
The Official (ISC)2 CISSP CBK Reference
Description
Thoroughly updated for 2021 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)² for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor-neutral and backed by (ISC)², the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.
This CBK covers the current eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Revised and updated by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:
* Common and good practices for each objective
* Common vocabulary and definitions
* References to widely accepted computing standards
* Highlights of successful approaches through case studies
Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.
Content
Foreword xix
Introduction xxi
Domain 1: Security and Risk Management 1
Understand, Adhere to, and Promote Professional Ethics 2
(ISC)2 Code of Professional Ethics 2
Organizational Code of Ethics 3
Understand and Apply Security Concepts 4
Confidentiality 4
Integrity 5
Availability 6
Limitations of the CIA Triad 7
Evaluate and Apply Security Governance Principles 8
Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives 9
Organizational Processes 10
Organizational Roles and Responsibilities 14
Security Control Frameworks 15
Due Care and Due Diligence 22
Determine Compliance and Other Requirements 23
Legislative and Regulatory Requirements 23
Industry Standards and Other Compliance Requirements 25
Privacy Requirements 27
Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context 28
Cybercrimes and Data Breaches 28
Licensing and Intellectual Property Requirements 36
Import/Export Controls 39
Transborder Data Flow 40
Privacy 41
Understand Requirements for Investigation Types 48
Administrative 49
Criminal 50
Civil 52
Regulatory 53
Industry Standards 54
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 55
Policies 55
Standards 56
Procedures 57
Guidelines 57
Identify, Analyze, and Prioritize Business Continuity Requirements 58
Business Impact Analysis 59
Develop and Document the Scope and the Plan 61
Contribute to and Enforce Personnel Security Policies and Procedures 63
Candidate Screening and Hiring 63
Employment Agreements and Policies 64
Onboarding, Transfers, and Termination Processes 65
Vendor, Consultant, and Contractor Agreements and Controls 67
Compliance Policy Requirements 67
Privacy Policy Requirements 68
Understand and Apply Risk Management Concepts 68
Identify Threats and Vulnerabilities 68
Risk Assessment 70
Risk Response/Treatment 72
Countermeasure Selection and Implementation 73
Applicable Types of Controls 75
Control Assessments 76
Monitoring and Measurement 77
Reporting 77
Continuous Improvement 78
Risk Frameworks 78
Understand and Apply Threat Modeling Concepts and Methodologies 83
Threat Modeling Concepts 84
Threat Modeling Methodologies 85
Apply Supply Chain Risk Management Concepts 88
Risks Associated with Hardware, Software, and Services 88
Third-Party Assessment and Monitoring 89
Minimum Security Requirements 90
Service-Level Requirements 90
Frameworks 91
Establish and Maintain a Security Awareness, Education, and Training Program 92
Methods and Techniques to Present Awareness and Training 93
Periodic Content Reviews 94
Program Effectiveness Evaluation 94
Summary 95
Domain 2: Asset Security 97
Identify and Classify Information and Assets 97
Data Classification and Data Categorization 99
Asset Classification 101
Establish Information and Asset Handling Requirements 104
Marking and Labeling 104
Handling 105
Storage 105
Declassification 106
Provision Resources Securely 108
Information and Asset Ownership 108
Asset Inventory 109
Asset Management 112
Manage Data Lifecycle 115
Data Roles 116
Data Collection 120
Data Location 120
Data Maintenance 121
Data Retention 122
Data Destruction 123
Data Remanence 123
Ensure Appropriate Asset Retention 127
Determining Appropriate Records Retention 129
Records Retention Best Practices 130
Determine Data Security Controls and Compliance Requirements 131
Data States 133
Scoping and Tailoring 135
Standards Selection 137
Data Protection Methods 141
Summary 144
Domain 3: Security Architecture and Engineering 147
Research, Implement, and Manage Engineering Processes Using Secure Design Principles 149
