CISSP CBK官方指南：安全与风险管理

CISSP

需积分: 11 82 浏览量更新于2024-07-18 收藏 30.71MB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

"Official (ISC)2 Guide to the CISSP CBK" 《(ISC)²官方CISSP CBK指南》第四版是一部重要的信息安全专业文献，涵盖了信息安全与风险管理工作的重要概念和实践。这本书以英文编写，具有检索功能和章节索引，方便读者深入理解和应用。在"Domain 1—Security & Risk Management"中，该书首先讨论了信息安全的三大核心原则：保密性（Confidentiality）、完整性和可用性（Integrity and Availability）。保密性确保信息只被授权的个人或实体访问，完整性则确保信息未经授权修改，而可用性则保证信息在需要时可以被合法用户及时访问。安全治理（Security Governance）是组织信息安全策略的基础，包括设定组织的目标、使命和目标，以及制定和执行组织流程。书中强调了安全角色和责任的定义，确保每个人都清楚自己的职责，以支持有效的信息安全策略。信息安全管理策略涉及制定全面且有效的安全程序，包括监督委员会的代表，以确保决策层对安全问题的重视。控制框架在此过程中起到关键作用，它们提供了一套指导原则和标准，帮助组织实现适当的风险管理。在法律和合规性方面，书中探讨了尽职调查（Due Care）和尽职行为（Due Diligence），以及治理、风险管理和合规（GRC）的整合。它还涵盖了法律法规遵从性，特别是针对隐私要求的合规，以及全球范围内的法律和监管挑战，如计算机犯罪、知识产权法、进出口规定，以及跨国数据流动的法规。隐私保护是信息安全的重要组成部分，书中有专门章节讨论数据泄露及其法律影响。读者将了解到相关法律法规，以及如何理解并遵循专业伦理，包括制定和实施组织的道德准则。书中还深入讨论了计算机伦理，例如常见的计算机伦理误区，黑客行为和黑客主义。同时，介绍了(ISC)²的专业道德守则，鼓励读者支持和遵循组织的道德规范，并建立和执行安全政策，以确保业务连续性（Business Continuity, BC）和灾难恢复（Disaster Recovery, DR）计划。《(ISC)²官方CISSP CBK指南》第四版是一本全面的教材，旨在帮助信息安全专业人士理解和应对不断演变的安全挑战，提升组织的信息安全管理水平。

资源详情

资源推荐

successful. The most important tool that the intrepid traveler can have at their disposal is

a compass, that trusty device that always allows one to understand in what direction they

are heading, and get their bearings when necessary. The compass of the Information

Security professional is their knowledge, experience, and understanding of the world

around them. The thing that is amazing about a compass is that no matter where you

stand on Earth, you can hold one in your hand and it will point toward the North Pole.

While we do not need to know where the North Pole always is in Information Security, as

a CISSP, you are expected to be able to provide guidance and direction to the businesses

and users that you are responsible for. Being able to map the CISSP CBK to your

knowledge, experience, and understanding is the way that you will be able to provide

that guidance, and to translate the CBK into actionable and tangible elements for both

the business and its users that you represent.

1. The Security and Risk Management domain addresses the framework

and policies, concepts, principles, structures, and standards used to establish

criteria for the protection of information assets and to assess the

effectiveness of that protection. It includes issues of governance,

organizational behavior, and security awareness. Information security

management establishes the foundation of a comprehensive and proactive

security program to ensure the protection of an organization’s information

assets. Today’s environment of highly interconnected, interdependent

systems necessitates the requirement to understand the linkage between

information technology and meeting business objectives. Information security

management communicates the risks accepted by the organization due to

the currently implemented security controls, and continually works to cost

effectively enhance the controls to minimize the risk to the company’s

information assets. Security management encompasses the administrative,

technical, and physical controls necessary to adequately protect the

confidentiality, integrity, and availability of information assets. Controls are

manifested through a foundation of policies, procedures, standards,

baselines, and guidelines.

2. The Asset Security domain contains the concepts, principles, structures,

and standards used to monitor and secure assets and those controls used to

enforce various levels of confidentiality, integrity, and availability.

Information security architecture and design covers the practice of applying a

comprehensive and rigorous method for describing a current and/or future

structure and behavior for an organization’s security processes, information

security systems, personnel and organizational sub-units, so that these

practices and processes align with the organization’s core goals and strategic

direction.

3. The Security Engineering domain contains the concepts, principles,

structures, and standards used to design, implement, monitor, and secure,

operating systems, equipment, networks, applications, and those controls

used to enforce various levels of confidentiality, integrity, and availability.

