(ISC)2
CISSP® Certified Information
Systems Security Professional
Official Study Guide
Eighth Edition
Mike Chapple
James Michael Stewart
Darril Gibson
Development Editor: Kelly Talbot
Technical Editors: Jeff Parker, Bob Sipes, and David Seidl
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Proofreader: Amy Schneider
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: @Jeremy Woodhouse/Getty Images, Inc.
Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-47593-4
ISBN: 978-1-119-47595-8 (ebk.)
ISBN: 978-1-119-47587-3 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright
Act, without either the prior written permission of the Publisher, or authorization through
payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher
for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc.,
111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at
http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no
representations or warranties with respect to the accuracy or completeness of the contents of
this work and specifically disclaim all warranties, including without limitation warranties of
fitness for a particular purpose. No warranty may be created or extended by sales or
promotional materials. The advice and strategies contained herein may not be suitable for
every situation. This work is sold with the understanding that the publisher is not engaged in
rendering legal, accounting, or other professional services. If professional assistance is
required, the services of a competent professional person should be sought. Neither the
publisher nor the author shall be liable for damages arising herefrom. The fact that an
organization or Web site is referred to in this work as a citation and/or a potential source of
further information does not mean that the author or the publisher endorses the information
the organization or Web site may provide or recommendations it may make. Further, readers
should be aware that Internet Web sites listed in this work may have changed or disappeared
between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support,
please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the
http://www.wiley.com/go/permissions
U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some
material included with standard print versions of this book may not be included in e-books or
in print-on-demand. If this book refers to media such as a CD or DVD that is not included in
the version you purchased, you may download this material at http://booksupport.wiley.com.
For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2018933561
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered
trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other
countries, and may not be used without written permission. CISSP is a registered trademark of
(ISC)², Inc. All other trademarks are the property of their respective owners. John Wiley &
Sons, Inc. is not associated with any product or vendor mentioned in this book.
http://booksupport.wiley.com
http://www.wiley.com
To Dewitt Latimer, my mentor, friend, and colleague. I miss you
dearly.
—Mike Chapple
To Cathy, your perspective on the world and life often surprises me,
challenges me, and makes me love you even more.
—James Michael Stewart
To Nimfa, thanks for sharing your life with me for the past 26 years
and letting me share mine with you.
—Darril Gibson
Dear Future (ISC)2 Member,
Congratulations on starting your journey to
CISSP® certification. Earning your CISSP is an
exciting and rewarding milestone in your
cybersecurity career. Not only does it demonstrate
your ability to develop and manage nearly all
aspects of an organization’s cybersecurity
operations, but you also signal to employers your
commitment to life-long learning and taking an
active role in fulfilling the (ISC)² vision of
inspiring a safe and secure cyber world.
The material in this study guide is based upon the (ISC)² CISSP
Common Body of Knowledge. It will help you prepare for the exam
that will assess your competency in the following eight domains:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
While this study guide will help you prepare, passing the CISSP exam
depends on your mastery of the domains combined with your ability to
apply those concepts using your real-world experience.
I wish you the best of luck as you continue on your path to become a
CISSP and certified member of (ISC)2.
Sincerely,
David Shearer, CISSP
CEO
(ISC)2
Acknowledgments
We’d like to express our thanks to Sybex for continuing to support this
project. Extra thanks to the eighth edition developmental editor, Kelly
Talbot, and technical editors, Jeff Parker, Bob Sipes, and David Seidl,
who performed amazing feats in guiding us to improve this book.
Thanks as well to our agent, Carole Jelen, for continuing to assist in
nailing down these projects.
—Mike, James, and Darril
Special thanks go to the information security team at the University of
Notre Dame, who provided hours of interesting conversation and
debate on security issues that inspired and informed much of the
material in this book.
I would like to thank the team at Wiley who provided invaluable
assistance throughout the book development process. I also owe a debt
of gratitude to my literary agent, Carole Jelen of Waterside
Productions. My coauthors, James Michael Stewart and Darril Gibson,
were great collaborators. Jeff Parker, Bob Sipes, and David Seidl, our
diligent and knowledgeable technical editors, provided valuable in-
sight as we brought this edition to press.
