The (ISC)2® CISSP®: Certified Information Systems Security Professional Official Study Guide, Ninth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you've shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.
This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.
Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of full-time paid work experience (or four years if you have a college degree) in two or more of the eight domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)², then you are sufficiently prepared to use this book to study for it. For more information on (ISC)², see the next section.
(ISC)² also allows for a one-year reduction of the five-year experience requirement if you have earned one of the approved certifications from the (ISC)² prerequisite pathway. These include certifications such as Certified Authorization Professional (CAP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Cisco Certified Internetwork Expert (CCIE), Cisco Certified Network Associate Security (CCNA Security), CompTIA Advanced Security Practitioner (CASP), CompTIA Security+, CompTIA Cybersecurity Analyst (CySA+), and many of the Global Information Assurance Certification (GIAC) certifications. For a complete list of qualifying certifications, visit www.isc2.org/Certifications/CISSP/Prerequisite-Pathway.
If you are just getting started on your journey to CISSP certification and do not yet have the work experience, then our book can still be a useful tool in your preparation for the exam. However, you may find that some of the topics covered assume knowledge that you don't have. For those topics, you may need to do some additional research using other materials, and then return to this book to continue learning about the CISSP topics.
The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)². (ISC)2 is a global nonprofit organization. It has four primary mission goals:
(ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners.
(ISC)2 supports and provides a wide variety of certifications, including CISSP, CISSP-ISSAP, CISSP-ISSMP, CISSP-ISSEP, SSCP, CAP, CSSLP, HCISPP, and CCSP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about (ISC)2 and its other certifications from its website at isc2.org.
The CISSP credential is for security professionals responsible for designing and maintaining security infrastructure within an organization.
The CISSP certification covers material from the eight topical domains. These eight domains are as follows:
These eight domains provide a vendor-independent overview of a common security framework. This framework is the basis for a discussion on security practices that can be supported in all types of organizations worldwide.
(ISC)2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ full-time paid work experience or with four years’ experience and a recent IT or IS degree or an approved security certification (see isc2.org for details). Professional experience is defined as security work performed for salary or commission within two or more of the eight CBK domains.
Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines (ISC)2 wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)2 website at isc2.org.
(ISC)2 also offers an entry program known as an Associate of (ISC)². This program allows someone without any or enough experience to qualify as a CISSP to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years of security experience. Only after providing proof of such experience, usually by means of endorsement and a résumé, can the individual be awarded CISSP certification.
The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you'll need to be familiar with every domain but not necessarily be a master of each domain.
The CISSP exam is in an adaptive format that (ISC)2 calls CISSP-CAT (Computerized Adaptive Testing). For complete details of this new version of exam presentation, please see www.isc2.org/certifications/CISSP/CISSP-CAT.
The CISSP-CAT exam will have a minimum of 100 questions and a maximum of 150. Not all items you are presented with count toward your score or passing status. These unscored items are called pretest questions by (ISC)², whereas the scored items are called operational items. The questions are not labeled on the exam as to whether they are scored (i.e., operational items) or unscored (i.e., pretest questions). Test candidates will receive 25 unscored items on their exam, regardless of whether they achieve a passing rank at question 100 or see all of the 150 questions.
The CISSP-CAT grants a maximum of three hours to take the exam. If you run out of time before achieving a passing rank, you will automatically fail.
The CISSP-CAT does not allow you to return to a previous question to change your answer. Your answer selection is final once you leave a question by submitting your answer selection.
The CISSP-CAT does not have a published or set score to achieve. Instead, you must demonstrate the ability to answer above the (ISC)2 bar for passing, called the passing standard (which is not disclosed), within the last 75 operational items (i.e., questions).
