The CISSP exam is for security professionals who understand that poor security can put a company out of business. The exam covers eight important security domains - risk management, security architecture, data security, network security, identity management, auditing, security operations, and software development security. Designed to cover all the concepts tested in the CISSP exam, CISSP (ISC)2 Certification Practice Exams and Tests will assess your knowledge of information security and introduce you to the tools you need to master to pass the CISSP exam (version May 2021). With more than 100 questions for every CISSP domain, this book will test your understanding and fill the gaps in your knowledge with the help of descriptive answers and detailed explanations. You'll also find two complete practice exams that simulate the real CISSP exam, along with answers.
By the end of this book, you'll be ready to take and pass the (ISC)2 CISSP exam and achieve the Certified Information Systems Security Professional certification, putting you in the position to build a career as a security engineer, security manager, or chief information security officer (CISO).
Page count: 452
Year of publication: 2021
Over 1,000 practice questions and explanations covering all 8 CISSP domains for the May 2021 exam version
Ted Jordan, MSc, CISSP
BIRMINGHAM—MUMBAI
Copyright © 2021 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Wilson D'souza
Publishing Product Manager: Shrilekha Malpani
Senior Editor: Arun Nadar
Content Development Editor: Mrudgandha Kulkarni
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Production Designer: Nilesh Mohite
First published: August 2021
Production reference: 1220721
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80056-137-3
www.packt.com
Thank you Cheryl, Theo, and Aria for allowing Daddy time to complete this work. Thanks to Cass Tech HS teachers Max Green and Walter Downs, a Tuskegee Airman who felled 6½ WWII enemy aircraft, for giving me my "serious fun" teaching style. Dr. Green and Dr. McKeachie of Kettering U showed me how to simplify tough concepts for students. Dr. Stark and Dr. Tomizuka of UC Berkeley introduced me to UNIX, which has taken me further than I imagined.
Ted Jordan, MSc, CISSP, CSSLP, CEH, Security+, Cloud+, CTT+, Linux+, has over 30 years of cybersecurity experience. He studied info security at UC Berkeley and Kettering U. As an engineer, he used agile SDLC principles at GM, SGI, CAVE AR/VR, and SUN.
He is president of the successful start-up JordanTeam, which provides ethical hacking and education solutions. He has trained hundreds to attain their CISSP, CSSLP, CEH, Security+, and other certifications at Training Camp, ACI, NetCom, Training Assoc, Learning Tree, Global Knowledge, TechnoTraining, iKue, and more.
Follow him on Twitter and YouTube at @JordanTeamLearn.
This book is dedicated to my parents, Gwen and Ted Jordan, who helped me find my passion and teach others "how to fish."
Dharam Chhatbar is a seasoned InfoSec professional with more than 11 years of experience in various verticals of InfoSec, delivering impactful and high-quality risk-reducing work. He has helped secure many banks and retail firms, and is currently working in a Fortune 500 company. He holds a master's degree, is a fervent learner, and has earned several global certifications, such as CISSP, GSLC (GIAC), CCSP, CSSLP, GMOB, and some certifications related to the cloud, such as Azure (AZ500), GCP (PCSE), and AWS (SAA). His key competencies include vulnerability management, application security, cloud security, VA/PT, and managing teams/vendors. Reach him on LinkedIn at @dharamm.
I would like to thank my parents, Bina and Jagdish; my wife, Chaitali; and my sister, Hina, for their continued support and encouragement with everything that I do, and for motivating me to always achieve my ambitions.
Wade Henderson holds an MBA in international business and several IT, project management, and business-related certifications. His career spans over 15 years in the project management field, as well as mentoring and teaching in these areas. Wade is a professional project management consultant and has provided services to a wide range of business types, from multinational corporations to start-ups. Being a lifelong learner, he is continuously involved in many forms of education as a daily pursuit of personal development.
Congratulations on taking this next step toward completing your International Information System Security Certification Consortium, or (ISC)², Certified Information Systems Security Professional (CISSP) certification. This certification preparation guide contains over 1,000 practice questions covering all eight domains of the CISSP exam. The content is complete, up to date, and covers the latest CISSP exam topics released on May 1, 2021. Take the exam with confidence, fully equipped to pass the first time.