I’d also like to thank the many people who participated in the
production of this book but whom I never had the chance to meet: the
graphics team, the production staff, and all of those involved in
bringing this book to press.
—Mike Chapple
Thanks to Mike Chapple and Darril Gibson for continuing to
contribute to this project. Thanks also to all my CISSP course students
who have provided their insight and input to improve my training
courseware and ultimately this tome. To my adoring wife, Cathy:
Building a life and a family together has been more wonderful than I
could have ever imagined. To Slayde and Remi: You are growing up so
fast and learning at an outstanding pace, and you continue to delight
and impress me daily. You are both growing into amazing individuals.
To my mom, Johnnie: It is wonderful to have you close by. To Mark:
No matter how much time has passed or how little we see each other, I
have been and always will be your friend. And finally, as always, to
Elvis: You were way ahead of the current bacon obsession with your
peanut butter/banana/bacon sandwich; I think that’s proof you
traveled through time!
—James Michael Stewart
Thanks to Jim Minatel and Carole Jelen for helping get this update in
place before (ISC)2 released the objectives. This helped us get a head
start on this new edition, and we appreciate your efforts. It’s been a
pleasure working with talented people like James Michael Stewart and
Mike Chapple. Thanks to both of you for all your work and
collaborative efforts on this project. The technical editors, Jeff Parker,
Bob Sipes, and David Seidl, provided us with some outstanding
feedback, and this book is better because of their efforts. Thanks to the
team at Sybex (including project managers, editors, and graphics
artists) for all the work you did helping us get this book to print. Last,
thanks to my wife, Nimfa, for putting up with my odd hours as I
worked on this book.
—Darril Gibson
About the Authors
Mike Chapple, CISSP, PhD, Security+, CISA, CySA+, is an associate
teaching professor of IT, analytics, and operations at the University of
Notre Dame. In the past, he was chief information officer of Brand
Institute and an information security researcher with the National
Security Agency and the U.S. Air Force. His primary areas of expertise
include network intrusion detection and access controls. Mike is a
frequent contributor to TechTarget’s SearchSecurity site and the
author of more than 25 books including the companion book to this
study guide: CISSP Official (ISC)2 Practice Tests, the CompTIA CSA+
Study Guide, and Cyberwarfare: Information Operations in a
Connected World. Mike offers study groups for the CISSP, SSCP,
Security+, and CSA+ certifications on his website at
www.certmike.com.
James Michael Stewart, CISSP, CEH, ECSA, CHFI, Security+,
Network+, has been writing and training for more than 20 years, with
a current focus on security. He has been teaching CISSP training
courses since 2002, not to mention other courses on Internet security
and ethical hacking/penetration testing. He is the author of and
contributor to more than 75 books and numerous courseware sets on
security certification, Microsoft topics, and network administration,
including the Security+ (SY0-501) Review Guide. More information
about Michael can be found at his website at www.impactonline.com.
Darril Gibson, CISSP, Security+, CASP, is the CEO of YCDA (short
for You Can Do Anything), and he has authored or coauthored more
than 40 books. Darril regularly writes, consults, and teaches on a wide
variety of technical and security topics and holds several certifications.
He regularly posts blog articles at
http://blogs.getcertifiedgetahead.com/ about certification topics and
uses that site to help people stay abreast of changes in certification
exams. He loves hearing from readers, especially when they pass an
exam after using one of his books, and you can contact him through
the blogging site.
http://www.impactonline.com
http://blogs.getcertifiedgetahead.com/
About the Technical Editors
Jeff T. Parker, CISSP, is a technical editor and reviewer across many
focuses of information security. Jeff regularly contributes to books,
adding experience and practical know-how where needed. Jeff’s
experience comes from 10 years of consulting with Hewlett-Packard in
Boston and from 4 years with Deutsche-Post in Prague, Czech
Republic. Now residing in Canada, Jeff teaches his and other middle-
school kids about building (and destroying) a home lab. He recently
coauthored Wireshark for Security Professionals and is now
authoring CySA+ Practice Exams. Keep learning!
