(ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, 2nd Edition (paperback)

Format: Paperback / softback
Language: English
Number of pages: 688
Publication date: 2019-06-07
Edition: 2nd Edition
Publisher: Sybex Inc., U.S.
Dimensions: 234 x 183 x 28 mm
Weight: 931 g
Number of components: 1
ISBN: 9781119542940

by M Wills
The only SSCP study guide officially approved by (ISC)2.

The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures. This comprehensive Official Study Guide, the only study guide officially approved by (ISC)2, covers all objectives of the seven SSCP domains:

- Access Controls
- Security Operations and Administration
- Risk Identification, Monitoring, and Analysis
- Incident Response and Recovery
- Cryptography
- Network and Communications Security
- Systems and Application Security

If you're an information security professional or student of cybersecurity looking to tackle one or more of the seven domains of the SSCP, this guide gets you prepared to pass the exam and enter the information security workforce with confidence.


Additional information

Mike Wills, SSCP, CISSP, is Assistant Professor and Program Chair of Applied Information Technologies in the College of Business at Embry-Riddle Aeronautical University's Worldwide Campus. Mike has been a pioneer in ethical hacking since his days as a phone phreak. His many years of cutting-edge experience in secure systems design, development, and operation have enriched the dozens of courses he's built and taught. He created ERAU's Master of Science in Information Security and Assurance degree program and leads the university's teaching and courseware development for the Microsoft Software & Systems Academy at ERAU's 13 US teaching sites.

Table of Contents

Foreword xxi
Introduction xxiii
Self-Assessment xlv

Part I Getting Started as an SSCP 1

Chapter 1 The Business Case for Decision Assurance and Information Security 3
  Information: The Lifeblood of Business 4
  Data, Information, Knowledge, Wisdom... 5
  Information Is Not Information Technology 8
  Policy, Procedure, and Process: How Business Gets Business Done 10
  Who Is the Business? 11
  "What's Your Business Plan?" 12
  Purpose, Intent, Goals, Objectives 13
  Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success 14
  The Value Chain 15
  Being Accountable 17
  Who Runs the Business? 19
  Owners and Investors 19
  Boards of Directors 20
  Managing or Executive Directors and the "C-Suite" 20
  Layers of Function, Structure, Management, and Responsibility 21
  Plans and Budgets, Policies, and Directives 22
  Summary 23

Chapter 2 Information Security Fundamentals 25
  The Common Needs for Privacy, Confidentiality, Integrity, and Availability 26
  Privacy 26
  Confidentiality 29
  Integrity 30
  Availability 31
  Privacy vs. Security, or Privacy and Security? 32
  CIA Needs of Individuals 34
  Private Business's Need for CIA 35
  Government's Need for CIA 36
  The Modern Military's Need for CIA 36
  Do Societies Need CIA? 36
  Training and Educating Everybody 38
  SSCPs and Professional Ethics 38
  Summary 40
  Exam Essentials 40
  Review Questions 44

Part II Integrated Risk Management and Mitigation 51

Chapter 3 Integrated Information Risk Management 53
  It's a Dangerous World 54
  What Is Risk? 55
  Risk: When Surprise Becomes Disruption 59
  Information Security: Delivering Decision Assurance 60
  "Common Sense" and Risk Management 63
  The Four Faces of Risk 65
  Outcomes-Based Risk 67
  Process-Based Risk 67
  Asset-Based Risk 68
  Threat-Based (or Vulnerability-Based) Risk 69
  Getting Integrated and Proactive with Information Defense 72
  Trust, but Verify 76
  Due Care and Due Diligence: Whose Jobs Are These? 76
  Be Prepared: First, Set Priorities 77
  Risk Management: Concepts and Frameworks 78
  The SSCP and Risk Management 81
  Plan, Do, Check, Act 82
  Risk Assessment 84
  Establish Consensus about Information Risk 84
  Information Risk Impact Assessment 85
  The Business Impact Analysis 92
  From Assessments to Information Security Requirements 92
  Four Choices for Limiting or Containing Damage 94
  Deter 96
  Detect 96
  Prevent 97
  Avoid 97
  Summary 100
  Exam Essentials 101
  Review Questions 105

Chapter 4 Operationalizing Risk Mitigation 111
  From Tactical Planning to Information Security Operations 112
  Operationally Outthinking Your Adversaries 114
  Getting Inside the Other Side's OODA Loop 116
  Defeating the Kill Chain 117
  Operationalizing Risk Mitigation: Step by Step 118
  Step 1: Assess the Existing Architectures 119
  Step 2: Assess Vulnerabilities and Threats 126
  Step 3: Select Risk Treatment and Controls 135
  Step 4: Implement Controls 141
  Step 5: Authorize: Senior Leader Acceptance and Ownership 146
  The Ongoing Job of Keeping Your Baseline Secure 146
  Build and Maintain User Engagement with Risk Controls 147
  Participate in Security Assessments 148
  Manage the Architectures: Asset Management and Configuration Control 151
  Ongoing, Continuous Monitoring 152
  Exploiting What Monitoring and Event Data Is Telling You 155
  Incident Investigation, Analysis, and Reporting 159
  Reporting to and Engaging with Management 160
  Summary 161
  Exam Essentials 161
  Review Questions 166

Part III The Technologies of Information Security 173

Chapter 5 Communications and Network Security 175
  Trusting Our Communications in a Converged World 176
  Introducing CIANA 179
  Threat Modeling for Communications Systems 180
  Internet Systems Concepts 181
  Datagrams and Protocol Data Units 182
  Handshakes 184
  Packets and Encapsulation 185
  Addressing, Routing, and Switching 187
  Network Segmentation 1