This book is for the information technology professional who seeks to gain the (ISC)² CISSP certification.
You should have at least 2 years of experience in one of the following areas: governance, risk, and compliance (GRC), change management, network administration, systems administration, physical security, database management, or software development.
Chapter I, Scheduling the CISSP Exam, explains where and how to schedule and take the exam.
Chapter 1, Security and Risk Management Domain 1 Practice Questions, has 100 practice questions covering GRC management and security requirements.
Chapter 2, Asset Security Domain 2 Practice Questions, has 100 practice questions covering asset handling and the data life cycle.
Chapter 3, Security Architecture and Engineering Domain 3 Practice Questions, has 100 practice questions covering security models, systems security, encryption, and physical security.
Chapter 4, Communication and Network Security Domain 4 Practice Questions, has 100 practice questions covering network architecture security and network component security.
Chapter 5, Identity and Access Management Domain 5 Practice Questions, has 100 practice questions covering multi-factor authentication, single sign-on, and federation.
Chapter 6, Security Assessment and Testing Domain 6 Practice Questions, has 100 practice questions covering vulnerability assessments, penetration testing, disaster recovery, and business continuity.
Chapter 7, Security Operations Domain 7 Practice Questions, has 100 practice questions covering investigative techniques, threat intelligence, foundational security concepts, and incident management.
Chapter 8, Software Development Security Domain 8 Practice Questions, has 100 practice questions covering the software development life cycle, software configuration management, open source software, and secure coding practices.
Chapter 9, Full Practice Exam 1, has 100 practice questions as an exam simulation covering all eight domains.
Chapter 10, Full Practice Exam 2, is an exam simulation, to be timed like a real exam, with 100 practice questions.
The use of a timer is very important while taking practice questions. The goal is to read and correctly answer each question within 60 seconds.
Access to the internet and a web browser is important to research scenarios and get more details as to why specific answers are correct. The web browser can be run from a computer or tablet.
Candidates without 5 years of work experience should continue accruing security experience to complete their CISSP and move toward getting the Associate of (ISC)² certification. As an associate, you have 6 years to fulfill the 5-year requirement.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The sudoers file is a database of users allowed to use sudo and which elevated commands they can run."
Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "Two-factor authentication (2FA) asks for two different types of verification."
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you've read CISSP (ISC)2 Certification Practice Exams and Tests, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
The CISSP exam is seen as one of the world's most respected cyber security certifications. Fortune 1000 companies, the US Federal Government, and the US Department of Defense require individuals to have the certification to advance their career in cyber security. The United Kingdom's National Academic Recognition Information Centre states that the CISSP qualification assessment of knowledge and skills is as good as a master's degree (learn more here: https://www.mercurysolutions.co/blog/cissp-certification-is-equivalent-to-masters-degree-now).
In this introductory chapter, we provide the steps to schedule the exam, find a testing center, and best use this book to put you in the greatest situation for passing and achieving the CISSP certification. We will cover the following:
Creating an (ISC)2 account
Finding a nearby Pearson Vue testing center
Maintaining your CISSP certification
The CISSP experiential requirements
How to use this book
The first step to scheduling the exam is to create an account with the testing provider, Pearson Vue Testing Services. Pearson Vue has over 25 years of certification testing experience and works with (ISC)² so that you can schedule and take your exam at one of their many partner testing provider centers.
The first step is to create an account with (ISC)² on the Pearson Vue partner page here: https://home.pearsonvue.com/isc2.
After your Pearson Vue/(ISC)² account is created, log in and select View Exams, and then select the CISSP: Certified Information Systems Security Professional exam to schedule. (There is an option for Online Exams to take at home, but this is not available for the CISSP exam.)
Select your preferred language, and review the testing policies as needed. These will contain information pertaining to COVID-19 and mask-wearing while at the testing center. Also, the candidate needs to bring two pieces of identification to the testing center; otherwise, the candidate is failed without a refund.
Look your best at the testing center because, as stated in the testing policies, they will take a photograph and a palm vein scan that stays with your (ISC)² account.