Bob Sipes, CISSP, is an enterprise security architect and account
security officer at DXC Technology providing tactical and strategic
leadership for DXC clients. He holds several certifications, is actively
involved in security organizations including ISSA and Infragard, and is
an experienced public speaker on topics including cybersecurity,
communications, and leadership. In his spare time, Bob is an avid
antiquarian book collector with an extensive library of 19th and early
20th century boys’ literature. You can follow Bob on Twitter at
@bobsipes.
David Seidl, CISSP, is the senior director for Campus Technology
Services at the University of Notre Dame, where he has also taught
cybersecurity and networking in the Mendoza College of Business.
David has written multiple books on cybersecurity certification and
cyberwarfare, and he has served as the technical editor for the sixth,
seventh, and eighth editions of CISSP Study Guide. David holds a
master’s degree in information security and a bachelor’s degree in
communication technology from Eastern Michigan University, as well
as CISSP, GPEN, GCIH, and CySA+ certifications.
Contents
Introduction
Overview of the CISSP Exam
Notes on This Book’s Organization
Assessment Test
Answers to Assessment Test
Chapter 1 Security Governance Through Principles and Policies
Understand and Apply Concepts of Confidentiality, Integrity,
and Availability
Evaluate and Apply Security Governance Principles
Develop, Document, and Implement Security Policy, Standards,
Procedures, and Guidelines
Understand and Apply Threat Modeling Concepts and
Methodologies
Apply Risk-Based Management Concepts to the Supply Chain
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 2 Personnel Security and Risk Management Concepts
Personnel Security Policies and Procedures
Security Governance
Understand and Apply Risk Management Concepts
Establish and Maintain a Security Awareness, Education, and
Training Program
Manage the Security Function
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 3 Business Continuity Planning
Planning for Business Continuity
Project Scope and Planning
Business Impact Assessment
Continuity Planning
Plan Approval and Implementation
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 4 Laws, Regulations, and Compliance
Categories of Laws
Laws
Compliance
Contracting and Procurement
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 5 Protecting Security of Assets
Identify and Classify Assets
Determining Ownership
Using Security Baselines
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 6 Cryptography and Symmetric Key Algorithms
Historical Milestones in Cryptography
Cryptographic Basics
Modern Cryptography
Symmetric Cryptography
Cryptographic Lifecycle
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 7 PKI and Cryptographic Applications
Asymmetric Cryptography
Hash Functions
Digital Signatures
Public Key Infrastructure
Asymmetric Key Management
Applied Cryptography
Cryptographic Attacks
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 8 Principles of Security Models, Design, and Capabilities
Implement and Manage Engineering Processes Using Secure
Design Principles
Understand the Fundamental Concepts of Security Models
Select Controls Based On Systems Security Requirements
Understand Security Capabilities of Information Systems
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 9 Security Vulnerabilities, Threats, and Countermeasures
Assess and Mitigate Security Vulnerabilities
Client-Based Systems
Server-Based Systems
Database Systems Security
Distributed Systems and Endpoint Security
Internet of Things
Industrial Control Systems
Assess and Mitigate Vulnerabilities in Web-Based Systems
Assess and Mitigate Vulnerabilities in Mobile Systems
Assess and Mitigate Vulnerabilities in Embedded Devices and
Cyber-Physical Systems
Essential Security Protection Mechanisms
Common Architecture Flaws and Security Issues
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 10 Physical Security Requirements
Apply Security Principles to Site and Facility Design
Implement Site and Facility Security Controls
Implement and Manage Physical Security
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 11 Secure Network Architecture and Securing Network
Components
OSI Model
TCP/IP Model
Converged Protocols
Wireless Networks
Secure Network Components
Cabling, Wireless, Topology, Communications, and
