CISSP For Dummies, 6th Edition

Lawrence C. Miller, Peter H. Gregory

ISBN: 978-1-119-50609-6 May 2018 560 Pages


Secure your CISSP certification!

If you’re a security professional seeking your CISSP certification, this book is a perfect way to prepare for the exam. Covering in detail all eight domains, the expert advice inside gives you the key information you'll need to pass the exam. Plus, you'll get tips on setting up a 60-day study plan, tips for exam day, and access to an online test bank of questions. 

CISSP For Dummies is fully updated and reorganized to reflect upcoming changes (ISC)2 has made to the Common Body of Knowledge. Complete with access to an online test bank, this book is the secret weapon you need to pass the exam and gain certification.

  • Get key information for all eight exam domains
  • Find test-taking and exam-day tips and tricks
  • Benefit from access to free online practice questions and flash cards
  • Prepare for the CISSP certification in 2018 and beyond

You’ve put in the time as a security professional—and now you can reach your long-term goal of CISSP certification.

Introduction 1

About This Book 2

Foolish Assumptions 3

Icons Used in This Book 4

Beyond the Book 4

Where to Go from Here 5

Part 1: Getting Started with CISSP Certification 7

Chapter 1: (ISC)2 and the CISSP Certification 9

About (ISC)2 and the CISSP Certification 9

You Must Be This Tall to Ride This Ride (and Other Requirements) 10

Preparing for the Exam 12

Studying on your own 12

Getting hands-on experience 13

Getting official (ISC)2 CISSP training 14

Attending other training courses or study groups 14

Take the practice exam 15

Are you ready for the exam? 15

Registering for the Exam 16

About the CISSP Examination 17

After the Examination 20

Chapter 2: Putting Your Certification to Good Use 23

Networking with Other Security Professionals 24

Being an Active (ISC)2 Member 25

Considering (ISC)2 Volunteer Opportunities 26

Writing certification exam questions 26

Speaking at events 26

Helping at (ISC)2 conferences 27

Read and contribute to (ISC)2 publications 27

Support the (ISC)2 Center for Cyber Safety and Education 27

Participating in (ISC)2 focus groups 28

Join the (ISC)2 Community 28

Get involved with a CISSP study group 28

Help others learn more about data security 28

Becoming an Active Member of Your Local Security Chapter 29

Spreading the Good Word about CISSP Certification 30

Wear the colors proudly 31

Lead by example 31

Using Your CISSP Certification to Be an Agent of Change 32

Earning Other Certifications 32

Other (ISC)2 certifications 33

CISSP concentrations 33

Non-(ISC)2 certifications 34

Choosing the right certifications 37

Find a mentor, be a mentor 38

Pursue Security Excellence 38

Part 2: Certification Domains 41

Chapter 3: Security and Risk Management 43

Apply Security Governance Principles 44

Alignment of security function to business strategy, goals, mission, and objectives 44

Organizational processes (security executive oversight) 45

Security roles and responsibilities 46

Control frameworks 48

Due care 50

Due diligence 50

Understand and Apply Concepts of Confidentiality, Integrity, and Availability 51

Confidentiality 51

Integrity 52

Availability 52

Compliance 53

Legislative and regulatory compliance 53

Privacy requirements compliance 57

Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context 58

Computer crimes 58

Licensing and intellectual property 72

Import/export controls 74

Trans-border data flow 75

Privacy 75

Data breaches 80

Understand Professional Ethics 82

Exercise the (ISC)2 Code of Professional Ethics 83

Support your organization’s code of ethics 83

Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines 85

Policies 86

Standards (and baselines) 87

Procedures 87

Guidelines 87

Understand Business Continuity Requirements 87

Develop and document project scope and plan 90

Conduct Business Impact Analysis 98

Developing the Business Continuity Plan 106

Implementing the BCP 110

Contribute to Personnel Security Policies 111

Employment candidate screening 112

Employment agreements and policies 114

Employment termination processes 115

Vendor, consultant, and contractor controls 115

Compliance 115

Privacy 116

Understand and Apply Risk Management Concepts 116

Identify threats and vulnerabilities 116

Risk assessment/analysis (treatment) 117

Risk treatment 122

Countermeasure selection 123

Implementation 124

Types of controls 125

Control assessment 127

Monitoring and measurement 129

Asset valuation 129

Reporting 130

Continuous improvement 130

Risk frameworks 131

Understand and Apply Threat Modeling 132

Identifying threats 133

Determining and diagramming potential attacks 134

Performing reduction analysis 135

Technologies and processes to remediate threats 135

Integrate Security Risk Considerations into Supply Chain Management, Mergers, and Acquisitions 136

