CISSP Best Practices Guide to the Basics of Certified Information Systems Security Professional
197 pages
English


Description

The Certified Information System Security Professional (CISSP®) credential is the global benchmark for information system security professionals. It gives you the technical know-how and full understanding of IS issues to perform information security functions for your organization.


This book provides the full foundation for your CISSP knowledge: Protect and serve your business at your very best.


The Certification That Inspires Utmost Confidence: If you plan to build a career in information security - one of today's most visible professions - then the CISSP® credential should be your next career goal.


The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Standards Organization) Standard 17024:2003. CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.


This book covers the following CISSP domains:


* Access Control


* Application Security


* Business Continuity and Disaster Recovery Planning


* Cryptography


* Information Security and Risk Management


* Legal, Regulations, Compliance and Investigations


* Operations Security


* Physical (Environmental) Security


* Security Architecture and Design


* Telecommunications and Network Security



This guide covers a large share of the concepts that (ISC)² lists in its outline of exam topics. Material from 10-12 books has been combined into one guide and overview, which makes it much easier to understand and digest.


Subjects

Information

Published by
Publication date 24 October 2012
Number of reads 0
EAN13 9781486454877
Language English

Legal information: rental price per page €0.1518. This information is provided for guidance only, in accordance with applicable legislation.

Excerpt

Certification for Information System Security Professional (CISSP)
©The Art of Service
Copyright © Notice of Rights
All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Notice of Liability
The information in this book is distributed on an "As Is" basis without warranty. While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it.

Trademarks
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book.
TABLE OF CONTENTS

1 Introduction 9
1.1 Introduction to CISSP 9
1.2 Where did CISSP come from? 10
1.3 What is CISSP? 12
1.4 History of Information Security 14
1.5 What is Information Security? 16
1.6 Understanding the CIA Triad 18
1.6.1 Confidentiality 18
1.6.2 Integrity 19
1.6.3 Availability 20
1.6.4 Limitations to CIA Triad 21
1.7 Why Certify for CISSP? 21
1.8 Companies Using CISSP 23

2 Domain One – Information Security and Risk Management 27
2.1 Expectations for CISSP 27
2.2 Understanding Security Policies, Procedures, Standards, Guidelines and Baselines 29
2.3 What are the Compliance Frameworks? 31
2.3.1 COSO 31
2.3.2 ITIL 32
2.3.3 COBIT 32
2.3.4 ISO 17799/BS 7799 33
2.4 Changing Organizational Behavior 35
2.5 Responsibilities of the Information Security Officer 37
2.6 Creating an Enterprise Security Oversight Committee 39
2.7 Why Security Awareness Training? 42
2.8 Understanding Risk Management 43

3 Domain Two – Access Control 47
3.1 Principles of Access Control 49
3.2 Information Classification 50
3.3 Creating a Data Classification Program 52
3.4 Understanding Categories to Access Control 55
3.5 Understanding Access Control Types 57
3.6 Looking More at Administration Access Controls 59
3.7 Understanding Change Control 61
3.8 Understanding Business Continuity and Disaster Recovery 63
3.9 Understanding the Performance Management, Configuration Management, Lifecycle Management and Network Management 65
3.10 Understanding Vulnerability Management 67
3.11 Understanding User Management 68
3.12 Understanding Privilege Management 71
3.13 Understanding Technical Controls 72
3.14 Understanding Access Control Threats 75
3.15 Employing Different Types of Identification 78
3.16 Employing Different Types of Authentication 80
3.17 Understanding Memory Cards and Smart Cards 83
3.18 Using Biometrics 85
3.19 Performing Audits 87

4 Domain Three – Cryptography 89
4.1 History of Cryptography 91
4.2 Methods of Cryptography 92
4.3 Types of Ciphers 94
4.4 Understanding Encryption Management 96
4.5 Using Public Key Infrastructures (PKI) 97
4.6 Identifying Attacks to Cryptography 99

5 Domain Four – Physical (Environment) Security 101
5.1 Identifying Threats and Vulnerabilities to Physical Security 103
5.2 Using the Layered Defence Model 105
5.3 Implementing a Layered Defence Model 107
5.4 Understanding Information Protection and Management 109

6 Domain Five – Security Architecture and Design 113
6.1 Understanding Design Principles 115
6.1.1 Hardware 117
6.1.2 Software 120
6.2 Security Models and Architecture Theory 121
6.3 Security Product Evaluation Methods and Criteria 124

7 Domain Six – Business Continuity and Disaster Recovery Planning 127
7.1 Concerns of Continuity Planning 129
7.2 Project Initiation Phase 131
7.3 Current State Assessment Phase 133
7.4 Development Phase 135
7.5 Implementation and Management Phases 137

8 Domain Seven – Telecommunications and Network Security 139
8.1 Layer 1 Physical Layer 141
8.2 Layer 2 Data-Link Layer 143
8.3 Layer 3 Network Layer 144
8.4 Layer 4 Transport Layer 146
8.5 Layer 5 Session Layer 147
8.6 Layers 6 & 7 Presentation and Application Layers 149

9 Domain Eight – Application Security 153
9.1 Using Programming Effectively 155
9.2 Protecting the Software Environment 156
9.3 Enforcing Security Protection and Controls 158
9.4 Identifying Malware 160
9.5 Database Management System (DBMS) Architecture 162

10 Domain Nine – Operations Security 165
10.1 Managing Threats to Operations 166

11 Domain Ten – Legal, Regulations, Compliance and Investigations 169
11.1 Information Technology Laws and Regulations 171
11.2 Understanding Computer Crimes, Privacy and Liability 172

12 References 175
1 Introduction
1.1 Introduction to CISSP

Today's businesses are faced with security threats which are becoming more complex. The use of mobile devices is becoming more widespread; the more mobile the populace, the harder it is to manage assets and the information on those assets. As a result, companies are increasingly concerned with the security surrounding those assets and information. In addition, the implementation of Sarbanes-Oxley in the U.S. has required focused attention on the security of financial information for companies. And finally, worldwide scrutiny of security across the board has increased due to global concerns. For these reasons, companies are placing more focus on their Information Technology (IT).

The IT Governance Global Status Report-200b, compiled by the IT Governance Institute (ITGI), showed that 93 percent of corporate executives believed IT was somewhat to very important to their overall corporate strategy or vision. This was a 6 percent increase from ITGI's 2005 survey. IT, telecom, and financial service-based companies are much more concerned with IT than other business sectors, with 71% and 77% respectively. The bottom line: companies are putting more attention on their IT solutions. Security management and the processes supporting security management are among the top concerns of this increasing attention.

Information security certifications are becoming more valuable for IT security professionals and companies concerned with IT. According to the 2008 (ISC)² Global Information Security Workforce Study, compiled by (ISC)², 78% of respondents involved in the hiring process claim certifications are either "Very Important" or "Somewhat Important". This is a marked change from twenty, even ten years ago, when securing a network was a new discipline and not well understood. According to the 2008 survey, 15 different security certifications were available, which is in contrast to the 40 vendor-neutral and more than 25 vendor-specific certifications now available in the marketplace. Of all these certifications, the Certification for Information System Security Professional (CISSP) has become highly recognized.

1.2 Where did CISSP come from?

The Certification for Information System Security Professional is administered by the International Information Systems Security Certification Consortium, (ISC)². First available in 1989, the certification demonstrates the qualifications of information systems security practitioners.