The testing policies also include information about rescheduling and cancellation fees. Find the full list of terms and conditions here: https://www.isc2.org/uploadedFiles/Certification_Programs/CBT-Examination-Agreement.pdf.
If you need an accommodation, let them know ahead of time as stated in the testing policies. For example, if you have mechanical devices on your body, such as for dialysis, let (ISC)² know before you arrive; otherwise, you may not be able to take the test on your scheduled day. To request an accommodation, visit this link: https://www.isc2.org/Register-for-Exam.
Next, complete the exam eligibility form with employer information, your address, languages, degrees attained, and whether you are selecting the Associate option.
After this step, choose a convenient testing center. A calendar will pop up for you to choose a convenient date and time to take the exam.
Pay the US$749 exam fee at the checkout and you will then be scheduled to take your exam.
You have studied, taken hundreds of practice questions, and are now ready to sit the CISSP exam. Arrive at the testing center at least 30 minutes early. There may be others taking exams, so the Pearson Vue proctors may need time to check you in.
They will ask you for two pieces of identification. A driver's license and a signed credit card are fine. They will also accept a passport or common access card.
You are not allowed to take anything into the testing room, so they will ask you to turn your phone off, and put it in a locker with your keys, wallet, and study notes. They will provide earplugs if desired.
They provide a sheet or two of notepaper to use, but you have to return it to them at the end of the exam.
They will inspect your glasses, pants pockets, mask, and might ask you to frisk yourself.
Next, you enter the exam room and sit at a computer where the exam is displayed. The first screen shown is the terms and conditions. You must accept the terms and conditions before the 25-minute timer runs out; otherwise, you'll fail without a refund. Avoid failing on the terms and conditions (T&C) by reading them before taking the exam on the (ISC)² website: https://www.isc2.org/Exams/Exam-Agreement.
You will get your score after you exit the testing room. Once you have provisionally passed, you still need to provide (ISC)² with a sponsor that can vouch for your security experience. If you have trouble finding one, (ISC)² can assist, but check your LinkedIn account first for fellow (ISC)² members.
Within 4 to 6 weeks, you will receive your Certified Information Systems Security Professional certification diploma in the mail. Also included in the shipment will be the following:
A welcome letter
Information about joining your local (ISC)² chapter
Information about where and how to obtain Continuing Professional Education hours
Information about assisting as an exam developer for future exams
A list of member benefits
A certified membership identification card
A certified membership pin
Now that you have received your diploma, you can publicly let the world know that you are an official certified CISSP!
The certification is not a lifetime credential and expires after 3 years. There are two options to retain the certification beyond that period. Either take the exam every 3 years or complete Continuing Professional Education hours (CPE hours). Details are found here: https://www.isc2.org/-/media/ISC2/Certifications/CPE/CPE---Handbook.ashx.
Continuing professional education credits are granted for the following:
Attending information system security related training classes
Reading or publishing information system security related articles or books
Attending information system security conferences
Attending information system security classes
Preparing to teach a course on information system security
A work-related project that is not part of your normal work duties
Taking a higher education course
Volunteering in information system security for non-profit organizations
Self-study preparing for a certification exam
To track your CPE hours, first join https://www.isc2.org and become a member. The annual dues are US$125. Then, to maintain the CISSP, acquire 120 CPE hours over 3 years. One website that automates the CPE process is BrightTALK, at https://www.brighttalk.com. After registering on their website, watch their information security related videos to earn CPE hours. They will automatically inform (ISC)² of the titles, descriptions, and CPE credit hours so you don't have to.
Not only does the candidate need to pass the exam, but they must meet the CISSP experience requirements found here: https://www.isc2.org/Certifications/CISSP/experience-requirements.
Candidates must have at least 5 years of work experience in at least 2 of the 8 domains. If the candidate does not have the work experience, they may become an Associate CISSP and are allowed up to 6 years to achieve the 5-year work experience requirement. Also, a college degree and some certifications count toward 1 of the 5 years of work experience.
The eight domains are as follows:
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security
Don't think that you need to have Security in your job title, or need to have worked in a Security Operations Center (SOC), to attain the work experience requirement. Security includes backing up computers, setting up networks, programming firewalls, installing IoT devices, and testing for malware.