ISO/IEC 19249 150
Threat Modeling 157
Secure Defaults 160
Fail Securely 161
Separation of Duties 161
Keep It Simple 162
Trust, but Verify 162
Zero Trust 163
Privacy by Design 165
Shared Responsibility 166
Defense in Depth 167
Understand the Fundamental Concepts of Security Models 168
Primer on Common Model Components 168
Information Flow Model 169
Noninterference Model 169
Bell-LaPadula Model 170
Biba Integrity Model 172
Clark-Wilson Model 173
Brewer-Nash Model 173
Take-Grant Model 175
Select Controls Based Upon Systems Security Requirements 175
Understand Security Capabilities of Information Systems 179
Memory Protection 180
Secure Cryptoprocessor 182
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 187
Client-Based Systems 187
Server-Based Systems 189
Database Systems 191
Cryptographic Systems 194
Industrial Control Systems 200
Cloud-Based Systems 203
Distributed Systems 207
Internet of Things 208
Microservices 212
Containerization 214
Serverless 215
Embedded Systems 216
High-Performance Computing Systems 219
Edge Computing Systems 220
Virtualized Systems 221
Select and Determine Cryptographic Solutions 224
Cryptography Basics 225
Cryptographic Lifecycle 226
Cryptographic Methods 229
Public Key Infrastructure 243
Key Management Practices 246
Digital Signatures and Digital Certificates 250
Nonrepudiation 252
Integrity 253
Understand Methods of Cryptanalytic Attacks 257
Brute Force 258
Ciphertext Only 260
Known Plaintext 260
Chosen Plaintext Attack 260
Frequency Analysis 261
Chosen Ciphertext 261
Implementation Attacks 261
Side-Channel Attacks 261
Fault Injection 263
Timing Attacks 263
Man-in-the-Middle 263
Pass the Hash 263
Kerberos Exploitation 264
Ransomware 264
Apply Security Principles to Site and Facility Design 265
Design Site and Facility Security Controls 265
Wiring Closets/Intermediate Distribution Facilities 266
Server Rooms/Data Centers 267
Media Storage Facilities 268
Evidence Storage 269
Restricted and Work Area Security 270
Utilities and Heating, Ventilation, and Air Conditioning 272
Environmental Issues 275
Fire Prevention, Detection, and Suppression 277
Summary 281
Domain 4: Communication and Network Security 283
Assess and Implement Secure Design Principles in Network Architectures 283
Open System Interconnection and Transmission Control Protocol/Internet Protocol Models 285
The OSI Reference Model 286
The TCP/IP Reference Model 299
Internet Protocol Networking 302
Secure Protocols 311
Implications of Multilayer Protocols 313
Converged Protocols 315
Microsegmentation 316
Wireless Networks 319
Cellular Networks 333
Content Distribution Networks 334
Secure Network Components 335
Operation of Hardware 335
Repeaters, Concentrators, and Amplifiers 341
Hubs 341
Bridges 342
Switches 342
Routers 343
Gateways 343
Proxies 343
Transmission Media 345
Network Access Control 352
Endpoint Security 354
Mobile Devices 355
Implement Secure Communication Channels According to Design 357
Voice 357
Multimedia Collaboration 359
Remote Access 365
Data Communications 371
Virtualized Networks 373
Third-Party Connectivity 374
Summary 374
Domain 5: Identity and Access Management 377
Control Physical and Logical Access to Assets 378
Access Control Definitions 378
Information 379
Systems 380
Devices 381
Facilities 383
Applications 386
Manage Identification and Authentication of People, Devices, and Services 387
Identity Management Implementation 388
Single/Multifactor Authentication 389
Accountability 396
Session Management 396
Registration, Proofing, and Establishment of Identity 397
Federated Identity Management 399
Credential Management Systems 399
Single Sign-On 400
Just-In-Time 401
Federated Identity with a Third-Party Service 401
On Premises 402
Cloud 403
Hybrid 403
Implement and Manage Authorization Mechanisms 404
Role-Based Access Control 405
Rule-Based Access Control 405
Mandatory Access Control 406
Discretionary Access Control 406
Attribute-Based Access Control 407
Risk-Based Access Control 408
Manage the Identity and Access Provisioning Lifecycle 408
Account Access Review 409
Account Usage Review 411
Provisioning and Deprovisioning 411
Role Definition 412
