Lawrence C. Miller, CISSP, is a veteran information security professional. He has served as a consultant for multinational corporations and holds many networking certifications. Peter H. Gregory, CISSP, is a security, risk, and technology director with experience in SAAS, retail, telecommunications, non-profit, manufacturing, healthcare, and beyond. Larry and Peter have been coauthors of CISSP For Dummies for more than 20 years.
Introduction
  About This Book
  Foolish Assumptions
  Icons Used in This Book
  Beyond the Book
  Where to Go from Here
Part 1: Getting Started with CISSP Certification
  Chapter 1: (ISC)2 and the CISSP Certification
    About (ISC)2 and the CISSP Certification
    You Must Be This Tall to Ride This Ride (And Other Requirements)
    Preparing for the Exam
      Studying on your own
      Getting hands-on experience
      Getting official (ISC)2 CISSP training
      Attending other training courses or study groups
      Taking practice exams
      Are you ready for the exam?
    Registering for the Exam
    About the CISSP Examination
    After the Examination
  Chapter 2: Putting Your Certification to Good Use
    Networking with Other Security Professionals
    Being an Active (ISC)2 Member
    Considering (ISC)2 Volunteer Opportunities
      Writing certification exam questions
      Speaking at events
      Helping at (ISC)2 conferences
      Reading and contributing to (ISC)2 publications
      Supporting the (ISC)2 Center for Cyber Safety and Education
      Participating in bug-bounty programs
      Participating in (ISC)2 focus groups
      Joining the (ISC)2 community
      Getting involved with a CISSP study group
      Helping others learn more about data security
    Becoming an Active Member of Your Local Security Chapter
    Spreading the Good Word about CISSP Certification
      Leading by example
    Using Your CISSP Certification to Be an Agent of Change
    Earning Other Certifications
      Other (ISC)2 certifications
      CISSP concentrations
      Non-(ISC)2 certifications
      Choosing the right certifications
      Finding a mentor, being a mentor
      Building your professional brand
    Pursuing Security Excellence
Part 2: Certification Domains
  Chapter 3: Security and Risk Management
    Understand, Adhere to, and Promote Professional Ethics
      (ISC)2 Code of Professional Ethics
      Organizational code of ethics
    Understand and Apply Security Concepts
      Confidentiality
      Integrity
      Availability
      Authenticity
      Nonrepudiation
    Evaluate and Apply Security Governance Principles
      Alignment of security function to business strategy, goals, mission, and objectives
      Organizational processes
      Organizational roles and responsibilities
      Security control frameworks
      Due care and due diligence
    Determine Compliance and Other Requirements
      Contractual, legal, industry standards, and regulatory requirements
      Privacy requirements
    Understand Legal and Regulatory Issues That Pertain to Information Security
      Cybercrimes and data breaches
      Licensing and intellectual property requirements
      Import/export controls
      Transborder data flow
      Privacy
    Understand Requirements for Investigation Types
    Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines
      Policies
      Standards (and baselines)
      Procedures
      Guidelines
    Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
      Business impact analysis
      Develop and document the scope and the plan
    Contribute to and Enforce Personnel Security Policies and Procedures
      Candidate screening and hiring
      Employment agreements and policies
      Onboarding, transfers, and termination processes
      Vendor, consultant, and contractor agreements and controls
      Compliance policy requirements
      Privacy policy requirements
    Understand and Apply Risk Management Concepts
      Identify threats and vulnerabilities
      Risk assessment/analysis
      Risk appetite and risk tolerance
      Risk treatment
      Countermeasure selection and implementation
      Applicable types of controls
      Control assessments (security and privacy)
      Monitoring and measurement
      Reporting
      Continuous improvement
      Risk frameworks
    Understand and Apply Threat Modeling Concepts