Hardware, software, and services 137

Third-party assessment and monitoring 137

Minimum security requirements 137

Service-level requirements 137

Establish and Manage Information Security Education, Training, and Awareness 138

Appropriate levels of awareness, training and education required within organization 138

Measuring the effectiveness of security training 140

Periodic reviews for content relevancy 141

Chapter 4: Asset Security 143

Classify Information and Supporting Assets 143

Commercial data classification 144

Government data classification 145

Determine and Maintain Ownership 146

Protect Privacy 148

Ensure Appropriate Retention 150

Determine Data Security Controls 151

Baselines 152

Scoping and tailoring 152

Standards selection 153

Cryptography 153

Establish Handling Requirements 154

Chapter 5: Security Architecture and Engineering 155

Implement and Manage Engineering Processes Using Secure Design Principles 155

Understand the Fundamental Concepts of Security Models 157

Confidentiality 158

Integrity 158

Availability 159

Access control models 160

Select Controls Based upon Systems Security Requirements 162

Evaluation criteria 163

System certification and accreditation 167

Security controls and countermeasures 169

Understand Security Capabilities of Information Systems 173

Computer architecture 173

Trusted Computing Base (TCB) 180

Trusted Platform Module (TPM) 181

Secure modes of operation 181

Open and closed systems 182

Protection rings 183

Security modes 183

Recovery procedures 184

Vulnerabilities in security architectures 184

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 185

Client-based systems 185

Server-based systems 186

Database systems 187

Large-scale parallel data systems 187

Distributed systems 188

Cryptographic systems 189

Industrial control systems 189

Cloud-based systems 190

Internet of Things 192

Assess and Mitigate Vulnerabilities in Web-Based Systems 193

Assess and Mitigate Vulnerabilities in Mobile Systems 194

Assess and Mitigate Vulnerabilities in Embedded Devices 195

Apply Cryptography 196

Cryptographic lifecycle 198

Plaintext and ciphertext 199

Encryption and decryption 199

Cryptography alternatives 205

Not quite the metric system: Symmetric and asymmetric key systems 206

Message authentication 216

Public Key Infrastructure (PKI) 219

Key management functions 220

Key escrow and key recovery 221

Methods of attack 221

Apply Security Principles to Site and Facility Design 224

Choosing a secure location 226

Designing a secure facility 226

Implement Site and Facility Security Controls 229

Wiring closets, server rooms, media storage facilities, and evidence storage 229

Restricted and work area security 230

Utilities and HVAC considerations 231

Water issues 234

Fire prevention, detection, and suppression 234

Chapter 6: Communication and Network Security 239

Implement Secure Design Principles in Network Architectures 239

OSI and TCP/IP models 241

Cryptography used to maintain communication security 279

Secure Network Components 280

Operation of hardware 280

Transmission media 280

Network access control devices 282

Endpoint security 292

Content distribution networks 294

Physical devices 294

Design and Establish Secure Communication Channels 295

Voice 295

Email 296

Web 300

Facsimile 302

Multimedia collaboration 302

Remote access 303

Data communications 308

Virtualized networks 309

Virtualization 309

Prevent or Mitigate Network Attacks 310

Bluejacking and bluesnarfing 310

ICMP flood 311

Smurf 311

Fraggle 311

DNS Server Attacks 311

Man-in-the-Middle 311

Session hijacking (spoofing) 312

Session hijacking (session token interception) 312

SYN flood 312

Teardrop 312

UDP flood 313

Eavesdropping 313

Chapter 7: Identity and Access Management 315

Control Physical and Logical Access to Assets 316

Information 316

Systems and devices 316

Facilities 317

Life safety 318

Manage Identification and Authentication of People, Devices, and Services 319

Identity management implementation 319

Single/multi-factor authentication 328

Accountability 343

Session management 344

Registration and proofing of identity 344

Federated identity management 346

Credential management systems 346