Are you a computer programmer? Security includes reviewing source code for vulnerabilities, adding input sanitization features, being part of the software development lifecycle team, and so much more. See where your experiences qualify toward CISSP certification by reviewing the detailed outline on the (ISC)² website here: https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CISSP-Exam-Outline-English-April-2021.ashx or refer to the list of topics covered, given in the following sections for your convenience.
1.1 Understand, adhere to, and promote professional ethics:
(ISC)2 Code of Professional Ethics
Organizational code of ethics
1.2 Understand and apply security concepts:
Confidentiality, integrity, availability, authenticity, and nonrepudiation
1.3 Evaluate and apply security governance principles:
Alignment of the security function to business strategy, goals, mission, and objectives
Organizational processes (for example, acquisitions, divestitures, governance committees)
Organizational roles and responsibilities
Security control frameworks
Due care/due diligence
1.4 Determine compliance and other requirements:
Contractual, legal, industry standards, and regulatory requirements
Privacy requirements
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context:
Cybercrimes and data breaches
Licensing and Intellectual Property (IP) requirements
Import/export controls
Transborder data flow
Privacy
1.6 Understand requirements for investigation types (such as administrative, criminal, civil, regulatory, or industry standards)
1.7 Develop, document, and implement security policy, standards, procedures, and guidelines
1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements:
Business Impact Analysis (BIA)
Develop and document the scope and the plan
1.9 Contribute to and enforce personnel security policies and procedures:
Candidate screening and hiring
Employment agreements and policies
Onboarding, transfers, and termination processes
Vendor, consultant, and contractor agreements and controls
Compliance policy requirements
Privacy policy requirements
1.10 Understand and apply risk management concepts:
Identify threats and vulnerabilities
Risk assessment/analysis
Risk response
Countermeasure selection and implementation
Applicable types of controls (for example, preventive, detective, or corrective)
Control assessments (security and privacy)
Monitoring and measurement
Reporting
Continuous improvement (for example, risk maturity modeling)
Risk frameworks
1.11 Understand and apply threat modeling concepts and methodologies
1.12 Apply Supply Chain Risk Management (SCRM) concepts:
Risks associated with hardware, software, and services
Third-party assessment and monitoring
Minimum security requirements
Service level requirements
1.13 Establish and maintain a security awareness, education, and training program:
Methods and techniques to present awareness and training (for example, social engineering, phishing, security champions, or gamification)
Periodic content reviews
Program effectiveness evaluation
2.1 Identify and classify information and assets:
Data classification
Asset classification
2.2 Establish information and asset handling requirements:
Information and asset ownership
Asset inventory (for example, tangible or intangible)
Asset management
2.3 Provision resources securely
2.4 Manage the data life cycle:
Data roles (for example, owners, controllers, custodians, processors, and users/subjects)
Data collection
Data location
Data maintenance
Data retention
Data remanence
Data destruction
2.5 Ensure appropriate asset retention (for example, End-of-Life (EOL) or End-of-Support (EOS))
2.6 Determine data security controls and compliance requirements:
Data states (for example, in use, in transit, or at rest)
Scoping and tailoring
Standards selection
Data protection methods (for example, Digital Rights Management (DRM), Data Loss Prevention (DLP), or Cloud Access Security Broker (CASB))
3.1 Research, implement, and manage engineering processes using secure design principles:
Threat modeling
Least privilege
Defense in depth
Secure defaults
Fail securely
Separation of Duties (SoD)
Keep it simple
Zero trust
Privacy by design
Trust but verify
Shared responsibility
3.2 Understand the fundamental concepts of security models (for example, Biba, Star Model, and Bell-LaPadula)
3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of Information Systems (IS) (for example, memory protection, Trusted Platform Module (TPM), and encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements:
Client-based systems
Server-based systems
Database systems
Cryptographic systems
Industrial Control Systems (ICS)
Cloud-based systems (for example, Software as a Service (SaaS), Infrastructure as a Service (IaaS), or Platform as a Service (PaaS))
Distributed systems
Internet of Things (IoT)
Microservices
Containerization
Serverless
Embedded systems
