
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition.pdf

Foreword
Introduction
Editors
Preface
Domain 1 — Security & Risk Management
Confidentiality, Integrity, and Availability
Confidentiality
Integrity
Availability
Security Governance
Goals, Mission, and Objectives of the Organization
Organizational Processes
Security Roles and Responsibilities
Information Security Strategies
The Complete and Effective Security Program
Oversight Committee Representation
Control Frameworks
Due Care
Due Diligence
Compliance
Governance, Risk Management, and Compliance (GRC)
Legislative and Regulatory Compliance
Privacy Requirements Compliance
Global Legal and Regulatory Issues
Computer/Cyber Crime
Licensing and Intellectual Property
Import/Export
Trans-Border Data Flow
Privacy
Data Breaches
Relevant Laws and Regulations
Understand Professional Ethics
Regulatory Requirements for Ethics Programs
Topics in Computer Ethics
Common Computer Ethics Fallacies
Hacking and Hacktivism
Ethics Codes of Conduct and Resources
(ISC)2 Code of Professional Ethics
Support Organization’s Code of Ethics
Develop and Implement Security Policy
Business Continuity (BC) & Disaster Recovery (DR) Requirements
Project Initiation and Management
Develop and Document Project Scope and Plan
Conducting the Business Impact Analysis (BIA)
Identify and Prioritize
Assess Exposure to Outages
Recovery Point Objectives (RPO)
Manage Personnel Security
Employment Candidate Screening
Employment Agreements and Policies
Employee Termination Processes
Vendor, Consultant, and Contractor Controls
Privacy
Risk Management Concepts
Organizational Risk Management Concepts
Risk Assessment Methodologies
Identify Threats and Vulnerabilities
Risk Assessment/Analysis
Countermeasure Selection
Implementation of Risk Countermeasures
Types of Controls
Access Control Types
Controls Assessment/Monitoring and Measuring
Tangible and Intangible Asset Valuation
Continuous Improvement
Risk Management Frameworks
Threat Modeling
Determining Potential Attacks and Reduction Analysis
Technologies & Processes to Remediate Threats
Acquisitions Strategy and Practice
Hardware, Software, and Services
Manage Third-Party Governance
Minimum Security and Service-Level Requirements
Security Education, Training, and Awareness
Formal Security Awareness Training
Awareness Activities and Methods – Creating the Culture of Awareness in the Organization
Domain 2 — Asset Security
Data Management: Determine and Maintain Ownership
Data Policy
Roles and Responsibilities
Data Ownership
Data Custodianship
Data Quality
Data Documentation and Organization
Data Standards
Data Lifecycle Control
Data Specification and Modeling
Database Maintenance
Data Audit
Data Storage and Archiving
Longevity and Use
Data Security
Data Access, Sharing, and Dissemination
Data Publishing
Classify Information and Supporting Assets
Asset Management
Software Licensing
Equipment Lifecycle
Protect Privacy
Ensure Appropriate Retention
Media, Hardware, and Personnel
Company “X” Data Retention Policy
Determine Data Security Controls
Data at Rest
Data in Transit
Baselines
Scoping and Tailoring
Standards Selection
United States Resources
International Resources
National Cyber Security Framework Manual
Framework for Improving Critical Infrastructure Cybersecurity
Domain 3 — Security Engineering
The Engineering Lifecycle Using Security Design Principles
Fundamental Concepts of Security Models
Common System Components
How They Work Together
Enterprise Security Architecture
Common Architecture Frameworks
Zachman Framework
Capturing and Analyzing Requirements
Creating and Documenting Security Architecture
Information Systems Security Evaluation Models
Common Formal Security Models
Product Evaluation Models
Industry and International Security Implementation Guidelines
Security Capabilities of Information Systems
Access Control Mechanisms
Secure Memory Management
Vulnerabilities of Security Architectures
Systems
Technology and Process Integration
Single Point of Failure (SPOF)
Client-Based Vulnerabilities
Server-Based Vulnerabilities
Database Security
Large Scale Parallel Data Systems
Distributed Systems
Cryptographic Systems
Software and System Vulnerabilities and Threats
Web-Based
Vulnerabilities in Mobile Systems
Risks from Remote Computing
Risks from Mobile Workers
Vulnerabilities in Embedded Devices and Cyber-Physical Systems
The Application and Use of Cryptography
The History of Cryptography
Emerging Technology
Core Information Security Principles
Additional Features of Cryptographic Systems
The Cryptographic Lifecycle
Public Key Infrastructure (PKI)
Key Management Processes
Creation and Distribution of Keys
Digital Signatures
Digital Rights Management (DRM)
Non-Repudiation
Hashing
Simple Hash Functions
Methods of Cryptanalytic Attacks
Site and Facility Design Considerations
The Security Survey
Site Planning
Roadway Design
Crime Prevention through Environmental Design (CPTED)
Windows
Design and Implement Facility Security
Implementation and Operation of Facilities Security
Communications and Server Rooms
Restricted and Work Area Security
Data Center Security
Domain 4 — Communications & Network Security
Secure Network Architecture and Design
OSI and TCP/IP
IP Networking
Directory Services
Implications of Multi-Layer Protocols
Converged Protocols
Implementation