Integrate Identity-as-a-Service 347

Integrate Third-Party Identity Services 348

Implement and Manage Authorization Mechanisms 348

Access control techniques 349

Prevent or Mitigate Access Control Attacks 353

Manage the Identity and Access Provisioning Lifecycle 355

Chapter 8: Security Assessment and Testing 357

Design and Validate Assessment and Test Strategies 357

Conduct Security Control Testing 359

Vulnerability assessments 359

Penetration testing 361

Log reviews 365

Synthetic transactions 367

Code review and testing 368

Misuse case testing 368

Test coverage analysis 370

Interface testing 370

Collect Security Process Data 371

Account management 371

Management review 372

Key performance and risk indicators 373

Backup verification data 374

Training and awareness 375

Disaster recovery and business continuity 375

Analyze Test Output and Generate Reports 376

Conduct or Facilitate Security Audits 376

Chapter 9: Security Operations 379

Understand and Support Investigations 379

Evidence collection and handling 379

Reporting and documentation 386

Investigative techniques 387

Digital forensics tools, tactics, and procedures 389

Understand Requirements for Investigation Types 390

Conduct Logging and Monitoring Activities 391

Intrusion detection and prevention 391

Security information and event management 393

Continuous monitoring 393

Egress monitoring 394

Securely Provisioning Resources 394

Understand and Apply Foundational Security Operations Concepts 396

Need-to-know and least privilege 396

Separation of duties and responsibilities 397

Privileged account management 398

Job rotation 400

Information lifecycle 402

Service-level agreements 402

Apply Resource Protection Techniques 405

Media management 406

Hardware and software asset management 407

Conduct Incident Management 407

Operate and Maintain Detective and Preventive Measures 409

Implement and Support Patch and Vulnerability Management 411

Understand and Participate in Change Management Processes 412

Implement Recovery Strategies 412

Backup storage strategies 413

Recovery site strategies 413

Multiple processing sites 413

System resilience, high availability, quality of service, and fault tolerance 414

Implement Disaster Recovery (DR) Processes 415

Response 419

Personnel 421

Communications 421

Assessment 422

Restoration 423

Training and awareness 423

Test Disaster Recovery Plans 423

Read-through 424

Walkthrough or tabletop 424

Simulation 424

Parallel 425

Full interruption (or cutover) 426

Participate in Business Continuity (BC) Planning and Exercises 427

Implement and Manage Physical Security 427

Address Personnel Safety and Security Concerns 428

Chapter 10: Software Development Security 429

Understand and Integrate Security in the Software Development Lifecycle 429

Development methodologies 430

Maturity models 437

Operation and maintenance 438

Change management 439

Integrated product team 439

Identify and Apply Security Controls in Development Environments 440

Security of the software environments 440

Configuration management as an aspect of secure coding 442

Security of code repositories 443

Assess the Effectiveness of Software Security 444

Auditing and logging of changes 444

Risk analysis and mitigation 445

Acceptance testing 446

Assess Security Impact of Acquired Software 447

Define and Apply Secure Coding Guidelines and Standards 448

Security weaknesses and vulnerabilities at the source-code level 448

Security of application programming interfaces 450

Secure coding practices 451

Part 3: The Part of Tens 453

Chapter 11: Ten Test-Planning Tips 455

Know Your Learning Style 455

Get a Networking Certification First 456

Register Now! 456

Make a 60-Day Study Plan 456

Get Organized and Read! 457

Join a Study Group 458

Take Practice Exams 458

Take a CISSP Training Seminar 458

Adopt an Exam-Taking Strategy 459

Take a Breather 459

Chapter 12: Ten Test-Day Tips 461

Get a Good Night’s Rest 461

Dress Comfortably 461

Eat a Good Meal 462

Arrive Early 462

Bring a Photo ID 462

Bring Snacks and Drinks 462

Bring Prescription and Over-the-Counter Medications 463

Leave Your Mobile Devices Behind 463

Take Frequent Breaks 463

Guess — as a Last Resort 464

Glossary 465

Index 509