High-Performance Computing (HPC) systems
Edge computing systems
Virtualized systems
3.6 Select and determine cryptographic solutions:
Cryptographic life cycle (for example, keys or algorithm selection)
Cryptographic methods (for example, symmetric, asymmetric, elliptic curves, or quantum)
Public Key Infrastructure (PKI)
Key management practices
Digital signatures and digital certificates
Non-repudiation
Integrity (for example, hashing)
3.7 Understand methods of cryptanalytic attacks:
Brute force
Ciphertext only
Known plaintext
Frequency analysis
Chosen ciphertext
Implementation attacks
Side-channel
Fault injection
Timing
Man-in-the-Middle (MITM)
Pass the hash
Kerberos exploitation
Ransomware
3.8 Apply security principles to site and facility design
3.9 Design site and facility security controls:
Wiring closets/intermediate distribution facilities
Server rooms/data centers
Media storage facilities
Evidence storage
Restricted and work area security
Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
Environmental issues
Fire prevention, detection, and suppression
Power (for example, redundant or backup)
4.1 Assess and implement secure design principles in network architectures:
Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
Internet Protocol (IP) networking (for example, Internet Protocol Security (IPSec) or Internet Protocol (IP) v4/6)
Secure protocols
Implications of multilayer protocols
Converged protocols (for example, Fibre Channel over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), and Voice over Internet Protocol (VoIP))
Micro-segmentation (for example, Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), encapsulation, and Software-Defined Wide Area Network (SD-WAN))
Wireless networks (for example, Li-Fi, Wi-Fi, Zigbee, and satellite)
Cellular networks (for example, 4G and 5G)
Content Distribution Networks (CDN)
4.2 Secure network components:
Operation of hardware (for example, redundant power, warranty, or support)
Transmission media
Network Access Control (NAC) devices
Endpoint security
4.3 Implement secure communication channels according to design:
Voice
Multimedia collaboration
Remote access
Data communications
Virtualized networks
Third-party connectivity
5.1 Control physical and logical access to assets:
Information
Systems
Devices
Facilities
Applications
5.2 Manage identification and authentication of people, devices, and services:
Identity Management (IdM) implementation
Single/Multi-Factor Authentication (MFA)
Accountability
Session management
Registration, proofing, and establishment of identity
Federated Identity Management (FIM)
Credential management systems
Single Sign On (SSO)
Just-In-Time (JIT)
5.3 Federated identity with a third-party service:
On-premise
Cloud
Hybrid
5.4 Implement and manage authorization mechanisms:
Role Based Access Control (RBAC)
Rule based access control
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Attribute Based Access Control (ABAC)
Risk based access control
5.5 Manage the identity and access provisioning life cycle:
Account access review (for example, user, system, or service)
Provisioning and deprovisioning (for example, on/off boarding and transfers)
Role definition (for example, people assigned to new roles)
Privilege escalation (for example, managed service accounts, use of sudo, and minimizing its use)
5.6 Implement authentication systems:
OpenID Connect (OIDC)/Open Authorization (OAuth)
Security Assertion Markup Language (SAML)
Kerberos
Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+)
6.1 Design and validate assessment, test, and audit strategies:
Internal
External
Third-party
6.2 Conduct security control testing:
Vulnerability assessment
Penetration testing
Log reviews
Synthetic transactions
Code review and testing
Misuse case testing
Test coverage analysis
Interface testing
Breach attack simulations
Compliance checks
6.3 Collect security process data (for example, technical and administrative):
Account management
Management review and approval
Key performance and risk indicators
Backup verification data
Training and awareness
Disaster Recovery (DR) and Business Continuity (BC)
6.4 Analyze test output and generate reports:
Remediation
Exception handling
Ethical disclosure
6.5 Conduct or facilitate security audits:
Internal
External
Third-party
7.1 Understand and comply with investigations:
Evidence collection and handling
Reporting and documentation
Investigative techniques
Digital forensics tools, tactics, and procedures
Artifacts (for example, a computer, network, or mobile device)
7.2 Conduct logging and monitoring activities:
Intrusion detection and prevention
Security Information and Event Management (SIEM)
Continuous monitoring
Egress monitoring
Log management
Threat intelligence (for example, threat feeds or threat hunting)
User and Entity Behavior Analytics (UEBA)
7.3 Perform Configuration Management (CM) (for example, provisioning, baselining, or automation)
