CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition
CISSP Common Body of Knowledge
| KEY AREA OF KNOWLEDGE | CHAPTER |
| ACCESS CONTROL | |
| Control access by applying the following concepts/methodology/techniques: Policies; types of controls (preventative, detective, corrective, etc.); techniques (e.g., non-discretionary, discretionary and mandatory); Identification and Authentication; Decentralized/distributed access control techniques; Authorization mechanisms; Logging and Monitoring |
1, 2, 14 |
| Understand access control attacks | 2 |
| Assess effectiveness of access controls | 2 |
| APPLICATION DEVELOPMENT SECURITY | |
| Understand and apply security in the system life cycle Systems Development Life Cycle (SDLC); Maturity models; Operation and maintenance; Change management; Perform risk analysis |
7 |
| Understand the application environment and security controls Security of the application environment; Security issues of programming languages; Security issues in source code (eg., buffer overflow); Configuration management |
7, 8 |
| Assess the effectiveness of application security Certification and accreditation; Auditing and logging; Corrective actions |
7 |
| BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING | |
| Understand business continuity requirements Develop and document project scope and plan |
15, 16 |
| Conduct business impact analysis Identify and prioritize critical business functions; Determine maximum tolerable downtime and other criteria; assess exposure to outages (e.g., local, regional, global); Define recovery objectives |
15, 16 |
| Develop recovery strategy Implement a backup storage strategy (e.g., offsite storage, electronic vaulting, tape rotation); recovery site strategies |
15, 16 |
| Understand disaster recovery process Response; Personnel; Communications; Assessment; Restoration |
16 |
| Provide Training | 16 |
| Test, update, assess and maintain the plan (e.g., version control, distribution) | 16 |
| CRYPTOGRAPHY | |
| Understand the application and use of cryptography Data at rest (e.g., Hard Drive); Data in transit (e.g., “On the wire”) |
9, 10 |
| Understand encryption concepts Foundational concepts; Symmetric cryptography; Asymmetric cryptography; Hybrid cryptography; Message digests; Hashing |
9, 10 |
| Understand key management process Creation/distribution; Storage/destruction; Recovery; Key escrow |
10 |
| Understand digital signatures | 10 |
| Understand methods of cryptanalytic attacks Chosen plain-text; Social engineering for key discovery; Brute Force; Cipher-text only; Known plaintext; Frequency analysis; Chosen cipher-text; implementation attacks |
10 |
| Employ cryptography in network security | 10 |
| Use cryptography to maintain e-mail security | 10 |
| Understand Public Key Infrastructure (PKI) | 10 |
| Understand certificate related issues | 10 |
| Understand information hiding alternatives (e.g., steganography, watermarking) | 10 |
| INFORMATION SECURITY GOVERNANCE AND RISK MANAGEMENT | |
| Understand and align security function to goals, mission, and objectives of the organization) | 6 |
| Understand and apply security governance Organizational processes; define security roles and responsibilities; Legislative and regulatory compliance; Privacy requirements compliance; Control frameworks; Due care; Due diligence |
5, 6 |
| Understand and apply concepts of confidentiality, availability, and integrity | 5 |
| Develop and implement security policy Security policies; Standards/baselines; Procedures; Guidelines; Documentation |
6 |
| Define and implement information classification and ownership | 5, 6 |
| Ensure security in contractual agreements and procurement processes | 6 |
| Understand and apply risk management concepts Identify threats and vulnerabilities; Risk assessment/analysis; risk assignment/acceptance; Countermeasure selection |
5, 6 |
| Evaluate personnel security Background checks and employment candidate screening; Employment agreements and policies; Employee termination processes; Vendor, consultant and contractor controls |
5, 6 |
| Develop and manage security education, training, and awareness | 6 |
| Develop and implement information system security strategies | 5, 6 |
| Support certification and accreditation efforts | 5, 6, 12 |