Privilege Escalation 413
Implement Authentication Systems 414
OpenID Connect/Open Authorization 414
Security Assertion Markup Language 415
Kerberos 416
Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus 417
Summary 418
Domain 6: Security Assessment and Testing 419
Design and Validate Assessment, Test, and Audit Strategies 420
Internal 421
External 422
Third-Party 423
Conduct Security Control Testing 423
Vulnerability Assessment 423
Penetration Testing 428
Log Reviews 435
Synthetic Transactions 435
Code Review and Testing 436
Misuse Case Testing 437
Test Coverage Analysis 438
Interface Testing 439
Breach Attack Simulations 440
Compliance Checks 441
Collect Security Process Data 442
Technical Controls and Processes 443
Administrative Controls 443
Account Management 444
Management Review and Approval 445
Management Reviews for Compliance 446
Key Performance and Risk Indicators 447
Backup Verification Data 450
Training and Awareness 450
Disaster Recovery and Business Continuity 451
Analyze Test Output and Generate Report 452
Typical Audit Report Contents 453
Remediation 454
Exception Handling 455
Ethical Disclosure 456
Conduct or Facilitate Security Audits 458
Designing an Audit Program 458
Internal Audits 459
External Audits 460
Third-Party Audits 460
Summary 461
Domain 7: Security Operations 463
Understand and Comply with Investigations 464
Evidence Collection and Handling 465
Reporting and Documentation 467
Investigative Techniques 469
Digital Forensics Tools, Tactics, and Procedures 470
Artifacts 475
Conduct Logging and Monitoring Activities 478
Intrusion Detection and Prevention 478
Security Information and Event Management 480
Continuous Monitoring 481
Egress Monitoring 483
Log Management 484
Threat Intelligence 486
User and Entity Behavior Analytics 488
Perform Configuration Management 489
Provisioning 490
Asset Inventory 492
Baselining 492
Automation 493
Apply Foundational Security Operations Concepts 494
Need-to-Know/Least Privilege 494
Separation of Duties and Responsibilities 495
Privileged Account Management 496
Job Rotation 498
Service-Level Agreements 498
Apply Resource Protection 499
Media Management 500
Media Protection Techniques 501
Conduct Incident Management 502
Incident Management Plan 503
Detection 505
Response 506
Mitigation 507
Reporting 508
Recovery 510
Remediation 510
Lessons Learned 511
Operate and Maintain Detective and Preventative Measures 511
Firewalls 512
Intrusion Detection Systems and Intrusion Prevention Systems 514
Whitelisting/Blacklisting 515
Third-Party-Provided Security Services 515
Sandboxing 517
Honeypots/Honeynets 517
Anti-malware 518
Machine Learning and Artificial Intelligence Based Tools 518
Implement and Support Patch and Vulnerability Management 519
Patch Management 519
Vulnerability Management 521
Understand and Participate in Change Management Processes 522
Implement Recovery Strategies 523
Backup Storage Strategies 524
Recovery Site Strategies 527
Multiple Processing Sites 527
System Resilience, High Availability, Quality of Service, and Fault Tolerance 528
Implement Disaster Recovery Processes 529
Response 529
Personnel 530
Communications 531
Assessment 532
Restoration 533
Training and Awareness 534
Lessons Learned 534
Test Disaster Recovery Plans 535
Read-through/Tabletop 536
Walkthrough 536
Simulation 537
Parallel 537
Full Interruption 537
Participate in Business Continuity Planning and Exercises 538
Implement and Manage Physical Security 539
Perimeter Security Controls 541
Internal Security Controls 543
Address Personnel Safety and Security Concerns 545
Travel 545
Security Training and Awareness 546
Emergency Management 546
Duress 547
Summary 548
Domain 8: Software Development Security 549
Understand and Integrate Security in the Software Development Life Cycle (SDLC) 550
Development Methodologies 551
Maturity Models 561
Operation and Maintenance 567
Change Management 568
Integrated Product Team 571
Identify and Apply Security Controls in Software Development Ecosystems 572
Programming Languages 572
Libraries 577
Toolsets 578
Integrated Development Environment 579
Runtime 580
Continuous Integration and Continuous Delivery 581
