CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (paperback)
Format: Paperback / softback
Language: English
Number of pages: 1080
Publication date: 2015-10-23
Edition: 7th Edition
Publisher: Sybex Inc., U.S.
Illustrator/Photographer: illustrations
Illustrations: illustrations
Dimensions: 228 x 177 x 50 mm
Weight: 1383 g
Number of components: 1
Components: Contains 1 Digital online
ISBN: 9781119042716

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide

Certified Information Systems Security Professional Study Guide, Seventh Edition

Paperback, English, 2015-10-23
CISSP Study Guide - fully updated for the 2015 CISSP Body of Knowledge

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition has been completely updated for the latest 2015 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.

Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:

* Four unique 250 question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
* More than 650 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
* A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam

Coverage of all of the exam topics in the book means you'll be ready for:

* Security and Risk Management
* Asset Security
* Security Engineering
* Communication and Network Security
* Identity and Access Management
* Security Assessment and Testing
* Security Operations
* Software Development Security

Other information

James Michael Stewart, CISSP, CEH, CHFI, Security+, has focused on security, certification, and various operating systems for more than 20 years. He teaches numerous job skill and certification courses. Mike Chapple, PhD, CISSP, is Senior Director for IT Service Delivery at the University of Notre Dame. He oversees information security, data governance, IT architecture, project management, strategic planning, and product management functions. Darril Gibson, CISSP, is CEO of YCDA, LLC. He regularly writes and consults on a variety of technical and security topics, and has authored or coauthored more than 35 books.

Table of contents

Introduction
Assessment Test

Chapter 1 Security Governance Through Principles and Policies
* Understand and Apply Concepts of Confidentiality, Integrity, and Availability
* Confidentiality
* Integrity
* Availability
* Other Security Concepts
* Protection Mechanisms
* Layering
* Abstraction
* Data Hiding
* Encryption
* Apply Security Governance Principles
* Alignment of Security Function to Strategy, Goals, Mission, and Objectives
* Organizational Processes
* Security Roles and Responsibilities
* Control Frameworks
* Due Care and Due Diligence
* Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines
* Security Policies
* Security Standards, Baselines, and Guidelines
* Security Procedures
* Understand and Apply Threat Modeling
* Identifying Threats
* Determining and Diagramming Potential Attacks
* Performing Reduction Analysis
* Prioritization and Response
* Integrate Security Risk Considerations into Acquisition Strategy and Practice
* Summary
* Exam Essentials
* Written Lab
* Review Questions

Chapter 2 Personnel Security and Risk Management Concepts
* Contribute to Personnel Security Policies
* Employment Candidate Screening
* Employment Agreements and Policies
* Employment Termination Processes
* Vendor, Consultant, and Contractor Controls
* Compliance
* Privacy
* Security Governance
* Understand and Apply Risk Management Concepts
* Risk Terminology
* Identify Threats and Vulnerabilities
* Risk Assessment/Analysis
* Risk Assignment/Acceptance
* Countermeasure Selection and Assessment
* Implementation
* Types of Controls
* Monitoring and Measurement
* Asset Valuation
* Continuous Improvement
* Risk Frameworks
* Establish and Manage Information Security Education, Training, and Awareness
* Manage the Security Function
* Summary
* Exam Essentials
* Written Lab
* Review Questions

Chapter 3 Business Continuity Planning
* Planning for Business Continuity
* Project Scope and Planning
* Business Organization Analysis
* BCP Team Selection
* Resource Requirements
* Legal and Regulatory Requirements
* Business Impact Assessment
* Identify Priorities
* Risk Identification
* Likelihood Assessment
* Impact Assessment
* Resource Prioritization
* Continuity Planning
* Strategy Development
* Provisions and Processes
* Plan Approval
* Plan Implementation
* Training and Education
* BCP Documentation
* Continuity Planning Goals
* Statement of Importance
* Statement of Priorities
* Statement of Organizational Responsibility
* Statement of Urgency and Timing
* Risk Assessment
* Risk Acceptance/Mitigation
* Vital Records Program
* Emergency-Response Guidelines
* Maintenance
* Testing and Exercises
* Summary
* Exam Essentials
* Written Lab
* Review Questions

Chapter 4 Laws, Regulations, and Compliance
* Categories of Laws
* Criminal Law
* Civil Law
* Administrative Law
* Laws
* Computer Crime
* Intellectual Property
* Licensing
* Import/Export
* Privacy
* Compliance
* Contracting and Procurement
* Summary
* Exam Essentials
* Written Lab
* Review Questions

Chapter 5 Protecting Security of Assets
* Classifying and Labeling Assets
* Defining Sensitive Data
* Defining Classifications
* Defining Data Security Requirements
* Understanding Data States
* Managing Sensitive Data
* Protecting Confidentiality with Cryptography
* Identifying Data Roles
* Data Owners
* System Owners
* Business/Mission Owners
* Data Processors
* Administrators
* Custodians
* Use