7.4 Apply foundational security operations concepts:
Need-to-know/least privilege
Separation of Duties (SoD) and responsibilities
Privileged account management
Job rotation
Service Level Agreements (SLAs)
7.5 Apply resource protection:
Media management
Media protection techniques
7.6 Conduct incident management:
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons learned
7.7 Operate and maintain detective and preventative measures:
Firewalls (for example, next generation, web application, or network)
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Whitelisting/blacklisting
Third-party provided security services
Sandboxing
Honeypots/honeynets
Anti-malware
Machine learning and Artificial Intelligence (AI) based tools
7.8 Implement and support patch and vulnerability management
7.9 Understand and participate in change management processes
7.10 Implement recovery strategies:
Backup storage strategies
Recovery site strategies
Multiple processing sites
System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance
7.11 Implement Disaster Recovery (DR) processes:
Response
Personnel
Communications
Assessment
Restoration
Training and awareness
Lessons learned
7.12 Test Disaster Recovery Plans (DRP):
Read-through/tabletop
Walkthrough
Simulation
Parallel
Full interruption
7.13 Participate in Business Continuity (BC) planning and exercises
7.14 Implement and manage physical security:
Perimeter security controls
Internal security controls
7.15 Address personnel safety and security concerns:
Travel
Security training and awareness
Emergency management
Duress
8.1 Understand and integrate security in the Software Development Life Cycle (SDLC):
Development methodologies (for example, Agile, Waterfall, DevOps, or DevSecOps)
Maturity models (for example, the Capability Maturity Model (CMM) or the Software Assurance Maturity Model (SAMM))
Operation and maintenance
Change management
Integrated Product Team (IPT)
8.2 Identify and apply security controls in software development ecosystems:
Programming languages
Libraries
Tool sets
Integrated Development Environment (IDE)
Runtime
Continuous Integration and Continuous Delivery (CI/CD)
Security Orchestration, Automation, and Response (SOAR)
Software Configuration Management (SCM)
Code repositories
Application security testing (for example, Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST))
8.3 Assess the effectiveness of software security:
Auditing and logging of changes
Risk analysis and mitigation
8.4 Assess security impact of acquired software:
Commercial-off-the-shelf (COTS)
Open source
Third-party
Managed services (for example, Software as a Service (SaaS), Infrastructure as a Service (IaaS), or Platform as a Service (PaaS))
8.5 Define and apply secure coding guidelines and standards:
Security weaknesses and vulnerabilities at the source-code level
Security of Application Programming Interfaces (APIs)
Secure coding practices
Software-defined security
To best prepare for taking the CISSP exam, it is recommended you attempt practice exam 1 first, at the end of the book. Take 2 hours to complete the exam. Make sure to grade yourself.
Use the domain guide at the end of the exam, and determine which domains you need the most help with. Study further by reviewing the Learn more links that are provided with some of the questions to brush up on domains you are weak on.
This book has 100 practice questions for each domain, so review those practice questions to become stronger in those domains, and become better at test taking. For example, make sure to not spend more than 1 to 2 minutes per question so that when taking the real exam, you will not run out of time.
The real exam has up to 150 questions, with 3 hours to complete it, but if you demonstrate the required information security skills earlier, the exam may end at question 100, 120, or even 137. The exam ends once you demonstrate the required knowledge and experience.
Also, when taking the practice questions, try not to go back and change answers, because the real exam does not allow candidates to go back and correct wrong answers. Once a question is answered, you will never see that question again because you cannot go back. What if you realize you got an answer wrong a few questions later? It stays wrong. You are not allowed to go back and change answers.
To best prepare for the CISSP exam, study the practice questions in this book, and complete the full practice exams at the end of the book:
The CISSP exam has a 5-year experience requirement, and if you have been working in information systems for at least 10 years, it should be straightforward to satisfy the work experience requirement.
Once you earn the CISSP, you can retain it with CPE credit, or you can take the exam again in 3 years.
Good luck on the exam, and please let us know how well you did on Twitter or YouTube: @JordanTeamLearn.