Security Orchestration, Automation, and Response 583
Software Configuration Management 585
Code Repositories 586
Application Security Testing 588
Assess the Effectiveness of Software Security 590
Auditing and Logging of Changes 590
Risk Analysis and Mitigation 595
Assess Security Impact of Acquired Software 599
Commercial Off-the-Shelf 599
Open Source 601
Third-Party 602
Managed Services (SaaS, IaaS, PaaS) 602
Define and Apply Secure Coding Guidelines and Standards 604
Security Weaknesses and Vulnerabilities at the Source-Code Level 605
Security of Application Programming Interfaces 613
API Security Best Practices 613
Secure Coding Practices 618
Software-Defined Security 621
Summary 624
Index 625
Introduction
The Certified Information Systems Security Professional (CISSP) certification identifies a professional who has demonstrated skills, knowledge, and abilities across a wide array of security practices and principles. The exam covers eight domains of practice, which are codified in the CISSP Common Body of Knowledge (CBK). The CBK presents topics that a CISSP can use in their daily role to identify and manage security risks to data and information systems and is built on a foundation comprising fundamental security concepts of confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA), as well as privacy and security (CIANA+PS). A variety of controls can be implemented for both data and systems, with the goal of either safeguarding or mitigating security risks to each of these foundational principles.
Global professionals take many paths into information security, and each candidate's experience must be combined with variations in practice and perspective across industries and regions due to the global reach of the certification. For most security practitioners, achieving the CISSP requires study and learning new disciplines, and professionals are unlikely to work across all eight domains on a daily basis. The CISSP CBK is a baseline standard of security knowledge to help security practitioners deal with new and evolving risks, and this guide provides easy reference to aid practitioners in applying security topics and principles. This baseline must be connected with the reader's own experience and the unique operating environment of the reader's organization to be effective. The rapid pace of change in security also demands that practitioners continuously maintain their knowledge, so CISSP credential holders are also expected to maintain their knowledge via continuing education. Reference materials like this guide, along with other content sources such as industry conferences, webinars, and research, are vital to maintaining this knowledge.
The domains presented in the CBK are progressive, starting with a foundation of basic security and risk management concepts in Chapter 1, "Security and Risk Management," as well as fundamental topics of identifying, valuing, and applying proper risk mitigations for asset security in Chapter 2, "Asset Security." Applying security to complex technology environments can be achieved by applying architecture and engineering concepts, which are presented in Chapter 3, "Security Architecture and Engineering." Chapter 4, "Communication and Network Security," details both the critical risks to as well as the critical defensive role played by communications networks, and Chapter 5, "Identity and Access Management," covers the crucial practices of identifying users (both human and nonhuman) and controlling their access to systems, data, and other resources. Once a security program is designed, it is vital to gather information about and assess its effectiveness, which is covered in Chapter 6, "Security Assessment and Testing," and to keep the entire affair running - also known as security operations or SecOps, which is covered in Chapter 7, "Security Operations." Finally, the vital role played by software is addressed in Chapter 8, "Software Development Security," which covers both principles of securely developing software as well as risks and threats to software and development environments. The following presents overviews for each of these chapters in a little more detail.
