CISSP For Dummies, 5th Edition

Lawrence C. Miller, Peter H. Gregory

ISBN: 978-1-119-21023-8

May 2016

504 pages


The fast and easy way to secure your CISSP certification

Are you a security professional seeking the valuable CISSP certification? Good for you! CISSP For Dummies is the ideal starting point on your journey, providing you with a friendly and accessible framework for studying for this highly sought-after certification. Fully updated to reflect the latest iterations of all eight domains covered by the test, it offers helpful study tips, guidance on making a 60-day study plan, 'instant answers' to help you recall key information, practice tests, and much more.

Packed with key information needed to pass the exam—and hints on how to remember it all on test day—this new edition of CISSP For Dummies takes the intimidation out of preparing for getting your certification. Every chapter includes a 'Quick Assessment' test at the beginning and a 'Test Prep' section at the end to help you gauge your progress, while access to randomly generated test questions online gives you the freedom to practice and test your knowledge whenever it's convenient for you.

  • Review the eight domains of security found in the CISSP Common Body of Knowledge
  • Explore security websites and supplementary books
  • Get a feel for the real thing with 250 practice exam questions
  • Learn about exam requirements and find out how to register

If you're a CISSP hopeful or an existing certification-holder looking to renew your certification, CISSP For Dummies is the down-to-earth roadmap to get you there.


Foreword xv

Introduction 1

About This Book 2

How This Book Is Organized 2

Icons Used in This Book 3

Beyond the Book 4

Getting Started 4

Part I: Getting Started With CISSP Certification 5

Chapter 1: (ISC)2 and the CISSP Certification 7

About (ISC)2 and the CISSP Certification 7

You Must Be This Tall to Ride This Ride (and Other Requirements) 8

Preparing for the Exam 9

Studying on your own 10

Getting hands‐on experience 11

Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar 11

Attending other training courses or study groups 12

Take the testing tutorial and practice exam 12

Are you ready for the exam? 13

Registering for the Exam 13

About the CISSP Examination 14

After the Examination 16

Chapter 2: Putting Your Certification to Good Use 19

Being an Active (ISC)2 Member 19

Considering (ISC)2 Volunteer Opportunities 20

Writing certification exam questions 20

Speaking at events 20

Read and contribute to (ISC)2 publications 21

Support the (ISC)2 Center for Cyber Safety and Education 21

Participating in (ISC)2 focus groups 22

Get involved with a CISSP study group 22

Help others learn more about data security 22

Becoming an Active Member of Your Local Security Chapter 23

Spreading the Good Word about CISSP Certification 24

Promoting other certifications 25

Wear the colors proudly 25

Lead by example 25

Using Your CISSP Certification to Be an Agent of Change 26

Earning Other Certifications 26

Other (ISC)2 certifications 27

CISSP concentrations 27

Non‐(ISC)2 certifications 28

Choosing the right certifications 31

Pursue Security Excellence 32

Part II: Certification Domains 33

Chapter 3: Security and Risk Management 35

Understand and Apply Concepts of Confidentiality, Integrity, and Availability 35

Confidentiality 36

Integrity 37

Availability 37

Apply Security Governance Principles 37

Alignment of security function to business strategy, goals, mission and objectives 38

Organizational processes (security executive oversight) 39

Security roles and responsibilities 40

Control frameworks 41

Due care 43

Due diligence 44

Compliance 44

Legislative and regulatory compliance 44

Privacy requirements compliance 49

Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context 49

Computer crimes 50

Licensing and intellectual property 60

Import/export controls 63

Trans‐border data flow 63

Privacy 63

Data breaches 69

Understand Professional Ethics 70

Exercise the (ISC)2 Code of Professional Ethics 71

Support your organization’s code of ethics 72

Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines 73

Policies 74

Standards (and baselines) 75

Procedures 75

Guidelines 75

Understand Business Continuity Requirements 76

Develop and document project scope and plan 78

Conduct Business Impact Analysis 86

Developing the Business Continuity Plan 93

Implementing the BCP 96

Contribute to Personnel Security Policies 98

Employment candidate screening 98

Employment agreements and policies 100

Employment termination processes 101

Vendor, consultant and contractor controls 101

Compliance 102

Privacy 102

Understand and Apply Risk Management Concepts 102

Identify threats and vulnerabilities 103

Risk assessment/analysis (treatment) 103

Risk assignment/acceptance 108

Countermeasure selection 108

Implementation 110

Types of controls 110

Control assessment 112

Monitoring and measurement 114

Asset valuation 114

Reporting 115

Continuous improvement 115

Risk frameworks 116

Understand and Apply Threat Modeling 117

Identifying threats 117

Determining and diagramming potential attacks 118

Performing reduction analysis 119

Technologies and processes to remediate threats 119

Integrate Security Risk Considerations into Acquisition Strategy and Practice 120