| Assess the completeness and effectiveness of the security program | 5, 6, 12 |
| Understand professional ethics | 18 |
| (ISC)2 code of professional ethics; Support organization’s code of ethics | |
| Manage the Security Function Budget; Metrics; Resources |
6 |
| LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE | |
| Understand legal issues that pertain to information security internationally Computer crime; Licensing and intellectual property (e.g., copyright, trademark); Import/Export; Trans-border data flow; Privacy |
17, 18 |
| Understand and support investigations Policy; Incident handling and response; Evidence collection and handling (e.g., chain of custody, interviewing); Reporting and documenting |
14, 17, 18 |
| Understand forensic procedures Media analysis; Network analysis; Software analysis |
17, 18 |
| Understand compliance requirements and procedures Regulatory environment; Audits; Reporting |
6, 14, 17, 18 |
| OPERATIONS SECURITY | |
| Understand the following security concepts Need-to-know/least privilege; Separation of duties and responsibilities; Monitor special privileges (e.g., operators, administrators); Job rotation; Marking, handling, storing, and destroying of sensitive information and media; Record retention |
13, 14, 6 |
| Employ resource protection Media management; Asset management; Personnel privacy and safety |
13, 14 |
| Manage incident response Detection; Response; Reporting; Recovery; Remediation |
18, 14, 15, 16, 17, 19 |
| Prevent or respond to attacks (e.g., malicious code, zero-day exploit, denial of service) | 8, 14 |
| Implement and support patch and vulnerability management | 2, 8 |
| Understand configuration management concepts (e.g., versioning, baselining) | 13, 7 |
| Understand fault tolerance requirements | 2, 15, 4 |
| PHYSICAL (ENVIRONMENTAL) SECURITY | |
| Participate in site and facility design considerations | 19 |
| Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs) | 19 |
| Support the implementation and operation of interior security (e.g., escort requirements/visitor control, keys and locks) | 19 |
| Support the implementation and operation of operations or facility security Communications and server rooms; Restricted and work area security; Data center security; Utilities and HVAC considerations; Water issues (e.g., leakage, flooding); Fire prevention, detection and suppression |
19 |
| Support the protection and securing of equipment | 19 |
| SECURITY ARCHITECTURE AND DESIGN | |
| Understand the fundamental concepts of security models (e.g., Confidentiality; Integrity; and Multi-level Models | 11, 12 |
| Understand the components of information systems security evaluation models Product evaluation models (e.g., common criteria); Industry and international security implementation guidelines (e.g., PCI-DSS, ISO) |
12 |
| Understand security capabilities of information systems (e.g., memory protection; virtualization, trusted platform module) | 11, 12 |
| Understand the vulnerabilities of security architecture System (e.g., covert channels; states attacks; emanations); Technology and process integration (e.g., single point of failure, service oriented architecture) |
11, 12 |
| Understand application and system vulnerabilities and threats Web-based (e.g., XML, SAML); Client-based (e.g., applets); Server-based (e.g., data flow control); Database security (e.g., inference, aggregation, data mining) |
11, 12 |
| Understand countermeasure principles (e.g., defense in depth) | 12, 1 |
| TELECOMMUNICATIONS AND NETWORK SECURITY | |
| Establish secure data communications | 3, 4 |
| Understand secure network architecture and design OSI and TCP/IP models; IP networking |
3 |
| Secure network components Hardware (e.g., modems, switches; routers); Transmission media; Filtering devices (e.g., firewalls, proxies); end-point security |
3, 4 |
| Establish secure multimedia communications Voice over IP (VoIP); Multimedia collaboration (e.g., remote meeting technology, instant messaging); Virtual Private Networks (VPN); Remote access |
3, 4 |
| Understand network attacks | 4 |
The (ISC)2 BOK is subject to change at any time without prior notice and at (ISC)2’s sole discretion. Please visit (ISC)2’s website (https://www.isc2.org/) for the most up-to-date information.