If the computer determines that you have a less than 5 percent chance of achieving a passing standard and you have seen 75 operational items (which will be at question 100), your test will automatically end with a failure. If the computer determines that you have a higher than 95 percent chance of achieving or maintaining a passing standard once you have seen 75 operational items (which will be at question 100), your test will automatically end with a pass. If neither of these extremes is met, then you will see another question, and your status will be evaluated again after it is answered. You are not guaranteed to see any more questions than are necessary for the computer grading system to determine with 95 percent confidence your ability to achieve a passing standard or to fail to meet the passing standard. If you do not achieve the passing standard after submitting your answer to question 150, then you fail. If you run out of time, then you fail.
If you do not pass the CISSP exam on your first attempt, you are allowed to retake the CISSP exam under the following conditions:
The exam retake policy was updated in October 2020; you can read the official policy here: www.isc2.org/Exams/After-Your-Exam.
You will need to pay full price for each additional exam attempt.
It is not possible to take the previous English paper-based or CBT (computer-based testing) flat 250-question version of the exam. CISSP is now available only in the CBT CISSP-CAT format in English through (ISC)2-authorized Pearson VUE test centers in authorized markets.
The CISSP exam is available in English, French, German, Brazilian Portuguese, Spanish (Modern), Japanese, Simplified Chinese, and Korean. These non-English versions of CISSP are still administered using the 250-question linear, fixed-form, flat exam.
For more details and the most up-to-date information on the CISSP exam direct from (ISC)2, please visit www.isc2.org/Certifications/CISSP and download the CISSP Ultimate Guide and the CISSP Exam Outline (currently located in the “2: Register and Prepare for the Exam” section). You might also find useful information on the (ISC)2 blog at blog.isc2.org/isc2_blog. For example, there is a good article posted in October 2020 titled “Why Does the CISSP Exam Change?” (blog.isc2.org/isc2_blog/2020/10/why-does-the-cissp-exam-change.html).
Most of the questions on the CISSP exam are four-option, multiple-choice questions with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response.
You must select the one correct or best answer and mark it. In some cases, the correct answer will be obvious to you. In other cases, several answers may seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you'll need to select the least incorrect answer.
Some multiple-choice questions may require that you select more than one answer; if so, these will state what is necessary to provide a complete answer.
In addition to the standard multiple-choice question format, the exam may include a few advanced question formats, which (ISC)2 calls advanced innovative questions. These include drag-and-drop questions and hotspot questions. These types of questions require you to place topics or concepts in order of operations, in priority preference, or in relation to proper positioning for the needed solution. Specifically, the drag-and-drop questions require the test taker to move labels or icons to mark items on an image. The hotspot questions require the test taker to pinpoint a location on an image with a crosshair marker. These question concepts are easy to work with and understand, but be careful about your accuracy when dropping or marking.
The CISSP exam consists of two key elements. First, you need to know the material from the eight domains. Second, you must have good test-taking skills. You have a maximum of 3 hours to achieve a passing standard with the potential to see up to 150 questions. Thus, you will have on average just over a minute for each question, so it is important to work quickly, without rushing, but also without wasting time.
Question skipping is no longer allowed on the CISSP exam, and you're also not allowed to jump around, so one way or another, you have to come up with your best answer on each question. We recommend that you attempt to eliminate as many answer options as possible before making a guess. Then you can make educated guesses from a reduced set of options to increase your chance of getting a question correct.
Also note that (ISC)2 does not disclose if there is partial credit given for multiple-part questions if you get only some of the elements correct. So, pay attention to questions with checkboxes, and be sure to select as many items as necessary to properly address the question.
You will be provided with a dry-erase board and a marker to jot down thoughts and make notes. But nothing written on that board will be used to alter your score. That board must be returned to the test administrator prior to departing the test facility.
To maximize your test-taking activities, here are some general guidelines:
Manage your time. You can take breaks during your test, but this will consume some of your test time. You might consider bringing a drink and snacks, but your food and drink will be stored for you away from the testing area, and that break time will count against your test time limit. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. You should avoid wearing anything on your wrists, including watches, fitness trackers, and jewelry. You are not allowed to bring any form of noise-canceling headsets or earbuds, although you can use foam earplugs. We also recommend wearing comfortable clothes and taking a light jacket with you (some testing locations are a bit chilly).