Hardware, software, and services 121

Third‐party assessment and monitoring 121

Minimum security requirements 121

Service‐level requirements 122

Establish and Manage Information Security Education, Training, and Awareness 122

Appropriate levels of awareness, training and education required within organization 122

Periodic reviews for content relevancy 124

Chapter 4: Asset Security 125

Classify Information and Supporting Assets 125

Commercial data classification 126

Government data classification 126

Determine and Maintain Ownership 128

Protect Privacy 129

Ensure Appropriate Retention 131

Determine Data Security Controls 132

Baselines 133

Scoping and tailoring 134

Standards selection 134

Cryptography 135

Establish Handling Requirements 135

Chapter 5: Security Engineering 137

Implement and Manage Engineering Processes Using Secure Design Principles 137

Understand the Fundamental Concepts of Security Models 139

Confidentiality 139

Integrity 140

Availability 140

Access control models 141

Select Controls and Countermeasures based upon Systems Security Evaluation Models 144

Evaluation criteria 144

System certification and accreditation 149

Security controls and countermeasures 151

Understand Security Capabilities of Information Systems 154

Computer architecture 154

Trusted Computing Base (TCB) 161

Trusted Platform Module (TPM) 161

Secure modes of operation 162

Open and closed systems 163

Protection rings 163

Security modes 163

Recovery procedures 164

Vulnerabilities in security architectures 165

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 166

Client‐based 166

Server‐based 167

Database security 167

Large‐scale parallel data systems 168

Distributed systems 168

Cryptographic systems 169

Industrial control systems 170

Assess and Mitigate Vulnerabilities in Web‐Based Systems 171

Assess and Mitigate Vulnerabilities in Mobile Systems 172

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber‐Physical Systems 173

Apply Cryptography 174

Cryptographic Life Cycle 176

Plaintext and ciphertext 177

Encryption and decryption 177

Cryptography alternatives 183

Not quite the metric system: Symmetric and asymmetric key systems 184

Message authentication 193

Public Key Infrastructure (PKI) 196

Key management functions 197

Key escrow and key recovery 198

Methods of attack 198

Apply Secure Principles to Site and Facility Design 201

Choosing a secure location 202

Designing a secure facility 203

Design and Implement Physical Security 205

Wiring closets, server rooms, media storage facilities, and evidence storage 206

Restricted and work area security 207

Utilities and HVAC considerations 207

Water issues 211

Fire prevention, detection and suppression 211

Chapter 6: Communication and Network Security 215

Apply Secure Design Principles to Network Architecture 215

OSI and TCP/IP models 219

Cryptography used to maintain communication security 251

Secure Network Components 251

Operation of hardware 252

Transmission media 252

Network access control devices 254

Endpoint security 262

Content distribution networks 264

Physical devices 265

Design and Establish Secure Communication Channels 265

Voice 266

Email 266

Web 270

Facsimile 271

Multimedia collaboration 272

Remote access 272

Data communications 277

Virtualized networks 277

Prevent or Mitigate Network Attacks 279

Bluejacking and bluesnarfing 279

Fraggle 279

Smurf 279

DNS Server Attacks 280

Man‐in‐the‐Middle 280

ICMP flood 280

Session hijacking (spoofing) 280

Session hijacking (session token interception) 280

SYN flood 281

Teardrop 281

UDP flood 281

Chapter 7: Identity and Access Management 283

Control Physical and Logical Access to Assets 284

Information 284

Systems and devices 284

Facilities 285

Manage Identification and Authentication of People and Devices 285

Identity management implementation 286

Single/multi‐factor authentication 295

Accountability 309

Session management 309

Registration and proofing of identity 310

Federated identity management 311

Credential management systems 312

Integrate Identity‐as‐a‐Service 312

Integrate Third‐Party Identity Services 314

Implement and Manage Authorization Mechanisms 314

Access control techniques 314

