constitutes a vital reference that will serve you well throughout your career.

Zusammenfassung
The only official, comprehensive reference guide to the CISSP

All new for 2019 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)2 for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)2, the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.

This CBK covers the new eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Written by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:

• Common and good practices for each objective
• Common vocabulary and definitions
• References to widely accepted computing standards
• Highlights of successful approaches through case studies
  Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.

Inhalt

Foreword xxv

Introduction xxvii

Domain 1: Security and Risk Management 1

Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2

Information Security 3

Evaluate and Apply Security Governance Principles 6

Alignment of Security Functions to Business Strategy, Goals, Mission, and Objectives 6

Vision, Mission, and Strategy 6

Governance 7

Due Care 10

Determine Compliance Requirements 11

Legal Compliance 12

Jurisdiction 12

Legal Tradition 12

Legal Compliance Expectations 13

Understand Legal and Regulatory Issues That Pertain to Information Security in a Global Context 13

Cyber Crimes and Data Breaches 14

Privacy 36

Understand, Adhere to, and Promote Professional Ethics 49

Ethical Decision-Making 49

Established Standards of Ethical Conduct 51

(ISC)² Ethical Practices 56

Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 57

Organizational Documents 58

Policy Development 61

Policy Review Process 61

Identify, Analyze, and Prioritize Business Continuity Requirements 62

Develop and Document Scope and Plan 62

Risk Assessment 70

Business Impact Analysis 71

Develop the Business Continuity Plan 73

Contribute to and Enforce Personnel Security Policies and Procedures 80

Key Control Principles 80

Candidate Screening and Hiring 82

Onboarding and Termination Processes 91

Vendor, Consultant, and Contractor Agreements and Controls 96

Privacy in the Workplace 97

Understand and Apply Risk Management Concepts 99

Risk 99

Risk Management Frameworks 99

Risk Assessment Methodologies 108

Understand and Apply Threat Modeling Concepts and Methodologies 111

Threat Modeling Concepts 111

Threat Modeling Methodologies 112

Apply Risk-Based Management Concepts to the Supply Chain 116

Supply Chain Risks 116

Supply Chain Risk Management 119

Establish and Maintain a Security Awareness, Education, and Training Program 121

Security Awareness Overview 122

Developing an Awareness Program 123

Training 127

Summary 128

Domain 2: Asset Security 131

Asset Security Concepts 131

Data Policy 132

Data Governance 132

Data Quality 133

Data Documentation 134

Data Organization 136

Identify and Classify Information and Assets 139

Asset Classification 141

Determine and Maintain Information and Asset Ownership 145

Asset Management Lifecycle 146

Software Asset Management 148

Protect Privacy 152

Cross-Border Privacy and Data Flow Protection 153

Data Owners 161

Data Controllers 162

Data Processors 163

Data Stewards 164

Data Custodians 164

Data Remanence 164

Data Sovereignty 168

Data Localization or Residency 169

Government and Law Enforcement Access to Data 171

Collection Limitation 172

Understanding Data States 173

Data Issues with Emerging Technologies 173

Ensure Appropriate Asset Retention 175

Retention of Records 178

Determining Appropriate Records Retention 178

Retention of Records in Data Lifecycle 179

Records Retention Best Practices 180

Determine Data Security Controls 181

Technical, Administrative, and Physical Controls 183

Establis…