Transmission Media Technology
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 12 Secure Communications and Network Attacks
Network and Protocol Security Mechanisms
Secure Voice Communications
Multimedia Collaboration
Manage Email Security
Remote Access Security Management
Virtual Private Network
Virtualization
Network Address Translation
Switching Technologies
WAN Technologies
Miscellaneous Security Control Characteristics
Security Boundaries
Prevent or Mitigate Network Attacks
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 13 Managing Identity and Authentication
Controlling Access to Assets
Comparing Identification and Authentication
Implementing Identity Management
Managing the Identity and Access Provisioning Lifecycle
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 14 Controlling and Monitoring Access
Comparing Access Control Models
Understanding Access Control Attacks
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 15 Security Assessment and Testing
Building a Security Assessment and Testing Program
Performing Vulnerability Assessments
Testing Your Software
Implementing Security Management Processes
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 16 Managing Security Operations
Applying Security Operations Concepts
Securely Provisioning Resources
Managing Configuration
Managing Change
Managing Patches and Reducing Vulnerabilities
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 17 Preventing and Responding to Incidents
Managing Incident Response
Implementing Detective and Preventive Measures
Logging, Monitoring, and Auditing
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 18 Disaster Recovery Planning
The Nature of Disaster
Understand System Resilience and Fault Tolerance
Recovery Strategy
Recovery Plan Development
Training, Awareness, and Documentation
Testing and Maintenance
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 19 Investigations and Ethics
Investigations
Major Categories of Computer Crime
Ethics
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 20 Software Development Security
Introducing Systems Development Controls
Establishing Databases and Data Warehousing
Storing Data and Information
Understanding Knowledge-Based Systems
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 21 Malicious Code and Application Attacks
Malicious Code
Password Attacks
Application Attacks
Web Application Security
Reconnaissance Attacks
Masquerading Attacks
Summary
Exam Essentials
Written Lab
Review Questions
Appendix A Answers to Review Questions
Chapter 1: Security Governance Through Principles and Policies
Chapter 2: Personnel Security and Risk Management Concepts
Chapter 3: Business Continuity Planning
Chapter 4: Laws, Regulations, and Compliance
Chapter 5: Protecting Security of Assets
Chapter 6: Cryptography and Symmetric Key Algorithms
Chapter 7: PKI and Cryptographic Applications
Chapter 8: Principles of Security Models, Design, and
Capabilities
Chapter 9: Security Vulnerabilities, Threats, and
Countermeasures
Chapter 10: Physical Security Requirements
Chapter 11: Secure Network Architecture and Securing Network
Components
Chapter 12: Secure Communications and Network Attacks
Chapter 13: Managing Identity and Authentication
Chapter 14: Controlling and Monitoring Access
Chapter 15: Security Assessment and Testing
Chapter 16: Managing Security Operations
Chapter 17: Preventing and Responding to Incidents
Chapter 18: Disaster Recovery Planning
Chapter 19: Investigations and Ethics
Chapter 20: Software Development Security
Chapter 21: Malicious Code and Application Attacks
Appendix B Answers to Written Labs
Chapter 1: Security Governance Through Principles and Policies
Chapter 2: Personnel Security and Risk Management Concepts
Chapter 3: Business Continuity Planning
Chapter 4: Laws, Regulations, and Compliance
Chapter 5: Protecting Security of Assets
Chapter 6: Cryptography and Symmetric Key Algorithms
Chapter 7: PKI and Cryptographic Applications
Chapter 8: Principles of Security Models, Design, and
Capabilities
Chapter 9: Security Vulnerabilities, Threats, and
Countermeasures
Chapter 10: Physical Security Requirements
Chapter 11: Secure Network Architecture and Securing Network
Components
Chapter 12: Secure Communications and Network Attacks
Chapter 13: Managing Identity and Authentication
Chapter 14: Controlling and Monitoring Access
Chapter 15: Security Assessment and Testing
