Preface
Information system security is critically important for enterprises as cybercrime continues to grow at a rapid pace. According to Cybercrime Magazine, cyber attackers inflicted damage totaling $6 trillion globally in 2021 and that is expected to grow to $10.5 trillion by 2025 (https://packt.link/8qRsd). As businesses move further with information systems to control various facilities such as water treatment facilities, automobiles, and nuclear plants, they need talented and certified professionals to help them secure these environments because cyberattacks could also be life-threatening.
This need for security has led to a high demand for knowledgeable and talented information system security engineers and architects who can help organizations design, build, and operate secure Information Technology (IT) environments. IT security certifications can help organizations identify and develop critical skills for implementing various cybersecurity initiatives. Certifications can also help individuals demonstrate their technical knowledge, skills, and abilities to potential employers to advance their careers.
The goal of this book is to help you pass the Certified Information Systems Security Professional (CISSP) certification exam by ISC2. The CISSP certification is the most sought-after global credential and represents the highest standard for information system security expertise. It confirms your ability to apply best practices to information system security architecture, design, and operations.
As you progress through this book, you'll engage with practical and straightforward explanations of cybersecurity concepts, designed to educate you on the challenges security professionals face in computing environments. The chapters in this book cover the domains of topics relevant to the CISSP exam, including developing a comprehensive information system security policy, conducting risk assessments for IT deployments, implementing identity and access management solutions, securing data in system storage, and designing disaster recovery plans. Each chapter will guide you through scenarios that test your understanding of the CISSP domains, from architectural considerations to legal and compliance frameworks.
For additional practice questions and exams, acquire the CISSP Certification Practice Exams and Tests book. It includes over 1,000 practice questions critical to successfully passing the CISSP exam on the first try (ISBN: 1800561377).
By the end of this study guide, you'll possess a solid understanding of information system security principles and practices, as well as the confidence needed to apply this knowledge in your current role. You will also be well prepared to pass the CISSP exam the first time!
Who This Book Is For
This book is for those who are preparing to take and pass the CISSP exam. It is recommended that you have at least five years of experience in IT, with two of those years being focused on aspects such as IT security, application security, privacy, or data governance.
What This Book Covers
Chapter 1, Ethics, Security Concepts, and Governance Principles, introduces the most relevant information security concepts, which are the foundation of the entire book. We discuss the importance of ethics, fundamental security concepts, and the difference between due care and due diligence.
Chapter 2, Compliance, Regulation, and Investigations, discusses privacy regulations and country-specific legislation related to PII and PHI. We will review key jurisdictional differences in data privacy.
Chapter 3, Security Policies and Business Continuity, describes the common practices that organizations follow for defining security policies and deploying frameworks that prioritize business continuity.
Chapter 4, Risk Management, Threat Modeling, SCRM, and SETA, discusses the application of key risk management principles. This will include an in-depth look at threat modeling techniques and methodologies, along with Supply Chain Risk Management (SCRM) strategies. Additionally, you'll evaluate Security Education, Training, and Awareness (SETA) programs.
Chapter 5, Asset and Privacy Protection, delves into identifying and classifying information and assets, establishing appropriate handling requirements for them, and ensuring that resources are securely provisioned.
Chapter 6, Information and Asset Handling, further details asset security, focusing on the management of digital assets throughout their life cycle. It covers the usage and destruction phases of information, outlining the key requirements for effective oversight of digital assets.
Chapter 7, Secure Design Principles and Controls, guides you through the fundamental concepts of security models, helping you understand their role in protecting systems. Additionally, it covers the best practices for selecting appropriate security controls based on the specific requirements of a system.
Chapter 8, Architecture Vulnerabilities and Cryptography, discusses how you can assess and mitigate vulnerabilities in security architectures, select and implement cryptographic solutions as per your needs, and explore cryptanalytic attack methods to better recognize and defend against threats.
Chapter 9, Facilities and Physical Security, covers how to apply security principles in the design of buildings and other facilities, ensuring they are safeguarded against potential threats. The chapter will also cover the design and implementation of effective security controls tailored to different areas within a facility, including both restricted zones and general work areas. You will also learn how to incorporate utilities and HVAC systems into the overall security framework.
Chapter 10, Network Architecture Security, provides an overview of the key concepts of network architectures. We discuss network fundamentals, networking devices, and how to provide secure channels around these architectures.
Chapter 11, Securing Communication Channels, discusses how organizations secure communications using various hardware and software solutions.
Chapter 12, Identity, Access Management, and Federation, discusses the implementation of security practices suited to an organization's environment, performing detailed accounting of user and system access, and securely managing the provisioning and deprovisioning of identities to minimize vulnerabilities.
Chapter 13, Identity Management Implementation, focuses on the implementation of effective authentication systems to verify user identities and control access. The chapter will also delve into authentication, authorization, and accounting, explaining how these systems work together to ensure that users are not only verified but also granted appropriate access and that their activities are properly logged.
Chapter 14, Designing and Conducting Security Assessments, discusses how you can develop effective methods to evaluate the security posture of systems and ensure they meet the required standards. The chapter covers how to conduct thorough security control testing, including how to execute and analyze tests to identify vulnerabilities and verify the effectiveness of implemented controls.
Chapter 15, Designing and Conducting Security Testing, reviews the most common ways to conduct audits of IT systems, covering the audit process, the methodologies, and the required adaptations for a cloud environment.
Chapter 16, Planning for Security Operations, discusses investigation procedures and how to comply with them so that all incidents are properly documented and reviewed. The chapter covers logging and monitoring activities that track and help you analyze system events for potential security issues.
Chapter 17, Security Operations, details how you can effectively execute the incident management process. The chapter covers the procedures for responding to and resolving security incidents, and also operating and maintaining both detective and preventive measures to continuously protect systems from threats.
Chapter 18, Disaster Recovery, discusses the specifics of preparing to withstand disasters and business disruptions so that businesses can continue the delivery of products and services within acceptable time frames.
Chapter 19, Business Continuity, Personnel, and Physical Security, teaches you how to actively participate in planning and conducting exercises to test and improve security measures....