Prevent or Mitigate Access Control Attacks 318

Manage the Identity and Access Provisioning Lifecycle 320

Chapter 8: Security Assessment and Testing 323

Design and Validate Assessment and Test Strategies 323

Conduct Security Control Testing 324

Vulnerability assessment 324

Penetration testing 324

Log reviews 326

Synthetic transactions 328

Code review and testing 328

Misuse case testing 329

Test coverage analysis 329

Interface testing 329

Collect Security Process Data 330

Account management 330

Management review 331

Key performance and risk indicators 331

Backup verification data 331

Training and awareness 332

Disaster recovery and business continuity 332

Analyze and Report Test Outputs 332

Conduct or Facilitate Internal and Third Party Audits 332

Chapter 9: Security Operations 335

Understand and Support Investigations 335

Evidence collection and handling 335

Reporting and documenting 342

Investigative techniques 342

Digital forensics 344

Understand Requirements for Investigation Types 345

Conduct Logging and Monitoring Activities 346

Intrusion detection and prevention 347

Security information and event management 348

Continuous monitoring 348

Egress monitoring 349

Secure the Provisioning of Resources 349

Understand and Apply Foundational Security Operations Concepts 351

Need‐to‐know and least privilege 351

Separation of duties and responsibilities 352

Monitor special privileges 353

Job rotation 355

Information lifecycle 356

Service‐level agreements 357

Employ Resource Protection Techniques 359

Media management 359

Hardware and software asset management 361

Conduct Incident Management 361

Operate and Maintain Preventative Measures 363

Implement and Support Patch and Vulnerability Management 364

Participate in and Understand Change Management Processes 365

Implement Recovery Strategies 366

Backup storage strategies 366

Recovery site strategies 366

Multiple processing sites 367

System resilience, high availability, and fault tolerance 367

Quality of Service (QoS) 367

Implement Disaster Recovery Processes 368

Response 372

Personnel 373

Communications 374

Assessment 375

Restoration 375

Training and awareness 376

Test Disaster Recovery Plans 376

Read‐through 376

Walkthrough 377

Simulation 377

Parallel 378

Full interruption (or cutover) 379

Participate in Business Continuity Planning and Exercises 379

Implement and Manage Physical Security 380

Participate in Addressing Personnel Safety Concerns 380

Chapter 10: Software Development Security 381

Understand and Apply Security in the Software Development Lifecycle 381

Development methodologies 382

Maturity models 388

Operation and maintenance 389

Change management 390

Integrated product team 391

Enforce Security Controls in Development Environments 392

Security of the software environments 392

Configuration management as an aspect of secure coding 394

Security of code repositories 395

Security of application programming interfaces 395

Assess the Effectiveness of Software Security 396

Auditing and logging of changes 397

Risk analysis and mitigation 397

Acceptance testing 398

Assess Security Impact of Acquired Software 399

Part III: The Part of Tens 401

Chapter 11: Ten (Okay, Nine) Test-Planning Tips 403

Know Your Learning Style 403

Get a Networking Certification First 403

Register NOW! 404

Make a 60‐Day Study Plan 404

Get Organized and READ! 405

Join a Study Group 405

Take Practice Exams 406

Take a CISSP Review Seminar 406

Take a Breather 406

Chapter 12: Ten Test-Day Tips 407

Get a Good Night’s Rest 407

Dress Comfortably 407

Eat a Good Breakfast 407

Arrive Early 408

Bring a Photo ID 408

Bring Snacks and Drinks 408

Bring Prescription and Over‐the‐Counter Medications 408

Leave Your Electronic Devices Behind 409

Take Frequent Breaks 409

Guess — as a Last Resort 409

Glossary 411

Index 455

Errata (Chapter / Page / Details / Date / Print Run)

Page 33, Errata in Text
Location: Part II, front of Parts Page
Instructions: Remove the "Web Extras" icon. Remove the line that says "Visit for great Dummies content online".

Page 34, Errata in Text
Location: Part II, back of Parts Page
Instructions: Remove the first two bullets under "In this part...". Remove the last bullet from "In this part...".