Chapter 16: Managing Security Operations
Chapter 17: Preventing and Responding to Incidents
Chapter 18: Disaster Recovery Planning
Chapter 19: Investigations and Ethics
Chapter 20: Software Development Security
Chapter 21: Malicious Code and Application Attacks
Advert
EULA
List of Tables
Chapter 2
Table 2.1
Table 2.2
Chapter 5
Table 5.1
Table 5.2
Table 5.3
Chapter 6
Table 6.1
Table 6.2
Chapter 7
Table 7.1
Chapter 8
Table 8.1
Table 8.2
Table 8.3
Table 8.4
Chapter 9
Table 9.1
Chapter 10
Table 10.1
Table 10.2
Chapter 11
Table 11.1
Table 11.2
Table 11.3
Table 11.4
Table 11.5
Table 11.6
Table 11.7
Table 11.8
Table 11.9
Table 11.10
Table 11.11
Chapter 12
Table 12.1
Table 12.2
Table 12.3
Table 12.4
Chapter 18
Table 18.1
List of Illustrations
Chapter 1
FIGURE 1.1 The CIA Triad
FIGURE 1.2 The five elements of AAA services
FIGURE 1.3 Strategic, tactical, and operational plan timeline
comparison
FIGURE 1.4 Levels of government/military classification
FIGURE 1.5 Commercial business/private sector classification
levels
FIGURE 1.6 The comparative relationships of security policy
components
FIGURE 1.7 An example of diagramming to reveal threat
concerns
FIGURE 1.8 An example of diagramming to reveal threat
concerns
Chapter 2
FIGURE 2.1 An example of separation of duties related to five
admin tasks and seven administrators
FIGURE 2.2 An example of job rotation among management
positions
FIGURE 2.3 Ex-employees must return all company property
FIGURE 2.4 The elements of risk
FIGURE 2.5 The six major elements of quantitative risk
analysis
FIGURE 2.6 The categories of security controls in a defense-
in-depth implementation
FIGURE 2.7 The six steps of the risk management framework
Chapter 3
FIGURE 3.1 Earthquake hazard map of the United States
Chapter 5
FIGURE 5.1 Data classifications
FIGURE 5.2 Clearing a hard drive
Chapter 6
FIGURE 6.1 Challenge-response authentication protocol
FIGURE 6.2 The magic door
FIGURE 6.3 Symmetric key cryptography
FIGURE 6.4 Asymmetric key cryptography
Chapter 7
FIGURE 7.1 Asymmetric key cryptography
FIGURE 7.2 Steganography tool
FIGURE 7.3 Image with embedded message
Chapter 8
FIGURE 8.1 The TCB, security perimeter, and reference
monitor
FIGURE 8.2 The Take-Grant model’s directed graph
FIGURE 8.3 The Bell-LaPadula model
FIGURE 8.4 The Biba model
FIGURE 8.5 The Clark-Wilson model
FIGURE 8.6 The levels of TCSEC
Chapter 9
FIGURE 9.1 In the commonly used four-ring model,
protection rings segregate the operating system into kernel,
components, and drivers in rings 0 through 2 and applications
and programs run at ring 3.
FIGURE 9.2 The process scheduler
Chapter 10
FIGURE 10.1 A typical wiring closet
FIGURE 10.2 The fire triangle
FIGURE 10.3 The four primary stages of fire
FIGURE 10.4 A secure physical boundary with a mantrap and
a turnstile
Chapter 11
FIGURE 11.1 Representation of the OSI model
FIGURE 11.2 Representation of OSI model encapsulation
FIGURE 11.3 Representation of the OSI model peer layer
logical channels
FIGURE 11.4 OSI model data names
FIGURE 11.5 Comparing the OSI model with the TCP/IP
model
FIGURE 11.6 The four layers of TCP/IP and its component
protocols
FIGURE 11.7 The TCP three-way handshake
FIGURE 11.8 Single-, two-, and three-tier firewall deployment
architectures
FIGURE 11.9 A ring topology
FIGURE 11.10 A linear bus topology and a tree bus topology
FIGURE 11.11 A star topology
FIGURE 11.12 A mesh topology
Chapter 13
FIGURE 13.1 Graph of FRR and FAR errors indicating the
CER point
Chapter 14
FIGURE 14.1 Defense in depth with layered security
FIGURE 14.2 Role Based Access Control
FIGURE 14.3 A representation of the boundaries provided by
lattice-based access controls
FIGURE 14.4 Wireshark capture
Chapter 15
FIGURE 15.1 Nmap scan of a web server run from a Linux
system
FIGURE 15.2 Default Apache server page running on the
server scanned in Figure 15.1
FIGURE 15.3 Nmap scan of a large network run from a Mac
system using the Terminal utility
FIGURE 15.4 Network vulnerability scan of the same web
server that was port scanned in Figure 15.1
FIGURE 15.5 Web application vulnerability scan of the same
web server that was port scanned in Figure 15.1 and network
vulnerability scanned in Figure 15.2.
FIGURE 15.6 Scanning a database-backed application with
sqlmap
FIGURE 15.7 Penetration testing process
FIGURE 15.8 The Metasploit automated system exploitation
tool allows attackers to quickly execute common attacks against
target systems.