You may want to review the (ISC)² Certification Acronym and (ISC)² CISSP Glossary documents here:
www.isc2.org/-/media/Files/Certification-Acronym-Glossary.ashx
www.isc2.org/Certifications/CISSP/CISSP-Student-Glossary
Finally, (ISC)² exam policies are subject to change. Please be sure to check isc2.org for the current policies before you register and take the exam.
We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:
isc2.org.
Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone who is a CISSP, or other (ISC)2 certification holder, in good standing and familiar with your work history to submit an endorsement form on your behalf. Once you pass the CISSP exam, you will receive an email with instructions. However, you can review the endorsement application process at www.isc2.org/Endorsement.
If you registered for CISSP, then you must complete endorsement within nine months of your exam. If you registered for Associate of (ISC)2, then you have six years from your exam date to complete endorsement. Once (ISC)2 accepts your endorsement, the certification process will be completed and you will be sent a welcome packet.
Once you have achieved your CISSP certification, you must now work toward maintaining the certification. You will need to earn 120 Continuing Professional Education (CPE) credits by your third-year anniversary. For details on earning and reporting CPEs, please consult the (ISC)2 Continuing Professional Education (CPE) Handbook (www.isc2.org/-/media/ISC2/Certifications/CPE/CPE---Handbook.ashx) and the CPE Opportunities page (www.isc2.org/Membership/CPE-Opportunities). You will also be required to pay an annual maintenance fee (AMF) upon earning your certification and at each annual anniversary. For details on the AMF, please see the (ISC)2 CPE Handbook and www.isc2.org/Policies-Procedures/Member-Policies.
Each chapter includes common elements to help you focus your studies and test your knowledge. Here are descriptions of those elements:
Studying the material in the (ISC)2 CISSP: Certified Information Systems Security Professional Official Study Guide, Ninth Edition is an important part of preparing for the Certified Information Systems Security Professional (CISSP) certification exam, but we provide additional tools to help you prepare. The online TestBank will help you understand the types of questions that will appear on the certification exam.
The sample tests in the TestBank include all the questions in each chapter as well as the questions from the Assessment test in this Introduction section. In addition, there are four bonus practice exams that you can use to evaluate your understanding and identify areas that may require additional study. These four additional practice exams include 125 questions each and cover the breadth of domain topics in a similar percentage ratio as the real exam. They can be used as real exam simulations to evaluate your preparedness.
The flashcards in the TestBank will push the limits of what you should know for the certification exam. The questions are provided in digital format. Each flashcard has one question and one correct answer.
The online glossary is a searchable list of key terms introduced in this exam guide that you should know for the CISSP certification exam.
New for the 9th edition: Audio Review. Author Mike Chapple reads the Exam Essentials for each chapter, providing you with 2 hours and 50 minutes of new audio review for yet another way to reinforce your knowledge as you prepare. We suggest using these audio reviews after you have read each chapter. You can listen to them on your commute, at the gym, or anywhere you listen to audiobooks!
To start using these to study for the exam, go to www.wiley.com/go/sybextestprep, register your book to receive your unique PIN, and then once you have the PIN, return to www.wiley.com/go/sybextestprep, and register a new account or add this book to an existing account.
This table provides the extent, by percentage, to which each section is represented on the actual examination.
| Domain | % of exam |
|---|---|
| Domain 1: Security and Risk Management | 15% |
| Domain 2: Asset Security | 10% |
| Domain 3: Security Architecture and Engineering | 13% |
| Domain 4: Communication and Network Security | 13% |
| Domain 5: Identity and Access Management (IAM) | 13% |
| Domain 6: Security Assessment and Testing | 12% |
| Domain 7: Security Operations | 13% |
| Domain 8: Software Development Security | 11% |
| Total | 100% |
This book is designed to cover each of the eight CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book consists of 21 chapters. Here is a complete CISSP Exam Outline mapping each objective item to its location in this book's chapters.