Voice over Internet Protocol (VoIP)
Wireless
Wireless Security Issues
Open System Authentication
Cryptography Used to Maintain Communications Security
Securing Network Components
Hardware
Transmission Media
Network Access Control Devices
End Point Security
Content Distribution Networks
Secure Communication Channels
Voice
Multimedia Collaboration
Open Protocols, Applications, and Services
Remote Access
Data Communications
Virtualized Networks
Network Attacks
The Network as an Enabler or Channel of Attack
The Network as a Bastion of Defense
Network Security Objectives and Attack Modes
Scanning Techniques
Security Event Management (SEM)
IP Fragmentation Attacks and Crafted Packets
Denial-of-Service (DoS) / Distributed-Denial-of-Service (DDoS) Attacks
Spoofing
Session Highjack
Domain 5 — Identity & Access Management
Physical and Logical Access to Assets
Identification and Authentication of People and Devices
Identification, Authentication, and Authorization
Identity Management Implementation
Password Management
Account Management
Profile Management
Directory Management
Directory Technologies
Single/Multi-Factor Authentication
Accountability
Session Management
Registration and Proof of Identity
Credential Management Systems
Identity as a Service (IDaaS)
Integrate Third-Party Identity Services
Implement and Manage Authorization Mechanisms
Role-Based Access Control
Rule-Based Access Control
Mandatory Access Controls (MACs)
Discretionary Access Controls (DACs)
Prevent or Mitigate Access Control Attacks
Windows PowerShell Equivalent Commands
Identity and Access Provisioning Lifecycle
Provisioning
Review
Revocation
Domain 6 — Security Assessment & Testing
Assessment and Test Strategies
Software Development as Part of System Design
Log Reviews
Synthetic Transactions
Code Review and Testing
Negative Testing/Misuse Case Testing
Interface Testing
Collect Security Process Data
Internal and Third-Party Audits
SOC Reporting Options
Domain 7 — Security Operations
Investigations
The Crime Scene
Policy, Roles, and Responsibilities
Incident Handling and Response
Recovery Phase
Evidence Collection and Handling
Reporting and Documenting
Evidence Collection and Processing
Continuous and Egress Monitoring
Data Leak/Loss Prevention (DLP)
Provisioning of Resources through Configuration Management
Foundational Security Operations Concepts
Key Themes
Controlling Privileged Accounts
Managing Accounts Using Groups and Roles
Separation of Duties and Responsibilities
Monitor Special Privileges
Job Rotation
Manage the Information Lifecycle
Service Level Agreements (SLAs)
Resource Protection
Tangible versus Intangible Assets
Hardware
Media Management
Incident Response
Incident Management
Security Measurements, Metrics, and Reporting
Managing Security Technologies
Detection
Response
Reporting
Recovery
Remediation and Review (Lessons Learned)
Preventative Measures against Attacks
Unauthorized Disclosure
Network Intrusion Detection System Architecture
Whitelisting, Blacklisting, and Greylisting… Oh My!
Third-party Security Services, Sandboxing, Anti-malware, Honeypots and Honeynets
Patch and Vulnerability Management
Security and Patch Information Sources
Change and Configuration Management
Configuration Management
Recovery Site Strategies
Multiple Processing Sites
System Resilience and Fault Tolerance Requirements
The Disaster Recovery Process
Documenting the Plan
Response
Personnel
Communications
Employee Notification
Assessment
Restoration
Provide Training
Exercise, Assess, and Maintain the Plan
Test Plan Review
Tabletop Exercise/Structured Walk-Through Test
Walk-Through Drill/Simulation Test
Functional Drill/Parallel Test
Full-Interruption/Full-Scale Test
Update and Maintenance of the Plan
Business Continuity and Other Risk Areas
Implementation and Operation of Perimeter Security
Access Control
Card Types
Closed Circuit TV
Internal Security
Interior Intrusion Detection Systems
Building and Inside Security
Doors
Personnel Safety
Privacy
Travel
Duress
Domain 8 — Security in the Software Development Life Cycle
Software Development Security Outline
Development Life Cycle
Maturity Models
Operation and Maintenance
Change Management
Integrated Product Team (e.g., DevOps)
Environment and Security Controls
Software Development Methods
The Database and Data Warehousing Environment
Database Vulnerabilities and Threats
DBMS Controls
Knowledge Management
Web Application Environment
Security of the Software Environment
Applications Development and Programming Concepts
The Software Environment
Libraries & Toolsets
Security Issues in Source Code
Malicious Software (Malware)
Malware Protection
Software Protection Mechanisms
Security Kernels, Reference Monitors, and the TCB
Configuration Management
Security of Code Repositories
Security of Application Programming Interfaces (API)
Assess the Effectiveness of Software Security
Certification and Accreditation
Auditing and Logging of Changes
Risk Analysis and Mitigation
Assess Software Acquisition Security
Appendix A — Answers to Domain Review Questions
Appendix B — Domain 1 Materials
Appendix C — Domain 2 Materials
Appendix D — Domain 3 Materials
Appendix E — Domain 4 Materials
Appendix F — Domain 5 Materials
Appendix G — Domain 6 Materials
Appendix H — Domain 7 Materials
Appendix I — Domain 8 Materials
Appendix J — Glossary
Appendix K — Index