Security and Risk Management
The foundation of the CISSP CBK is the assessment and management of risk to data and the information systems that process it. The Security and Risk Management domain introduces the foundational CIANA+PS concepts needed to build a risk management program. Using these concepts, a security practitioner can build a program for governance, risk, and compliance (GRC), which allows the organization to design a system of governance needed to implement security controls. These controls should address the risks faced by the organization as well as any necessary legal and regulatory compliance obligations.
Risk management principles must be applied throughout an organization's operations, so topics of business continuity (BC), personnel security, and supply chain risk management are also introduced in this domain. Ensuring that operations can continue in the event of a disruption supports the goal of availability, while properly designed personnel security controls require training programs and well-documented policies and other security guidance.
One critical concept is presented in this domain: the (ISC)2 code of professional ethics. All CISSP candidates must agree to be bound by the code as part of the certification process, and credential holders face penalties up to and including loss of their credentials for violating the code. Regardless of what area of security a practitioner is working in, the need to preserve the integrity of the profession by adhering to a code of ethics is critical to fostering trust in the security profession.
Asset Security
Assets are anything that an organization uses to generate value, including ideas, processes, information, and computing hardware. Classifying and categorizing assets allows organizations to prioritize limited security resources to achieve a proper balance of costs and benefits, and this domain introduces important concepts of asset valuation, classification and categorization, and asset handling to apply appropriate protection based on an asset's value. The value of an asset dictates the level of protection it requires, which is often expressed as a security baseline or compliance obligation that the asset owner must meet.
CISSP credential holders will spend a large amount of their time focused on data and information security concerns. The data lifecycle is introduced in this domain to provide distinct phases for determining data security requirements. Protection begins by defining roles and processes for handling data, and once the data is created, these processes must be followed. This includes managing data throughout creation, use, archival, and eventual destruction when no longer needed, and it focuses on data in three main states: in use, in transit, and at rest.
Handling sensitive data will, for many organizations, involve legal, regulatory, or contractual obligations to protect specific data types, such as personally identifiable information (PII) or transactional data related to payment cards. Payment card data is governed by the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, and PII often requires protections to comply with regional or local laws like the European Union General Data Protection Regulation (EU GDPR). Both frameworks dictate specific protection obligations an organization must meet when collecting, handling, and using the regulated data.
Security Architecture and Engineering
The Security Architecture and Engineering domain covers topics relevant to implementing and managing security controls across a variety of systems. Secure design principles are introduced that are used to build a security program, such as secure defaults, zero trust, and privacy by design. Common security models are also covered in this domain, which provide an abstract way of viewing a system or environment and allow for identification of security requirements related to the CIANA+PS principles. Specific system types are discussed in detail to highlight the application of security controls in a variety of architectures, including client- and server-based systems, industrial control systems (ICSs), Internet of Things (IoT), and emerging system types like microservices and containerized applications.
This domain presents the foundational details of cryptography and introduces topics covering basic definitions of encryption, hashing, and various cryptographic methods, as well as attacks against cryptography known as cryptanalysis. Applications of cryptography are integrated throughout all domains where relevant, such as the use of encryption in secure network protocols, which is covered in Chapter 4. Physical architecture security - including fire suppression and detection, secure facility design, and environmental control - is also introduced in this domain.
Communication and Network Security
One major value of modern information systems lies in their ability to share and exchange data, so fundamentals of networking are presented in the Communication and Network Security domain along with details of implementing adequate security protections for these communications. This domain introduces common models used for network services, including the Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models. These layered abstractions provide a method for identifying specific security risks and control capabilities to safeguard data, and the domain presents fundamentals, risks, and countermeasures available at each level of the OSI and TCP/IP models.
Properly securing networks and communications requires strategic planning to ensure proper architectural choices are made and implemented. Concepts of secure network design - such as planning and segmentation, availability of hardware, and network access control (NAC) - are introduced in this domain. Common network types and their specific security risks are introduced as well, including software-defined networks...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).