FIGURE 15.9 Fagan inspections follow a rigid formal process,
with defined entry and exit criteria that must be met before
transitioning between stages.
FIGURE 15.10 Prefuzzing input file containing a series of 1s
FIGURE 15.11 The input file from Figure 15.10 after being run
through the zzuf mutation fuzzing tool
Chapter 16
FIGURE 16.1 A segregation of duties control matrix
FIGURE 16.2 Creating and deploying images
FIGURE 16.3 Web server and database server
Chapter 17
FIGURE 17.1 Incident response
FIGURE 17.2 SYN flood attack
FIGURE 17.3 A man-in-the-middle attack
FIGURE 17.4 Intrusion prevention system
FIGURE 17.5 Viewing a log entry
Chapter 18
FIGURE 18.1 Flood hazard map for Miami–Dade County,
Florida
FIGURE 18.2 Failover cluster with network load balancing
Chapter 20
FIGURE 20.1 Security vs. user-friendliness vs. functionality
FIGURE 20.2 The waterfall lifecycle model
FIGURE 20.3 The spiral lifecycle mode
FIGURE 20.4 The IDEAL model
FIGURE 20.5 Gantt chart
FIGURE 20.6 The DevOps model
FIGURE 20.7 Hierarchical data model
FIGURE 20.8 Customers table from a relational database
FIGURE 20.9 ODBC as the interface between applications
and a backend database system
Chapter 21
FIGURE 21.1 Social Security phishing message
FIGURE 21.2 Typical database-driven website architecture
kindle:embed:0007?mime=image/jpg
Introduction
The (ISC)2 CISSP: Certified Information Systems Security
Professional Official Study Guide, Eighth Edition, offers you a solid
foundation for the Certified Information Systems Security Professional
(CISSP) exam. By purchasing this book, you’ve shown a willingness to
learn and a desire to develop the skills you need to achieve this
certification. This introduction provides you with a basic overview of
this book and the CISSP exam.
This book is designed for readers and students who want to study for
the CISSP certification exam. If your goal is to become a certified
security professional, then the CISSP certification and this study guide
are for you. The purpose of this book is to adequately prepare you to
take the CISSP exam.
Before you dive into this book, you need to have accomplished a few
tasks on your own. You need to have a general understanding of IT
and of security. You should have the necessary five years of full-time
paid work experience (or four years if you have a college degree) in two
or more of the eight domains covered by the CISSP exam. If you are
qualified to take the CISSP exam according to (ISC)2, then you are
sufficiently prepared to use this book to study for it. For more
information on (ISC)2, see the next section.
(ISC)2 also allows for a one-year reduction of the five-year experience
requirement if you have earned one of the approved certifications from
the (ISC)2 prerequisite pathway. These include certifications such as
CAP, CISM, CISA, CCNA Security, Security+, MCSA, MCSE, and many
of the GIAC certifications. For a complete list of qualifying
certifications, visit
https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway.
Note: You can use only one of the experience reduction measures,
either a college degree or a certification, not both.
(ISC)2
https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway
The CISSP exam is governed by the International Information Systems
Security Certification Consortium (ISC)2. (ISC)2 is a global not-for-
profit organization. It has four primary mission goals:
Maintain the Common Body of Knowledge (CBK) for the field of
information systems security.
Provide certification for information systems security professionals
and practitioners.
Conduct certification training and administer the certification
exams.
Oversee the ongoing accreditation of qualified certification
candidates through continued education.
The (ISC)2 is operated by a board of directors elected from the ranks of
its certified practitioners.
(ISC)2 supports and provides a wide variety of certifications, including
CISSP, SSCP, CAP, CSSLP, CCFP, HCISPP, and CCSP. These
certifications are designed to verify the knowledge and skills of IT
security professionals across all industries. You can obtain more
information about (ISC)2 and its other certifications from its website
at www.isc2.org.
The Certified Information Systems Security Professional (CISSP)
credential is for security professionals responsible for designing and
maintaining security infrastructure within an organization.
Topical Domains
The CISSP certification covers material from the eight topical
domains. These eight domains are as follows:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
…
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.
Read moreEach paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.
Read moreThanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.
Read moreYour email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.
Read moreBy sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.
Read more