| Domain # | Objective | Chapter |
|---|---|---|
| Domain 1 | Security and Risk Management | |
| 1.1 | Understand, adhere to, and promote professional ethics | 19 |
| 1.1.1 | | 19 |
| 1.1.2 | | 19 |
| 1.2 | Understand and apply security concepts | 1 |
| 1.2.1 | | 1 |
| 1.3 | Evaluate and apply security governance principles | 1 |
| 1.3.1 | | 1 |
| 1.3.2 | | 1 |
| 1.3.3 | | 1 |
| 1.3.4 | | 1 |
| 1.3.5 | | 1 |
| 1.4 | Determine compliance and other requirements | 4 |
| 1.4.1 | | 4 |
| 1.4.2 | | 4 |
| 1.5 | Understand legal and regulatory issues that pertain to information security in a holistic context | 4 |
| 1.5.1 | | 4 |
| 1.5.2 | | 4 |
| 1.5.3 | | 4 |
| 1.5.4 | | 4 |
| 1.5.5 | | 4 |
| 1.6 | Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) | 19 |
| 1.7 | Develop, document, and implement security policy, standards, procedures, and guidelines | 1 |
| 1.8 | Identify, analyze, and prioritize Business Continuity (BC) requirements | 3 |
| 1.8.1 | | 3 |
| 1.8.2 | | 3 |
| 1.9 | Contribute to and enforce personnel security policies and procedures | 2 |
| 1.9.1 | | 2 |
| 1.9.2 | | 2 |
| 1.9.3 | | 2 |
| 1.9.4 | | 2 |
| 1.9.5 | | 2 |
| 1.9.6 | | 2 |
| 1.10 | Understand and apply risk management concepts | 2 |
| 1.10.1 | | 2 |
| 1.10.2 | | 2 |
| 1.10.3 | | 2 |
| 1.10.4 | | 2 |
| 1.10.5 | | 2 |
| 1.10.6 | | 2 |
| 1.10.7 | | 2 |
| 1.10.8 | | 2 |
| 1.10.9 | | 2 |
| 1.10.10 | | 2 |
| 1.11 | Understand and apply threat modeling concepts and methodologies | 1 |
| 1.12 | Apply Supply Chain Risk Management (SCRM) concepts | 1 |
| 1.12.1 | | 1 |
| 1.12.2 | | 1 |
| 1.12.3 | | 1 |
| 1.12.4 | | 1 |
| 1.13 | Establish and maintain a security awareness, education, and training program | 2 |
| 1.13.1 | | 2 |
| 1.13.2 | | 2 |
| 1.13.3 | | 2 |
| Domain 2 | Asset Security | |
| 2.1 | Identify and classify information and assets | 5 |
| 2.1.1 | | 5 |
| 2.1.2 | | 5 |
| 2.2 | Establish information and asset handling requirements | 5 |
| 2.3 | Provision resources securely | 16 |
| 2.3.1 | | 16 |
| 2.3.2 | | 16 |
| 2.3.3 | | 16 |
| 2.4 | Manage data lifecycle | 5 |
| 2.4.1 | | 5 |
| 2.4.2 | | 5 |
| 2.4.3 | | 5 |
| 2.4.4 | | 5 |
| 2.4.5 | | 5 |
| 2.4.6 | | 5 |
| 2.4.7 | | 5 |
| 2.5 | Ensure appropriate asset retention (e.g., End-of-Life (EOL) End-of-Support (EOS)) | 5 |
| 2.6 | Determine data security controls and compliance requirements | 5 |
| 2.6.1 | | 5 |
| 2.6.2 | | 5 |
| 2.6.3 | | 5 |
| 2.6.4 | | 5 |
| Domain 3 | Security Architecture and Engineering | |
| 3.1 | Research, implement and manage engineering processes using secure design principles | 1, 8, 9, 16 |
