The Official (ISC)2 CISSP CBK Reference - Arthur J. Deane - E-Book

The Official (ISC)2 CISSP CBK Reference E-Book

Arthur J. Deane

Description

The only official, comprehensive reference guide to the CISSP.

Thoroughly updated for 2021 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)² for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)², the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024. This CBK covers the current eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Revised and updated by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:

* Common and good practices for each objective
* Common vocabulary and definitions
* References to widely accepted computing standards
* Highlights of successful approaches through case studies

Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.


Page count: 1265

Publication year: 2021


Table of Contents

Cover

Title Page

Copyright

Lead Authors

Technical Reviewer

Foreword

Introduction

DOMAIN 1: Security and Risk Management

UNDERSTAND, ADHERE TO, AND PROMOTE PROFESSIONAL ETHICS

UNDERSTAND AND APPLY SECURITY CONCEPTS

EVALUATE AND APPLY SECURITY GOVERNANCE PRINCIPLES

DETERMINE COMPLIANCE AND OTHER REQUIREMENTS

UNDERSTAND LEGAL AND REGULATORY ISSUES THAT PERTAIN TO INFORMATION SECURITY IN A HOLISTIC CONTEXT

UNDERSTAND REQUIREMENTS FOR INVESTIGATION TYPES

DEVELOP, DOCUMENT, AND IMPLEMENT SECURITY POLICY, STANDARDS, PROCEDURES, AND GUIDELINES

IDENTIFY, ANALYZE, AND PRIORITIZE BUSINESS CONTINUITY REQUIREMENTS

CONTRIBUTE TO AND ENFORCE PERSONNEL SECURITY POLICIES AND PROCEDURES

UNDERSTAND AND APPLY RISK MANAGEMENT CONCEPTS

UNDERSTAND AND APPLY THREAT MODELING CONCEPTS AND METHODOLOGIES

APPLY SUPPLY CHAIN RISK MANAGEMENT CONCEPTS

ESTABLISH AND MAINTAIN A SECURITY AWARENESS, EDUCATION, AND TRAINING PROGRAM

SUMMARY

DOMAIN 2: Asset Security

IDENTIFY AND CLASSIFY INFORMATION AND ASSETS

ESTABLISH INFORMATION AND ASSET HANDLING REQUIREMENTS

PROVISION RESOURCES SECURELY

MANAGE DATA LIFECYCLE

ENSURE APPROPRIATE ASSET RETENTION

DETERMINE DATA SECURITY CONTROLS AND COMPLIANCE REQUIREMENTS

SUMMARY

DOMAIN 3: Security Architecture and Engineering

RESEARCH, IMPLEMENT, AND MANAGE ENGINEERING PROCESSES USING SECURE DESIGN PRINCIPLES

UNDERSTAND THE FUNDAMENTAL CONCEPTS OF SECURITY MODELS

SELECT CONTROLS BASED UPON SYSTEMS SECURITY REQUIREMENTS

UNDERSTAND SECURITY CAPABILITIES OF INFORMATION SYSTEMS

ASSESS AND MITIGATE THE VULNERABILITIES OF SECURITY ARCHITECTURES, DESIGNS, AND SOLUTION ELEMENTS

SELECT AND DETERMINE CRYPTOGRAPHIC SOLUTIONS

UNDERSTAND METHODS OF CRYPTANALYTIC ATTACKS

APPLY SECURITY PRINCIPLES TO SITE AND FACILITY DESIGN

DESIGN SITE AND FACILITY SECURITY CONTROLS

SUMMARY

DOMAIN 4: Communication and Network Security

ASSESS AND IMPLEMENT SECURE DESIGN PRINCIPLES IN NETWORK ARCHITECTURES

SECURE NETWORK COMPONENTS

IMPLEMENT SECURE COMMUNICATION CHANNELS ACCORDING TO DESIGN

SUMMARY

DOMAIN 5: Identity and Access Management

CONTROL PHYSICAL AND LOGICAL ACCESS TO ASSETS

MANAGE IDENTIFICATION AND AUTHENTICATION OF PEOPLE, DEVICES, AND SERVICES

FEDERATED IDENTITY WITH A THIRD-PARTY SERVICE

IMPLEMENT AND MANAGE AUTHORIZATION MECHANISMS

MANAGE THE IDENTITY AND ACCESS PROVISIONING LIFECYCLE

IMPLEMENT AUTHENTICATION SYSTEMS

SUMMARY

DOMAIN 6: Security Assessment and Testing

DESIGN AND VALIDATE ASSESSMENT, TEST, AND AUDIT STRATEGIES

CONDUCT SECURITY CONTROL TESTING

COLLECT SECURITY PROCESS DATA

ANALYZE TEST OUTPUT AND GENERATE REPORT

CONDUCT OR FACILITATE SECURITY AUDITS

SUMMARY

DOMAIN 7: Security Operations

UNDERSTAND AND COMPLY WITH INVESTIGATIONS

CONDUCT LOGGING AND MONITORING ACTIVITIES

PERFORM CONFIGURATION MANAGEMENT

APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS

APPLY RESOURCE PROTECTION

CONDUCT INCIDENT MANAGEMENT

OPERATE AND MAINTAIN DETECTIVE AND PREVENTATIVE MEASURES

IMPLEMENT AND SUPPORT PATCH AND VULNERABILITY MANAGEMENT

UNDERSTAND AND PARTICIPATE IN CHANGE MANAGEMENT PROCESSES

IMPLEMENT RECOVERY STRATEGIES

IMPLEMENT DISASTER RECOVERY PROCESSES

TEST DISASTER RECOVERY PLANS

PARTICIPATE IN BUSINESS CONTINUITY PLANNING AND EXERCISES

IMPLEMENT AND MANAGE PHYSICAL SECURITY

ADDRESS PERSONNEL SAFETY AND SECURITY CONCERNS

SUMMARY

DOMAIN 8: Software Development Security

UNDERSTAND AND INTEGRATE SECURITY IN THE SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)

IDENTIFY AND APPLY SECURITY CONTROLS IN SOFTWARE DEVELOPMENT ECOSYSTEMS

ASSESS THE EFFECTIVENESS OF SOFTWARE SECURITY

ASSESS SECURITY IMPACT OF ACQUIRED SOFTWARE

DEFINE AND APPLY SECURE CODING GUIDELINES AND STANDARDS

SUMMARY

Index

End User License Agreement

List of Tables

Chapter 2

TABLE 2.1 Examples of Asset Classifications

Chapter 3

TABLE 3.1 An Example Access Matrix

TABLE 3.2 Cloud Service Models

TABLE 3.3 Cryptographic Approaches

TABLE 3.4 Overview of Block Ciphers

TABLE 3.5 General Data Center Redundancy Tier Levels

Chapter 4

TABLE 4.1 IPv4 Network Classes

TABLE 4.2 802.11 Standard Amendments

TABLE 4.3 Basic Overview of Cellular Wireless Technologies

TABLE 4.4 Important Characteristics for Common Network Cabling Types

List of Illustrations

Chapter 1

FIGURE 1.1 CIA Triad

FIGURE 1.2 NIST Cybersecurity Framework

FIGURE 1.3 Relationship between policies, procedures, standards, and guideli...

FIGURE 1.4 Relationship between MTD, RTO, and RPO

FIGURE 1.5 Relationship between threats, vulnerabilities, assets, and risks...

FIGURE 1.6 Steps for assessing risk

FIGURE 1.7 ISO 31000:2018

FIGURE 1.8 NIST Risk Management Framework

Chapter 2

FIGURE 2.1 General benefits of asset classification

FIGURE 2.2 Data de-identification via anonymization

FIGURE 2.3 Data de-identification via masking

FIGURE 2.4 Typical asset management lifecycle

FIGURE 2.5 Secure data lifecycle

FIGURE 2.6 Relationship between data processor and data controller

FIGURE 2.7 Data states and examples

FIGURE 2.8 Tailoring process

Chapter 3

FIGURE 3.1 N-tier architecture

FIGURE 3.2 Finite state model

FIGURE 3.3 Simple Security Property and Star Property rules

FIGURE 3.4 Simple Integrity Property and Star Integrity Property rules

FIGURE 3.5 Brewer–Nash security model

FIGURE 3.6 Plan-Do-Check-Act cycle

FIGURE 3.7 Operating system memory protection

FIGURE 3.8 Trusted Platform Module processes

FIGURE 3.9 The cloud shared responsibility model for IaaS, PaaS, and SaaS

FIGURE 3.10 Components of the Mirai DDoS BotNet attack

FIGURE 3.11 Monoliths and microservices

FIGURE 3.12 An operating system efficiently allocates hardware resources bet...

FIGURE 3.13 Type 1 and Type 2 hypervisors

FIGURE 3.14 ECB, CBC and CFB block encryption implementations

FIGURE 3.15 Stream cipher encryption algorithm

FIGURE 3.16 Block cipher encryption algorithm

FIGURE 3.17 Multiple rounds of mathematical functions in block ciphers

FIGURE 3.18 Block cipher with substitution of S-boxes

FIGURE 3.19 Block cipher with permutation of P-boxes

FIGURE 3.20 Adding padding at the end of a message in a block cipher

FIGURE 3.21 ECB padding produces serious weaknesses for longer messages

FIGURE 3.22 CBC mode encryption

FIGURE 3.23 CFB mode encryption

FIGURE 3.24 CTR mode encryption

FIGURE 3.25 Elliptic curve

FIGURE 3.26 A certificate chain protects a CA's root private key

FIGURE 3.27 Producing and verifying a digital signature

FIGURE 3.28 Steps for using a cryptographic hash to detect tampering of a me...

FIGURE 3.29 HMAC process

Chapter 4

FIGURE 4.1 The OSI reference model

FIGURE 4.2 TCP three-way handshake

FIGURE 4.3 The TCP/IP reference model

FIGURE 4.4 Comparison of the OSI and TCP/IP models

FIGURE 4.5 NAT implemented on a perimeter firewall

FIGURE 4.6 Man-in-the-middle attack

FIGURE 4.7 Virtual local area network

FIGURE 4.8 Multiple firewall deployment architecture

FIGURE 4.9 Ring topology

FIGURE 4.10 Linear bus and tree bus topologies

FIGURE 4.11 Star topology

FIGURE 4.12 Mesh topology

FIGURE 4.13 Common areas of increased risk in remote access

Chapter 5

FIGURE 5.1 The access management lifecycle

Chapter 6

FIGURE 6.1 Pen test phases

Chapter 7

FIGURE 7.1 Security perimeters

Chapter 8

FIGURE 8.1 The Waterfall model

FIGURE 8.2 Scrum process flow

FIGURE 8.3 SAMM domains and practices

CISSP: Certified Information Systems Security Professional

The Official (ISC)2® CISSP® CBK® Reference

Sixth Edition

ARTHUR DEANE

AARON KRAUS

Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

ISBN: 978-1-119-78999-4
ISBN: 978-1-119-79001-3 (ebk.)
ISBN: 978-1-119-79000-6 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2021942306

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2, CISSP, and CBK are registered certification marks or trademarks of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover Design: Wiley and (ISC)2

Lead Authors

ARTHUR DEANE, CISSP, CCSP, is a senior director at Capital One Financial, where he leads information security activities in the Card division. Prior to Capital One, Arthur held security leadership roles at Google, Amazon, and PwC, in addition to several security engineering and consulting roles with the U.S. federal government.

Arthur is an adjunct professor at American University and a member of the Computer Science Advisory Board at Howard University. He holds a bachelor's degree in electrical engineering from Rochester Institute of Technology (RIT) and a master's degree in information security from the University of Maryland. Arthur is also the author of CCSP for Dummies.

AARON KRAUS, CISSP, CCSP, is an information security professional with more than 15 years of experience in security risk management, auditing, and teaching cybersecurity topics. He has worked in security and compliance leadership roles across industries including U.S. federal government civilian agencies, financial services, insurance, and technology startups.

Aaron is a course author, instructor, and cybersecurity curriculum dean at Learning Tree International, and he most recently taught the Official (ISC)2 CISSP CBK Review Seminar. He is a co-author of The Official (ISC)2 Guide to the CCSP CBK, 3rd Edition, and served as technical editor for numerous Wiley publications including (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition; CCSP Official (ISC)2 Practice Tests; The Official (ISC)2 Guide to the CISSP CBK Reference, 5th Edition; and (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests, 2nd Edition.

Technical Reviewer

MICHAEL S. WILLS, CAMS, CISSP, SSCP, is assistant professor of applied and innovative information technologies at the College of Business at Embry-Riddle Aeronautical University – Worldwide, where he continues his graduate and undergraduate teaching and research in cybersecurity and information assurance.

Mike has also been an advisor on science and technology policy to the UK's Joint Intelligence Committee, Ministry of Justice, and Defense Science and Technology Laboratories, helping them to evolve an operational and policy consensus on topics ranging from cryptography and virtual worlds, through the burgeoning surveillance society, to the proliferation of weapons of mass disruption (not just “destruction”) and their effects on global, regional, national, and personal security. For a time, this had him sometimes known as the UK's nonresident expert on outer space law.

Mike has been supporting the work of (ISC)2 by writing, editing, and updating books, study guides, and course materials for both their SSCP and CISSP programs. He wrote the SSCP Official Study Guide, 2nd Edition (Sybex, 2019), followed quickly by the SSCP Official Common Book of Knowledge, 5th Edition. He was lead author for the 2021 update of (ISC)2's official CISSP and SSCP training materials. Mike has also contributed to several industry roundtables and white papers on digital identity and cyber fraud detection and prevention and has been a panelist and webinar presenter on these and related topics for ACAMS.

Foreword

EARNING THE GLOBALLY RECOGNIZED CISSP® security certification is a proven way to build your career and demonstrate deep knowledge of cybersecurity concepts across a broad range of domains. Whether you are picking up this book to supplement your preparation to sit for the exam or are an existing CISSP using it as a desk reference, you'll find The Official (ISC)2® CISSP® CBK® Reference to be the perfect primer on the security concepts covered in the eight domains of the CISSP CBK.

The CISSP is the most globally recognized certification in the information security market. It immediately signifies that the holder has the advanced cybersecurity skills and knowledge to design, engineer, implement, and manage information security programs and teams that protect against increasingly sophisticated attacks. It also conveys an adherence to best practices, policies, and procedures established by (ISC)2 cybersecurity experts.

The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As a CISSP with all the benefits of (ISC)2 membership, you are part of a global network of more than 161,000 certified professionals who are working to inspire a safe and secure cyber world.

Drawing from a comprehensive, up-to-date global body of knowledge, the CISSP CBK provides you with valuable insights on the skills, techniques, and best practices a security professional should be familiar with, including how different elements of the information technology ecosystem interact.

If you are an experienced CISSP, you will find this edition of the CISSP CBK an indispensable reference. If you are still gaining the experience and knowledge you need to join the ranks of CISSPs, the CISSP CBK is a deep dive that can be used to supplement your studies.

As the largest nonprofit membership body of certified information security professionals worldwide, (ISC)2 recognizes the need to identify and validate not only information security competency, but also the ability to build, manage, and lead a security organization. Written by a team of subject matter experts, this comprehensive compendium covers all CISSP objectives and subobjectives in a structured format with common practices for each objective, a common lexicon and references to widely accepted computing standards and case studies.

The opportunity has never been greater for dedicated professionals to advance their careers and inspire a safe and secure cyber world. The CISSP CBK will be your constant companion in protecting your organization and will serve you for years to come.

Sincerely,

Clar Rosso

CEO, (ISC)2

Introduction

THE CERTIFIED INFORMATION SYSTEMS Security Professional (CISSP) certification identifies a professional who has demonstrated skills, knowledge, and abilities across a wide array of security practices and principles. The exam covers eight domains of practice, which are codified in the CISSP Common Body of Knowledge (CBK). The CBK presents topics that a CISSP can use in their daily role to identify and manage security risks to data and information systems and is built on a foundation comprising fundamental security concepts of confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA), as well as privacy and security (CIANA+PS). A variety of controls can be implemented for both data and systems, with the goal of either safeguarding or mitigating security risks to each of these foundational principles.

Global professionals take many paths into information security, and each candidate's experience must be combined with variations in practice and perspective across industries and regions due to the global reach of the certification. For most security practitioners, achieving CISSP requires study and learning new disciplines, and professionals are unlikely to work across all eight domains on a daily basis. The CISSP CBK is a baseline standard of security knowledge to help security practitioners deal with new and evolving risks, and this guide provides easy reference to aid practitioners in applying security topics and principles. This baseline must be connected with the reader's own experience and the unique operating environment of the reader's organization to be effective. The rapid pace of change in security also demands that practitioners continuously maintain their knowledge, so CISSP credential holders are also expected to maintain their knowledge via continuing education. Reference materials like this guide, along with other content sources such as industry conferences, webinars, and research are vital to maintaining this knowledge.

The domains presented in the CBK are progressive, starting with a foundation of basic security and risk management concepts in Chapter 1, “Security and Risk Management,” as well as fundamental topics of identifying, valuing, and applying proper risk mitigations for asset security in Chapter 2, “Asset Security.” Applying security to complex technology environments can be achieved by applying architecture and engineering concepts, which are presented in Chapter 3, “Security Architecture and Engineering.” Chapter 4, “Communication and Network Security,” details both the critical risks to as well as the critical defensive role played by communications networks, and Chapter 5, “Identity and Access Management,” covers the crucial practices of identifying users (both human and nonhuman) and controlling their access to systems, data, and other resources. Once a security program is designed, it is vital to gather information about and assess its effectiveness, which is covered in Chapter 6, “Security Assessment and Testing,” and keep the entire affair running — also known as security operations or SecOps, which is covered in Chapter 7, “Security Operations.” Finally, the vital role played by software is addressed in Chapter 8, “Software Development Security,” which covers both principles of securely developing software as well as risks and threats to software and development environments. The following presents overviews for each of these chapters in a little more detail.

Security and Risk Management

The foundation of the CISSP CBK is the assessment and management of risk to data and the information systems that process it. The Security and Risk Management domain introduces the foundational CIANA+PS concepts needed to build a risk management program. Using these concepts, a security practitioner can build a program for governance, risk, and compliance (GRC), which allows the organization to design a system of governance needed to implement security controls. These controls should address the risks faced by the organization as well as any necessary legal and regulatory compliance obligations.

Risk management principles must be applied throughout an organization's operations, so topics of business continuity (BC), personnel security, and supply chain risk management are also introduced in this domain. Ensuring that operations can continue in the event of a disruption supports the goal of availability, while properly designed personnel security controls require training programs and well-documented policies and other security guidance.

One critical concept is presented in this domain: the (ISC)2 code of professional ethics. All CISSP candidates must agree to be bound by the code as part of the certification process, and credential holders face penalties up to and including loss of their credentials for violating the code. Regardless of what area of security a practitioner is working in, the need to preserve the integrity of the profession by adhering to a code of ethics is critical to fostering trust in the security profession.

Asset Security

Assets are anything that an organization uses to generate value, including ideas, processes, information, and computing hardware. Classifying and categorizing assets allows organizations to prioritize limited security resources to achieve a proper balance of costs and benefits, and this domain introduces important concepts of asset valuation, classification and categorization, and asset handling to apply appropriate protection based on an asset's value. The value of an asset dictates the level of protection it requires, which is often expressed as a security baseline or compliance obligation that the asset owner must meet.

CISSP credential holders will spend a large amount of their time focused on data and information security concerns. The data lifecycle is introduced in this domain to provide distinct phases for determining data security requirements. Protection begins by defining roles and processes for handling data, and once the data is created, these processes must be followed. This includes managing data throughout creation, use, archival, and eventual destruction when no longer needed, and it focuses on data in three main states: in use, in transit, and at rest.

Handling sensitive data for many organizations will involve legal or regulatory obligations to protect specific data types, such as personally identifiable information (PII) or transactional data related to payment cards. Payment card data is regulated by the Payment Card Industry (PCI) Council, and PII often requires protections to comply with regional or local laws like the European Union General Data Protection Regulation (EU GDPR). Both compliance frameworks dictate specific protection obligations an organization must meet when collecting, handling, and using the regulated data.

Security Architecture and Engineering

The Security Architecture and Engineering domain covers topics relevant to implementing and managing security controls across a variety of systems. Secure design principles are introduced that are used to build a security program, such as secure defaults, zero trust, and privacy by design. Common security models are also covered in this domain, which provide an abstract way of viewing a system or environment and allow for identification of security requirements related to the CIANA+PS principles. Specific system types are discussed in detail to highlight the application of security controls in a variety of architectures, including client- and server-based systems, industrial control systems (ICSs), Internet of Things (IoT), and emerging system types like microservices and containerized applications.

This domain presents the foundational details of cryptography and introduces topics covering basic definitions of encryption, hashing, and various cryptographic methods, as well as attacks against cryptography known as cryptanalysis. Applications of cryptography are integrated throughout all domains where relevant, such as the use of encryption in secure network protocols, which is covered in Chapter 4. Physical architecture security — including fire suppression and detection, secure facility design, and environmental control — is also introduced in this domain.

Communication and Network Security

One major value of modern information systems lies in their ability to share and exchange data, so fundamentals of networking are presented in the Communication and Network Security domain along with details of implementing adequate security protections for these communications. This domain introduces common models used for network services, including the Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models. These layered abstractions provide a method for identifying specific security risks and control capabilities to safeguard data, and the domain presents fundamentals, risks, and countermeasures available at each level of the OSI and TCP/IP models.

Properly securing networks and communications requires strategic planning to ensure proper architectural choices are made and implemented. Concepts of secure network design — such as planning and segmentation, availability of hardware, and network access control (NAC) — are introduced in this domain. Common network types and their specific security risks are introduced as well, including software-defined networks (SDNs), voice networks, and remote access and collaboration technologies.

Identity and Access Management

Controlling access to assets is one of the fundamental goals of security and offers the ability to safeguard all five CIANA+PS security concepts. Properly identifying users and authenticating the access they request can preserve confidentiality and authenticity of information, while properly implemented controls reduce the risk of lost or corrupted data, thereby preserving availability and integrity. Logging the actions taken by identified users or accounts supports nonrepudiation by verifiably demonstrating which user or process took a particular action.

The Identity and Access Management (IAM) domain introduces important concepts related to identifying subjects and controlling their access to objects. Subjects can be users, processes, or other systems, and objects are typically systems or data that a subject is trying to access. IAM requirements are presented through four fundamental aspects, including identification, authentication, authorization, and accountability (IAAA). The domain also presents important concepts for managing identities and access, including federation and the use of third-party identity service providers.

Security Assessment and Testing

It is necessary to evaluate the effectiveness of security controls to determine if they are providing sufficient risk mitigation. Assessment, testing, and auditing are methods presented in this domain that allow a security practitioner to identify deficiencies in the security program and prioritize remedial activities.

Assessment and testing can be performed as an internal or external function; while both are appropriate for monitoring security program status, there are situations that require external evaluations. For instance, third-party audits are common in situations where an assessment must be conducted that is free of any conflict of interest. External audit reports, such as the Service Organization Control or SOC 2, can be useful for organizations to communicate details of their security practices to external parties like vendors or business partners. In this case, the auditor's independence from the audited organization provides additional assurance to consumers of the report.

Ethical penetration testing and related technical testing topics are presented in this domain, including test coverage and breach attack simulations. These types of tests can be conducted against a range of targets from individual information systems to entire organizations and are a valuable tool to identify deficiencies in security controls. The disclosure and handling of any findings from such testing is also discussed, including legal and ethical implications of information that might be discovered.

An ongoing assessment and testing program is also useful for establishing continuous monitoring and supporting compliance needs. Properly designed and implemented strategies for testing security controls, vulnerabilities, and attack simulations measure the effectiveness of the organization's existing control program. Any identified deficiencies must be addressed to ensure adequate risk management.

Security Operations

Security Operations (SecOps) is a companion to the other domains in the CBK, and this chapter deals with implementing, operating, and maintaining infrastructure needed to enable the organization's security program. Security practitioners must first perform a risk assessment and then design and operate security controls spanning technology, people, and process to mitigate those risks. SecOps is a key integration point between security teams and other parts of the organization such as Human Resources (HR) for key tasks like designing job rotations or segregation of duties, or a network engineering team that is responsible for implementing and maintaining firewalls and intrusion detection systems (IDSs).

Logical security aspects of SecOps include running and maintaining a security operations center (SOC), which is becoming an increasingly crucial part of a security program. The SOC centralizes information like threat intelligence, incident response, and security alerts, permitting information sharing, more efficient response, and oversight for the security program and functions. Planning for and exercising crucial business plans like business continuity and disaster recovery (BCDR) are also an important element of SecOps.

SecOps also encompasses important physical security concepts like facility design and environmental controls, which are often completely new concepts for security practitioners who have experience in cybersecurity or information technology (IT). However, the physical security of information systems and the data they contain is an important element of maintaining all aspects of security. In some cases, physical limitations like existing or shared buildings are drivers for additional logical controls to compensate for potential unauthorized physical access.

Software Development Security

Information systems rely on software, so proper security is essential for the tools and processes used to develop software. This includes both custom-built software as well as purchased system components that are integrated into information systems. Cloud computing is changing the paradigm of software development, so this domain also includes security requirements for computing resources that are consumed as a service like software as a service (SaaS), platform as a service (PaaS), and emerging architectures like containerization and microservices.

Software can be both a target for attackers and the attack vector. The increasingly complex software environment makes use of open-source software, prebuilt modules and libraries, and distributed applications to provide greater speed for developers and functionality for users. These business advantages, however, introduce risks like the potential for untrustworthy third-party code to be included in an application or attackers targeting remote access features.

Adequate security in the software development lifecycle (SDLC) requires a combined approach addressing people, process, and technology. This domain revisits the critical personnel security concept of training, with a specific focus on developer security training. Well-documented software development methodologies, guidelines, and procedures are essential process controls covered in the domain. Technology controls encompassing both the software development environment and software security testing are presented, as well as testing approaches for application security (AppSec) including static and dynamic testing.

DOMAIN 1 Security and Risk Management

DOMAIN 1 OF THE CISSP Common Body of Knowledge (CBK) covers the foundational topics of building and managing a risk-based information security program. This domain covers a wide variety of concepts upon which the remainder of the CBK builds.

Before diving into the heart of security and risk management concepts, this chapter begins with coverage of professional ethics and how they apply in the field of information security. Understanding your responsibilities as a security professional is equally as important as knowing how to apply the security concepts. We then move on to topics related to understanding your organization's mission, strategy, goals, and business objectives, and evaluating how to properly satisfy your organization's business needs securely.

Understanding risk management, and how its concepts apply to information security, is one of the most important things you should take away from this chapter. We describe risk management concepts and explain how to apply them within your organization's security program. In addition, understanding relevant legal, regulatory, and compliance requirements is a critical component of every information security program. Domain 1 includes coverage of concepts such as cybercrimes and data breaches, import/export controls, and requirements for conducting various types of investigations.

This chapter introduces the human element of security and includes coverage of methods for educating your organization's employees on key security concepts. We cover the structure of a security awareness program and discuss how to evaluate the effectiveness of your education and training methods.

UNDERSTAND, ADHERE TO, AND PROMOTE PROFESSIONAL ETHICS

Understanding and following a strict code of ethics should be a top priority for any security professional. As a CISSP (or any information security professional who is certified by (ISC)2), you are required to understand and fully commit to supporting the (ISC)2 Code of Ethics. Any (ISC)2 member who knowingly violates the (ISC)2 Code of Ethics will be subject to peer review and potential penalties, which may include revocation of the member's (ISC)2 certification(s).

(ISC)2 Code of Professional Ethics

The (ISC)2 Code of Ethics Preamble is as follows:

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

Therefore, strict adherence to this Code of Ethics is a condition of certification.

In short, the Code of Ethics Preamble states that every CISSP-certified member must not only follow the Code of Ethics but must also be visibly seen to follow it. Even the perception of impropriety or ethical deviation may bring into question a member's standing. As such, CISSP-certified members must serve as visible ethical leaders within their organizations and industry, at all times.

The (ISC)2 Code of Ethics includes four canons that are intended to serve as high-level guidelines to augment, not replace, members' professional judgment. The (ISC)2 Code of Ethics Canons are as follows:

Canon I:

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Canon II:

Act honorably, honestly, justly, responsibly, and legally.

Canon III:

Provide diligent and competent service to principals.

Canon IV:

Advance and protect the profession.

Adhering to and promoting the (ISC)2 Code of Ethics not only includes being mindful of your own professional behaviors, but also being aware of your peers' behaviors. (ISC)2 requires that any member who observes another member breaching the Code of Ethics follow the published ethics complaint procedure. Failure to do so may be considered a breach of Canon IV. Additional information on the (ISC)2 Code of Ethics and the ethics complaint procedures can be found at www.isc2.org/Ethics.

Organizational Code of Ethics

In addition to the (ISC)2 Code of Ethics, as an information security professional, you must be aware of any code of ethics that you are required to uphold by your employer or industry. Similar to the (ISC)2 Code of Ethics, these other organizational codes of ethics should not be considered replacements for sound judgment and moral behavior. As a CISSP, you are a leader within your organization. As such, you should lead by example in adhering to your organization's Code of Ethics.

Ethics and the Internet

In January 1989, right around the dawn of the internet, the Internet Activities Board (IAB) released a memo titled “Ethics and the Internet” (RFC 1087) as a statement of policy concerning ethical use of the internet. Although the memo is ancient by technology standards, the principles within it are still relevant today; as a CISSP, you should understand and adhere to these principles.

RFC 1087 characterizes as unethical and unacceptable any activity that purposely

“seeks to gain unauthorized access to the resources of the Internet”

“disrupts the intended use of the Internet”

“wastes resources (people, capacity, computer) through such actions”

“destroys the integrity of computer-based information”

“compromises the privacy of users”

Interestingly enough, this memo that debuted in the very early days of the internet — even before there was structured thought around information security — aligns directly with the CIA Triad and privacy principles that guide information security professionals in the 21st century.

UNDERSTAND AND APPLY SECURITY CONCEPTS

Information security refers to the processes and methodologies involved in safeguarding information and underlying systems from inappropriate access, use, modification, or disturbance. This is most often described by three critical security concepts: confidentiality, integrity, and availability. Together, these three principles form the pillars of information security known as the CIA Triad (see Figure 1.1).

FIGURE 1.1 CIA Triad

Although different types of systems and data may prioritize one principle over the others, all three security concepts work together and depend on each other to successfully maintain information security. Confidentiality, integrity, and availability are the most critical characteristics that information security provides, and understanding each of these principles is a basic requirement for all information security professionals. As such, a common understanding of the meaning of each of the elements in the CIA Triad allows security professionals to communicate effectively.

Confidentiality

The first principle of the CIA Triad is confidentiality. Confidentiality is the concept of limiting access to data to authorized users and systems and restricting access from unauthorized parties. In other words, confidentiality guarantees that only intended people are able to access information and resources. In short, the goal of confidentiality is to prevent unauthorized access to data, as it pertains to viewing, copying, or moving the data. Organizations that fail to protect data confidentiality run the risk of violating contractual and regulatory obligations around data protection. In addition, companies with known breaches of confidentiality commonly experience reputational damage that benefits their competitors and potentially impacts their bottom line.

The concept of confidentiality is closely related to the security best practice of least privilege, which asserts that access to information should be granted only on a need-to-know basis. Under least privilege, users are only given enough access to do their jobs — no more and no less.

Privacy is a field that is closely related to security and is focused on the confidentiality of personal data specifically. Information that can be used to uniquely identify a person, such as names, birthdates, and Social Security numbers, is considered personally identifiable information (PII), which is usually required by law to be kept highly confidential. Privacy requirements are introduced later in this chapter, in the section “Determine Compliance and Other Requirements.”

Numerous malicious acts target data confidentiality, including phishing and other forms of social engineering, credential (e.g., password) theft, network sniffing, and others. In addition to malicious acts, confidentiality may be compromised by human error, oversight, or mere negligence. Such examples include failure to encrypt sensitive data, misrouted emails, or displaying sensitive information on your computer monitor while unauthorized viewers are in the vicinity.

Confidentiality is often the security concept that data owners care about the most, and there are many security controls available to assist with this. Encryption, multifactor authentication, and role-based access controls are a few measures that can help ensure data confidentiality. Extensive personnel training is a hugely important measure for reducing risk associated with human error and negligence. We address data confidentiality and discuss relevant controls throughout the remainder of this book.

Integrity

The second principle of the CIA Triad is integrity. Integrity is the concept of maintaining the accuracy, validity, and completeness of data and systems. It ensures that data is not manipulated by anyone other than an authorized party with an authorized purpose, and that any unauthorized manipulation is easily identifiable as such. The primary goal of integrity is to ensure that all data remains intact, correct, and reliable. Failure to properly protect data integrity can have a negative impact on business processes, including leading to personnel making improper decisions or potentially harmful actions, due to having incorrect information.

As with confidentiality, integrity may be compromised by malicious acts, human error, oversight, or negligence. Viruses, compromise of poorly written code, and intentional modification are examples of malicious threats that may violate integrity, and we discuss others throughout this book. In addition, integrity violations can occur when an administrator enters the wrong command in a database, when an administrator alters the wrong line in a configuration file, or when a user accidentally introduces malware into their system through a phishing email.

Data backups, software version control, strict access control, and cryptographic hashes are some measures that help ensure data integrity by preventing unauthorized modifications or by allowing tampered data to be restored to a known-good state. Similar to confidentiality, extensive security awareness training is a major factor in preventing nonmalicious integrity violations.

Authenticity and nonrepudiation are two concepts that are closely related to integrity. Authenticity refers to ensuring that data is genuine and that all parties are who they say they are. Nonrepudiation is a legal principle that has a strong parallel in the information security world; this concept requires ensuring that no party is able to deny their actions (e.g., creating, modifying, or deleting data). Digital signatures are the most common mechanisms used to establish authenticity and nonrepudiation in information systems.
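The hash-based integrity check and the keyed authenticity check that the two paragraphs above describe, as an added example that is not part of the CBK text. It uses only the Python standard library; the configuration file, the extra "mallory" entry and the shared key are constructed sample data. Digital signatures, which the text names as the usual mechanism for nonrepudiation, are not in the standard library, so the block stops at an HMAC and records why that gives authenticity between two key holders but not nonrepudiation.

```python
"""Integrity and authenticity checks with a cryptographic hash and an HMAC.

Added example, not from the CBK text. Standard library only; all data below
is constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample: a configuration file captured in a known-good state.
KNOWN_GOOD_CONFIG = b"listen=443\ntls_min_version=1.2\nadmin_users=alice\n"


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of data. Record it while the data is known-good;
    any later change to the data, however small, changes the digest."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, baseline_hex: str) -> bool:
    """True when data still matches the recorded baseline digest.

    A bare hash detects accidental or malicious modification, but it says
    nothing about who produced the data: anyone can recompute a hash over
    altered data, so the baseline itself must be stored where the party
    that can edit the data cannot rewrite it."""
    return hmac.compare_digest(fingerprint(data), baseline_hex)


def authenticity_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over data. Only a holder of key can produce a valid tag,
    so a verified tag shows the data came from (or was approved by) a key
    holder and has not changed since."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic(data: bytes, key: bytes, tag_hex: str) -> bool:
    """Constant-time comparison avoids leaking how much of the tag matched."""
    return hmac.compare_digest(authenticity_tag(data, key), tag_hex)


def demo() -> dict:
    """Walk through the integrity and authenticity scenarios; returns outcomes."""
    baseline = fingerprint(KNOWN_GOOD_CONFIG)
    # An unauthorized edit: a second admin account appended to the file.
    tampered = KNOWN_GOOD_CONFIG.replace(
        b"admin_users=alice", b"admin_users=alice,mallory"
    )

    # Shared secret between, for example, a build server that publishes the
    # file and the host that verifies it before loading it. Constructed here.
    key = secrets.token_bytes(32)
    good_tag = authenticity_tag(KNOWN_GOOD_CONFIG, key)

    return {
        "baseline_matches_known_good": integrity_intact(KNOWN_GOOD_CONFIG, baseline),
        "tamper_detected_by_hash": not integrity_intact(tampered, baseline),
        # If the baseline digest lives next to the data and can be rewritten
        # together with it, the hash check passes over the tampered data.
        "hash_check_fooled_when_baseline_replaced": integrity_intact(
            tampered, fingerprint(tampered)
        ),
        "hmac_verifies_known_good": authentic(KNOWN_GOOD_CONFIG, key, good_tag),
        "hmac_rejects_tampered": not authentic(tampered, key, good_tag),
        # Without the key, a plain hash of the altered data is not a valid tag.
        "hmac_rejects_unkeyed_forgery": not authentic(
            tampered, key, fingerprint(tampered)
        ),
    }
    # Nonrepudiation caveat: both the publisher and the verifier hold `key`, so
    # either of them could have produced good_tag. An HMAC therefore cannot
    # prove to a third party which of the two created the data; that requires
    # a digital signature made with a private key only the signer holds.


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two failure modes the block exercises are the ones worth remembering from the text: a hash protects integrity only as long as the recorded baseline is itself protected (version control, read-only media or a signed manifest), and a shared-key MAC establishes authenticity between the key holders without giving the nonrepudiation that a digital signature provides.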

Availability

The third and final principle of the CIA Triad is availability. Availability is the concept focused on ensuring that authorized users can access data when they need it. In enterprise environments, the concept of availability entails providing assurance that legitimate parties have timely and uninterrupted access to the systems and data that they need to do their jobs. Threats against availability can interfere with or even halt an organization's business operations. An extended disruption of critical systems and data may lead to reputational damage that results in loss of customers and revenue.

Related concepts that should be considered alongside availability include the following:

Accessibility

refers to the ability and ease of a user to use a resource or access data when needed. This involves removing barriers for authorized users to access these resources and data. For example, consider a file that's stored on your company's internal network drive. As long as the file is intact and the network drive is up and running, that file can be considered available. However, if someone were to move that file to a protected folder on the shared drive, you may lack the required permissions to access that file — the data is still available but is no longer accessible.

Usability

refers to the ability of a user to meet their needs with available data. If you have ever needed to edit a Google doc (or any other file) and noticed that you have been granted only read-only permissions, then that file was absolutely available but lacked sufficient usability.

Timeliness

refers to the time expectation for availability of information and resources and is the measure of the time between when information is expected and when it is available for use. Ensuring timeliness requires that data is available to authorized users within an acceptable period of time. For cloud services and other situations that involve a third party managing data, timeliness is a key factor that must be agreed upon and documented in service level agreements (SLAs).

There are many threats to data and system availability, and they may be either malicious or nonmalicious, either man-made or naturally occurring. Malicious availability threats include denial-of-service (DoS) attacks, object deletion, and ransomware attacks. While malicious compromise of availability tends to get all the buzz, there are various nonmalicious threats that can interfere with resource and data availability. Some common examples include hardware failures, software errors, and environmental threats such as power outages, floods, excessive heat, and so forth. When planning your information security program, it's essential that you thoroughly consider both human-based and naturally occurring threats and develop mitigations that address all threat vectors.

Mechanisms such as data backups, redundant storage, backup power supply, and web application firewalls (WAFs) can help prevent disruption of system and information availability. For systems that have a requirement for high availability and continuous uptime, cloud computing offers added redundancy and extra assurance of availability.

Limitations of the CIA Triad

The CIA Triad evolved out of theoretical work done in the mid-1960s. Precisely because of its simplicity, the rise of distributed systems and a vast number of new applications for new technology has caused researchers and security practitioners to extend the triad's coverage.

Guaranteeing the identities of parties involved in communications is essential to confidentiality. The CIA Triad does not directly address the issues of authenticity and nonrepudiation, but the point of nonrepudiation is that neither party can deny that they participated in the communication. This extension of the triad uniquely addresses aspects of confidentiality and integrity that were never considered in the early theoretical work.

The National Institute of Standards and Technology (NIST) Special Publication 800-33, “Underlying Technical Models for Information Technology Security,” included the CIA Triad as three of its five security objectives, but added the concepts of accountability (that actions of an entity may be traced uniquely to that entity) and assurance (the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information it processes). The NIST work remains influential as an effort to codify best-practice approaches to systems security.

Perhaps the most widely accepted extension to the CIA Triad was proposed by information security pioneer Donn B. Parker. In extending the triad, Parker incorporated three additional concepts into the model, arguing that these concepts were both atomic (could not be further broken down conceptually) and nonoverlapping. This framework has come to be known as the Parkerian Hexad. The Parkerian Hexad contains the following concepts:

Confidentiality:

The limits on who has access to information

Integrity:

Whether the information is in its intended state

Availability:

Whether the information can be accessed in a timely manner

Authenticity:

The proper attribution of the person who created the information

Utility:

The usefulness of the information

Possession or control:

The physical state where the information is maintained

Subsequent academic work produced dozens of other information security models, all aimed at the same fundamental issue — how to characterize information security risks.

In addition to security topics codified in the CIA Triad and related models, the concept of privacy has grown to be a core consideration of security professionals. Privacy, as defined in the (ISC)2 glossary, is the right of human individuals to control the distribution of information about themselves. Privacy, though often managed outside of organizations' central security team, is closely related to the principle of confidentiality and must be a priority for every organization that handles employee or customer personal information. We discuss privacy in several sections throughout the rest of this book.

For the security professional, a solid understanding of the CIA Triad is essential when communicating about information security practice, but it's important to consider related topics not covered by the triad.

EVALUATE AND APPLY SECURITY GOVERNANCE PRINCIPLES

Security governance is the set of responsibilities, policies, and procedures related to defining, managing, and overseeing security practices at an organization. Security is often mistakenly considered to be an IT issue; in actuality, securing an organization's assets and data is a business issue and requires a high level of planning and oversight by people throughout the entire organization, not just the IT department. Because security is a wide-ranging business issue, security governance commonly overlaps with corporate governance and IT governance for an organization. As such, security governance is typically led by executive management at a company, usually including the board of directors. Applying security governance principles involves the following:

Aligning the organization's security function to the company's business strategy, goals, mission, and objectives

Defining and managing organizational processes that require security involvement or oversight (e.g., acquisitions, divestitures, and governance committees)

Developing security roles and responsibilities throughout the organization

Identifying one or more security control frameworks to align your organization with

Conducting due diligence and due care activities on an ongoing basis

Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives

An effective security function must be in alignment with the company's business strategy, goals, mission, and business objectives. Each of these elements should be considered during the creation and management of the organization's information security program and policies.

Companies that fail to properly align their security program with their business strategy, goals, mission, and objectives often perceive security as a business blocker; these companies frequently experience information security as a hurdle that must be cleared to get things accomplished. On the contrary, an information security function that is tightly aligned with a company's strategy and mission can serve as a business enabler, where security is built into the fabric of the company and helps drive toward common goals and objectives. In other words, a company should achieve its mission thanks in part to security, not despite security.

A mission statement is a simple declaration that defines a company's function and purpose; a mission statement summarizes what the company is, what it does, and why the company exists to do those things. A mission statement should be used to drive all corporate activities, including the organization's allocation of time, finances, and effort.

A business strategy describes the actions that a company takes to achieve its goals and objectives. Whereas a mission statement describes what will be achieved, an organization's business strategy identifies exactly how the mission will be accomplished. A company's mission statement rarely changes, but an organization's strategy must be flexible enough to change as the business environment changes.

A goal, in business, is something that an organization expects to achieve or accomplish. Business goals help a company plan for success, and an organization's goals should contribute to its mission. Many companies use the SMART criteria to define their organizational goals. SMART is a mnemonic acronym that defines criteria for creating quality goals. A SMART goal must exhibit the following characteristics:

Specific:

State what you will do using real numbers and real deadlines.

Measurable:

Identify a way to evaluate progress and measure success (or failure). Use metrics or data targets to ensure that the goal is trackable.

Achievable or Attainable:

Establish challenging, but possible, goals that are within your scope.

Relevant:

Establish a goal that is pertinent to your overall mission and vision and aligned with your organization's values and strategy.

Time-bound:

State when you will get the goal done, using specific dates or timeframes.

An objective is a milestone or a specific step that contributes to an organization reaching its goals and achieving its mission. Objectives are used to define incremental steps toward achieving a broader goal. Much like SMART goals, organizations often use the SMART framework to define quality objectives. While many people incorrectly use the terms goal and objective interchangeably, you should understand that an objective is a short-term milestone that supports a longer-term goal.

When establishing your organization's security function, you should begin by defining a security strategy that aligns with your organization's overall business strategy and mission statement. You should develop a set of specific, measurable, achievable, relevant, and time-bound goals and objectives that will help you efficiently maintain the confidentiality, integrity, and availability of your company's systems and information without disrupting your organization's ability to achieve its business goals and objectives. Running an effective security program demands careful consideration of business needs and organizational strategy, in addition to legal and compliance requirements, and requires governance to manage the effectiveness of the security function within the overall organization.

Organizational Processes

People who consider information security a purely IT matter are more prone to focusing solely on the technologies that fit into a security program. As a CISSP, you should know that a mature information security program is more than a collection of firewalls, intrusion detection systems and intrusion prevention systems (IDSs/IPSs), and other tools thrown together — a well-managed security program requires processes in place to provide oversight of activities by executive members of the organization. Security governance is the set of all organizational processes involved in defining and managing information security policies and procedures, including the oversight to ensure that those policies and procedures follow the direction of the organization's strategy and mission.

Governance Committees

A governance committee is a group of executives and leaders who regularly meet to set the direction of the company's security function and provide guidance to help the security function align with the company's overall mission and business strategy. Governance committees review ongoing and planned projects, operational metrics, and any other security matters that may concern the business as a whole. The primary objective of a governance committee is to provide oversight for the company's security function, while ensuring that the security function continues to meet the needs of the organization and its stakeholders.

There are many organizational processes that require a heavy dose of security governance. Mergers, acquisitions, and divestitures are major business events that come with a great deal of security risk that a company must manage.

Mergers and Acquisitions

A merger is the combining of two separate organizations that creates a new, joint organization. An acquisition is the takeover of one organization by another. While mergers and acquisitions (M&A) have different business approaches, they share many of the same security concerns and are often discussed together.

There are countless potential security risks when a company acquires another company or when two organizations decide to merge. For any merger or acquisition, it's imperative that organizations consider these risks and identify appropriate mitigations before pulling the trigger. Some M&A risk factors to consider include the following:

Absorbing the unknown:

When merging with or acquiring another organization, you are absorbing its entire IT infrastructure — good or bad. This means that you are acquiring systems that are likely managed differently from your own, and there may be significant differences in the security controls and processes in place. In addition, the acquired company may use homegrown or highly customized applications that will need to be securely integrated into your existing environment. Further, the acquired or absorbed company may use a different approach to threat modeling and vulnerability management (if they do these at all). Differences in security processes may result in operational challenges and inconsistent procedures during and after integration of the two businesses.

Creating new attack vectors:

By adding in new systems and platforms, you are potentially creating new routes for your company to be attacked. For example, if your organization uses Windows and macOS and you acquire a company that has a fleet of Linux systems, you now have a third operating system to manage and secure.

Impacting resources: