CISSP认证指南：安全与风险管理

需积分: 16 6 浏览量更新于2024-07-17 收藏 28.69MB PDF 举报

"Official (ISC)2 Guide to the CISSP CBK 4 Edition.pdf" 《官方(ISC)² CISSP CBK 4版指南》是一本详细阐述信息系统安全专业认证(CISSP)核心知识领域的权威书籍。CISSP认证是全球认可的信息安全专家证书，旨在验证专业人士在设计、实施和管理企业信息安全体系方面的技术和知识。本书涵盖的主要内容包括以下几个关键领域： 1. 安全与风险管理（Security & Risk Management） - 保密性（Confidentiality）、完整性和可用性（Integrity and Availability）是信息安全的三大基石，它们是保护数据免受未经授权访问、修改和中断的基础。 - 安全治理（Security Governance）确保组织的安全策略与业务目标一致，并制定明确的安全目标、使命和目标。 - 组织流程（Organizational Processes）、角色和责任（Roles and Responsibilities）确保所有相关人员都清楚自己的安全职责。 - 完整有效的安全计划（The Complete and Effective Security Program）包括监督委员会的代表和控制框架的建立。 2. 法规遵从与尽职调查（Due Care and Due Diligence） - 尽职调查要求组织采取必要的步骤来防止风险，而尽职调查则要求持续监控和改进。 - 法规遵从（Compliance）包括治理、风险管理和法规遵从（GRC），以及对立法和监管要求的遵守。 3. 法律与合规（Legislative and Regulatory Compliance） - 全球法律和监管问题涉及计算机/网络犯罪、许可和知识产权、进出口以及跨国数据流动。 - 隐私（Privacy）和数据泄露（Data Breaches）的合规要求对个人数据的处理和保护有严格的规定。 - 对相关法律和法规的理解是确保合规性的基础。 4. 职业道德（Professional Ethics） - 了解并遵循职业道德是信息安全专业人员的重要责任，包括支持组织的道德规范和制定安全政策。 - 计算机伦理（Topics in Computer Ethics）和常见的伦理误区（Common Computer Ethics Fallacies）帮助从业者做出道德决策。 - 黑客行为（Hacking and Hacktivism）可能涉及道德和法律问题，需要理解和应用道德准则。 - (ISC)² 的职业行为准则（(ISC)² Code of Professional Ethics）为从业者提供了行为指导。 5. 业务连续性（Business Continuity, BC）与灾难恢复（Disaster Recovery, DR） - 开发和实施安全政策是确保业务在面临威胁时能够持续运行的关键部分，包括业务连续性和灾难恢复计划。本书通过深入探讨这些主题，为准备CISSP认证的考生提供了全面的学习资料，同时也为实际工作中的信息安全专业人员提供了宝贵的参考。

successful. The most important tool that the intrepid traveler can have at their disposal is

a compass, that trusty device that always allows one to understand in what direction they

are heading, and get their bearings when necessary. The compass of the Information

Security professional is their knowledge, experience, and understanding of the world

around them. The thing that is amazing about a compass is that no matter where you

stand on Earth, you can hold one in your hand and it will point toward the North Pole.

While we do not need to know where the North Pole always is in Information Security, as

a CISSP, you are expected to be able to provide guidance and direction to the businesses

and users that you are responsible for. Being able to map the CISSP CBK to your

knowledge, experience, and understanding is the way that you will be able to provide

that guidance, and to translate the CBK into actionable and tangible elements for both

the business and its users that you represent.

1. The Security and Risk Management domain addresses the framework

and policies, concepts, principles, structures, and standards used to establish

criteria for the protection of information assets and to assess the

effectiveness of that protection. It includes issues of governance,

organizational behavior, and security awareness. Information security

management establishes the foundation of a comprehensive and proactive

security program to ensure the protection of an organization’s information

assets. Today’s environment of highly interconnected, interdependent

systems necessitates the requirement to understand the linkage between

information technology and meeting business objectives. Information security

management communicates the risks accepted by the organization due to

the currently implemented security controls, and continually works to cost

effectively enhance the controls to minimize the risk to the company’s

information assets. Security management encompasses the administrative,

technical, and physical controls necessary to adequately protect the

confidentiality, integrity, and availability of information assets. Controls are

manifested through a foundation of policies, procedures, standards,

baselines, and guidelines.

2. The Asset Security domain contains the concepts, principles, structures,

and standards used to monitor and secure assets and those controls used to

enforce various levels of confidentiality, integrity, and availability.

Information security architecture and design covers the practice of applying a

comprehensive and rigorous method for describing a current and/or future

structure and behavior for an organization’s security processes, information

security systems, personnel and organizational sub-units, so that these

practices and processes align with the organization’s core goals and strategic

direction.

3. The Security Engineering domain contains the concepts, principles,

structures, and standards used to design, implement, monitor, and secure,

operating systems, equipment, networks, applications, and those controls

used to enforce various levels of confidentiality, integrity, and availability.

Information security architecture and design covers the practice of applying a

comprehensive and rigorous method for describing a current and/or future

structure and behavior for an organization’s security processes, information

security systems, personnel and organizational sub-units, so that these

practices and processes align with the organization’s core goals and strategic

direction.

4. The Communication and Network Security domain encompasses the

structures, transmission methods, transport formats, and security measures

used to provide confidentiality, integrity, and availability for transmissions

over private and public communications networks and media. Network

security is often described as the cornerstone of IT security. The network is a

central asset, if not the most central, in most IT environments. Loss of

network assurance (the combined properties of confidentiality, integrity,

availability, authentication, and non-repudiation) on any level can have

devastating consequences, while control of the network provides an easy and

consistent venue of attack. Conversely, a well-architected and well-protected

network will stop many attacks in their tracks.

5. Although Identity and Access Management is a single domain within the

CISSP Common Body of Knowledge (CBK), it is the most pervasive and

omnipresent aspect of information security. Access controls encompass all

operational levels of an organization:

Facilities – Access controls protect entry to, and movement around,

an organization’s physical locations to protect personnel, equipment,

information, and, other assets inside that facility.

Support Systems – Access to support systems (such as power,

heating, ventilation and air conditioning (HVAC) systems; water; and

fire suppression controls) must be controlled so that a malicious entity

is not able to compromise these systems and cause harm to the

organization’s personnel or the ability to support critical systems.

Information systems – Multiple layers of access controls are

present in most modern information systems and networks to protect

those systems, and the information they contain, from harm or

misuse.

Personnel – Management, end users, customers, business partners,

and nearly everyone else associated with an organization should be

subject to some form of access control to ensure that the right people

have the ability to interface with each other, and not interfere with the

people with whom they do not have any legitimate business.

The goals of information security are to ensure the continued Confidentiality-Integrity-

Availability of an organization’s assets. This includes both physical assets (such as

buildings, equipment, and, of course, people) and information assets (such as company

data and information systems.) Access controls play a key role in ensuring the

confidentiality of systems and information. Managing access to physical and information

assets is fundamental to preventing exposure of data by controlling who can see, use,

modify, or destroy those assets. In addition, managing an entity’s admittance and rights

to specific enterprise resources ensures that valuable data and services are not abused,

misappropriated, or stolen. It is also a key factor for many organizations that are required

to protect personal information in order to be compliant with appropriate legislation and

industry compliance requirements.

6. Security Assessment and Testing covers a broad range of ongoing and

point-of-time based testing methods used to determine vulnerabilities and

associated risk. Mature system development lifecycles include security testing

and assessment as part of the development, operations and disposition

phases of a system’s life. The fundamental purpose of test and evaluation

(T&E) is to provide knowledge to assist in managing the risks involved in

developing, producing, operating, and sustaining systems and capabilities.

T&E measures progress in both system and capability development. T&E

provides knowledge of system capabilities and limitations for use in

improving the system performance, and for optimizing system use in

operations. T&E expertise must be brought to bear at the beginning of the

system life cycle to provide earlier learning about the strengths and

weaknesses of the system under development. The goal is early identification

of technical, operational, and system deficiencies, so that appropriate and

timely corrective actions can be developed prior to fielding the system. The

creation of the test and evaluation strategy involves planning for technology

development, including risk; evaluating the system design against mission

requirements; and identifying where competitive prototyping and other

evaluation techniques fit in the process.

7. The Security Operations domain is used to identify critical information and

the execution of selected measures that eliminate or reduce adversary

exploitation of critical information. It includes the definition of the controls

over hardware, media, and the operators with access privileges to any of

these resources. Auditing and monitoring are the mechanisms, tools and

facilities that permit the identification of security events and subsequent

actions to identify the key elements and report the pertinent information to

the appropriate individual, group, or process. The Information Security

professional should always act to Maintain Operational Resilience, Protect

Valuable Assets, Control System Accounts and Manage Security Services

Effectively. In the day to day operations of the business, maintaining

expected levels of availability and integrity for data and services is where the

Information Security professional impacts Operational Resilience. The day to

day securing, monitoring, and maintenance of the resources of the business,

both human and material, illustrate how the Information Security professional

is able to Protect Valuable Assets. Providing a system of checks and balances

with regards to privileged account usage, as well as system access, allows

the Information Security professional to act to Control Systems Accounts in a

consistent way. The use of change and configuration management by the

Information Security professional, as well as reporting and service

improvement programs (SIP), ensures that the actions necessary to Manage

Security Services Effectively are being carried out.

8. The Software Development Security domain requires a security

professional to be prepared to do the following:

Understand and apply security in the software development lifecycle

Enforce security controls in the development environment

Assess the effectiveness of software security

Assess software acquisition security

Although information security has traditionally emphasized system-level access

controls, the security professional needs to ensure that the focus of the enterprise

security architecture includes applications, since many information security incidents now

involve software vulnerabilities in one form or another. Application vulnerabilities also

allow an entry point to attack systems, sometimes at a very deep level. When examined,

剩余1666页未读，继续阅读

ziyang59

粉丝: 0
资源: 1

CISSP认证指南：安全与风险管理

CISSP (ISC)2 Official Study Guide.pdf

CISSP GBK 第四版

Official (ISC)2 Guide to the CISSP CBK 4 Edition CBK知识点第四版（最新英文版）

cissp官方学习文档pdf

Failed to start isc-dhcp-server.service: Unit not found.

osg 9 cissp

如何解决sudo systemctl restart isc-dhcp-server.service Job for isc-dhcp-server.service failed because the control process exited with error code. See "systemctl status isc-dhcp-server.service" and "journalctl -xeu isc-dhcp-server.service" for details.

如何解决Job for isc-dhcp-server.service failed because the control process exited with error code. See "systemctl status isc-dhcp-server.service" and "journalctl -xeu isc-dhcp-server.service" f

最新资源