| 3.1.1 | | 1 |
| 3.1.2 | | 16 |
| 3.1.3 | | 1 |
| 3.1.4 | | 8 |
| 3.1.5 | | 8 |
| 3.1.6 | | 16 |
| 3.1.7 | | 8 |
| 3.1.8 | | 8 |
| 3.1.9 | | 8 |
| 3.1.10 | | 8 |
| 3.1.11 | | 9 |
| 3.2 | Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula) | 8 |
| 3.3 | Select controls based upon systems security requirements | 8 |
| 3.4 | Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption) | 8 |
| 3.5 | Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements | 9, 16, 20 |
| 3.5.1 | | 9 |
| 3.5.2 | | 9 |
| 3.5.3 | | 20 |
| 3.5.4 | | 7 |
| 3.5.5 | | 9 |
| 3.5.6 | | 16 |
| 3.5.7 | | 9 |
| 3.5.8 | | 9 |
| 3.5.9 | | 9 |
| 3.5.10 | | 9 |
| 3.5.11 | | 9 |
| 3.5.12 | | 9 |
| 3.5.13 | | 9 |
| 3.5.14 | | 9 |
| 3.5.15 | | 9 |
| 3.6 | Select and determine cryptographic solutions | 6, 7 |
| 3.6.1 | | 6, 7 |
| 3.6.2 | | 6, 7 |
| 3.6.3 | | 7 |
| 3.6.4 | | 7 |
| 3.6.5 | | 7 |
| 3.6.6 | | 6, 7 |
| 3.6.7 | | 6, 7 |
| 3.7 | Understand methods of cryptanalytic attacks | 7, 14, 21 |
| 3.7.1 | | 7 |
| 3.7.2 | | 7 |
| 3.7.3 | | 7 |
| 3.7.4 | | 7 |
| 3.7.5 | | 7 |
| 3.7.6 | | 7 |
| 3.7.7 | | 7 |
| 3.7.8 | | 7 |
| 3.7.9 | | 7 |
| 3.7.10 | | 7 |
| 3.7.11 | | 14 |
| 3.7.12 | | 14 |
| 3.7.13 | | 21 |
| 3.8 | Apply security principles to site and facility design | 10 |
| 3.9 | Design site and facility security controls | 10 |
| 3.9.1 | | 10 |
| 3.9.2 | | 10 |
| 3.9.3 | | 10 |
| 3.9.4 | | 10 |
| 3.9.5 | | 10 |
| 3.9.6 | | 10 |
| 3.9.7 | | 10 |
| 3.9.8 | | 10 |
| 3.9.9 | | 10 |
| Domain 4 | Communication and Network Security | |
| 4.1 | Assess and implement secure design principles in network architectures | 11, 12 |
| 4.1.1 | | 11 |
| 4.1.2 | | 11, 12 |
| 4.1.3 | | 11 |
| 4.1.4 | | 11 |
| 4.1.5 | | 11 |
| 4.1.6 | | 11 |
| 4.1.7 | | 11 |
| 4.1.8 | | 11 |
| 4.1.9 | | 11 |
| 4.2 | Secure network components | 11 |
| 4.2.1 | | 11 |
| 4.2.2 | | 11 |
| 4.2.3 | | 11 |
| 4.2.4 | | 11 |
| 4.3 | Implement secure communication channels according to design | 12 |
| 4.3.1 | | 12 |
| 4.3.2 | | 12 |
| 4.3.3 | | 12 |
| 4.3.4 | | 12 |
| 4.3.5 | | 12 |
| 4.3.6 | | 12 |
| Domain 5 | Identity and Access Management (IAM) | |
| 5.1 | Control physical and logical access to assets | 13 |
| 5.1.1 | | 13 |
| 5.1.2 | | 13 |
| 5.1.3 | | 13 |
| 5.1.4 | | 13 |
| 5.1.5 | | 13 |
| 5.2 | Manage identification and authentication of people, devices, and services | 13 |
| 5.2.1 | | 13 |
| 5.2.2 | | 13 |
| 5.2.3 | | 13 |
| 5.2.4 | | 13 |
| 5.2.5 | | 13 |
| 5.2.6 | | 13 |
| 5.2.7 | | 13 |
| 5.2.8 | | 13 |
| 5.2.9 | | 13 |
| 5.3 | Federated identity with a third-party service | 13 |
| 5.3.1 | | 13 |
| 5.3.2 | | 13 |
| 5.3.3 | | 13 |
| 5.4 | Implement and manage authorization mechanisms | 14 |
| 5.4.1 | | 14 |
| 5.4.2 | | 14 |
| 5.4.3 | | 14 |
| 5.4.4 | | 14 |
| 5.4.5 | | 14 |
| 5.4.6 | | 14 |
| 5.5 | Manage the identity and access provisioning lifecycle | 13, 14 |
| 5.5.1 | | 13 |
| 5.5.2 | | 13 |
| 5.5.3 | | 13 |
| 5.5.4 | | 14 |
| 5.6 | Implement authentication systems | 14 |
| 5.6.1 | | 14 |
| 5.6.2 | | 14 |
| 5.6.3 | | 14 |
| 5.6.4 | | 14 |
| Domain 6 | Security Assessment and Testing | |
| 6.1 | Design and validate assessment, test, and audit strategies | 15 |
| 6.1.1 | | 15 |
| 6.1.2 | | 15 |
| 6.1.3 | | 15 |
| 6.2 | Conduct security control testing | 15 |
| 6.2.1 | | 15 |
| 6.2.2 | | 15 |
| 6.2.3 | | 15 |
| 6.2.4 | | 15 |
| 6.2.5 | | 15 |
| 6.2.6 | | 15 |
| 6.2.7 | | 15 |
| 6.2.8 | | 15 |
| 6.2.9 | | 15 |
| 6.2.10 | | 15 |
| 6.3 | Collect security process data (e.g., technical and administrative) | 15, 18 |
| 6.3.1 | | 15 |
| 6.3.2 | | 15 |
| 6.3.3 | | 15 |
| 6.3.4 | | 15 |
| 6.3.5 | | 15, 18 |
| 6.3.6 | | 18, 3 |
| 6.4 | Analyze test output and generate report | 15 |
| 6.4.1 | | 15 |
| 6.4.2 | | 15 |
| 6.4.3 | | 15 |
| 6.5 | Conduct or facilitate security audits | 15 |
| 6.5.1 | | 15 |
| 6.5.2 | | 15 |
| 6.5.3 | | 15 |
| Domain 7 | Security Operations | |
| 7.1 | Understand and comply with investigations | 19 |
| 7.1.1 | | 19 |
| 7.1.2 | | 19 |
| 7.1.3 | | 19 |
| 7.1.4 | | 19 |
| 7.1.5 | | 19 |
| 7.2 | Conduct logging and monitoring activities | 17, 21 |
| 7.2.1 | | 17 |
| 7.2.2 | | 17 |
| 7.2.3 | | 17 |
| 7.2.4 | | 17 |
| 7.2.5 | | 17 |
| 7.2.6 | | 17 |
| 7.2.7 | | 21 |
| 7.3 | Perform Configuration Management (CM) (e.g., provisioning, baselining, automation) | 16 |
| 7.4 | Apply foundational security operations concepts | 16 |
| 7.4.1 | | 16 |
| 7.4.2 | | 16 |
| 7.4.3 | | 16 |
| 7.4.4 | | 16 |
| 7.4.5 | | 16 |
| 7.5 | Apply resource protection | 16 |
| 7.5.1 | | 16 |
| 7.5.2 | | 16 |
| 7.6 | Conduct incident management | 17 |
| 7.6.1 | | 17 |
| 7.6.2 | | 17 |
| 7.6.3 | | 17 |
| 7.6.4 | | 17 |
| 7.6.5 | | 17 |
| 7.6.6 | | 17 |
| 7.6.7 | | 17 |
| 7.7 | Operate and maintain detective and preventative measures | 11, 17 |
| 7.7.1 | | 11 |
| 7.7.2 | | 17 |
| 7.7.3 | | 17 |
| 7.7.4 | | 17 |
| 7.7.5 | | 17 |
| 7.7.6 | | 17 |
| 7.7.7 | | 17 |
| 7.7.8 | | 17 |
| 7.8 | Implement and support patch and vulnerability management | 16 |
| 7.9 | Understand and participate in change management processes | 16 |
| 7.10 | Implement recovery strategies | 18 |
| 7.10.1 | | 18 |
| 7.10.2 | | 18 |
| 7.10.3 | | 18 |
| 7.10.4 | | 18 |
| 7.11 | Implement Disaster Recovery (DR) processes | 18 |
| 7.11.1 | | 18 |
| 7.11.2 | | 18 |
| 7.11.3 | | 18 |
| 7.11.4 | | 18 |
| 7.11.5 | | 18 |
| 7.11.6 | | 18 |
| 7.11.7 | | 18 |
| 7.12 | Test Disaster Recovery Plans (DRP) | 18 |
| 7.12.1 | | 18 |
| 7.12.2 | | 18 |
| 7.12.3 | | 18 |
| 7.12.4 | | 18 |
| 7.12.5 | | 18 |
| 7.13 | Participate in Business Continuity (BC) planning and exercises | 3 |
| 7.14 | Implement and manage physical security | 10 |
| 7.14.1 | | 10 |
| 7.14.2 | | 10 |
| 7.15 | Address personnel safety and security concerns | 16 |
| 7.15.1 | | 16 |
| 7.15.2 | | 16 |
| 7.15.3 | | 16 |
| 7.15.4 | | 16 |
| Domain 8 | Software Development Security | |
| 8.1 | Understand and integrate security in the Software Development Life Cycle (SDLC) | 20 |
| 8.1.1 | | 20 |
| 8.1.2 | | 20 |
| 8.1.3 | | 20 |
| 8.1.4 | | 20 |
| 8.1.5 | | 20 |
| 8.2 | Identify and apply security controls in software development ecosystems | 15, 17, 20, 21 |
| 8.2.1 | | 20 |
| 8.2.2 | | 20 |
| 8.2.3 | | 20 |
| 8.2.4 | | 20 |
| 8.2.5 | | 20 |
| 8.2.6 | | 20 |
| 8.2.7 | | 17 |
| 8.2.8 | | 20 |
| 8.2.9 | | 20 |
| 8.2.10 | | 15 |
| 8.3 | Assess the effectiveness of software security | 20 |
| 8.3.1 | | 20 |
| 8.3.2 | | 20 |
| 8.4 | Assess security impact of acquired software | 16, 20 |
| 8.4.1 | | 20 |
| 8.4.2 | | 20 |
| 8.4.3 | | 20 |
| 8.4.4 | | 16 |
| 8.5 | Define and apply secure coding guidelines and standards | 20, 21 |
| 8.5.1 | | 21 |
| 8.5.2 | | 20 |
| 8.5.3 | | 20 |
| 8.5.4 | | 20 |
If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.
In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”
X: 0 1 1 0 1 0
Y: 0 0 1 1 0 1
___________________
X ⊕ Y: ?
| User | Last Login Length | Last Password Change |
|---|---|---|
| Bob | 4 hours | 87 days |
| Sue | 3 hours | 38 days |
| John | 1 hour | 935 days |
| Kesha | 3 hours | 49 days |
The security manager reviews the account policies of the organization and takes note of the following requirements:
Which of the following security controls should be corrected to enforce the password policy?
SHTTP://
TLS://
FTPS://
HTTPS://
HTTPS://
is the correct prefix for the use of HTTP (Hypertext Transfer Protocol) over TLS (Transport Layer Security). This was the same prefix when SSL (Secure Sockets Layer) was used to encrypt HTTP, but SSL has been deprecated. SHTTP://
is for Secure HTTP, which was SSH but SHTTP is also deprecated. TLS://
is an invalid prefix. FTPS://
is a valid prefix that can be used in some web browsers, and it uses TLS to encrypt the connection, but it is for securing FTP file exchange rather than web communications.3.137.218.230