Information security architecture and design covers the practice of applying a

comprehensive and rigorous method for describing a current and/or future

structure and behavior for an organization’s security processes, information

security systems, personnel and organizational sub-units, so that these

practices and processes align with the organization’s core goals and strategic

direction.

4. The Communication and Network Security domain encompasses the

structures, transmission methods, transport formats, and security measures

used to provide confidentiality, integrity, and availability for transmissions

over private and public communications networks and media. Network

security is often described as the cornerstone of IT security. The network is a

central asset, if not the most central, in most IT environments. Loss of

network assurance (the combined properties of confidentiality, integrity,

availability, authentication, and non-repudiation) on any level can have

devastating consequences, while control of the network provides an easy and

consistent venue of attack. Conversely, a well-architected and well-protected

network will stop many attacks in their tracks.

5. Although Identity and Access Management is a single domain within the

CISSP Common Body of Knowledge (CBK), it is the most pervasive and

omnipresent aspect of information security. Access controls encompass all

operational levels of an organization:

Facilities – Access controls protect entry to, and movement around,

an organization’s physical locations to protect personnel, equipment,

information, and, other assets inside that facility.

Support Systems – Access to support systems (such as power,

heating, ventilation and air conditioning (HVAC) systems; water; and

fire suppression controls) must be controlled so that a malicious entity

is not able to compromise these systems and cause harm to the

organization’s personnel or the ability to support critical systems.

Information systems – Multiple layers of access controls are

present in most modern information systems and networks to protect

those systems, and the information they contain, from harm or

misuse.

Personnel – Management, end users, customers, business partners,

and nearly everyone else associated with an organization should be

subject to some form of access control to ensure that the right people

have the ability to interface with each other, and not interfere with the

people with whom they do not have any legitimate business.

The goals of information security are to ensure the continued Confidentiality-Integrity-

Availability of an organization’s assets. This includes both physical assets (such as

buildings, equipment, and, of course, people) and information assets (such as company

data and information systems.) Access controls play a key role in ensuring the

confidentiality of systems and information. Managing access to physical and information

assets is fundamental to preventing exposure of data by controlling who can see, use,

modify, or destroy those assets. In addition, managing an entity’s admittance and rights

to specific enterprise resources ensures that valuable data and services are not abused,

misappropriated, or stolen. It is also a key factor for many organizations that are required

to protect personal information in order to be compliant with appropriate legislation and

industry compliance requirements.

6. Security Assessment and Testing covers a broad range of ongoing and

point-of-time based testing methods used to determine vulnerabilities and

associated risk. Mature system development lifecycles include security testing

and assessment as part of the development, operations and disposition

phases of a system’s life. The fundamental purpose of test and evaluation

(T&E) is to provide knowledge to assist in managing the risks involved in

developing, producing, operating, and sustaining systems and capabilities.

T&E measures progress in both system and capability development. T&E

provides knowledge of system capabilities and limitations for use in

improving the system performance, and for optimizing system use in

operations. T&E expertise must be brought to bear at the beginning of the

system life cycle to provide earlier learning about the strengths and

weaknesses of the system under development. The goal is early identification

of technical, operational, and system deficiencies, so that appropriate and

timely corrective actions can be developed prior to fielding the system. The

creation of the test and evaluation strategy involves planning for technology

development, including risk; evaluating the system design against mission

requirements; and identifying where competitive prototyping and other

evaluation techniques fit in the process.

7. The Security Operations domain is used to identify critical information and

the execution of selected measures that eliminate or reduce adversary

exploitation of critical information. It includes the definition of the controls

over hardware, media, and the operators with access privileges to any of

these resources. Auditing and monitoring are the mechanisms, tools and

facilities that permit the identification of security events and subsequent

actions to identify the key elements and report the pertinent information to

the appropriate individual, group, or process. The Information Security

professional should always act to Maintain Operational Resilience, Protect

Valuable Assets, Control System Accounts and Manage Security Services

Effectively. In the day to day operations of the business, maintaining

expected levels of availability and integrity for data and services is where the

Information Security professional impacts Operational Resilience. The day to

day securing, monitoring, and maintenance of the resources of the business,

both human and material, illustrate how the Information Security professional

is able to Protect Valuable Assets. Providing a system of checks and balances

with regards to privileged account usage, as well as system access, allows

the Information Security professional to act to Control Systems Accounts in a

consistent way. The use of change and configuration management by the

Information Security professional, as well as reporting and service

improvement programs (SIP), ensures that the actions necessary to Manage

Security Services Effectively are being carried out.

8. The Software Development Security domain requires a security

professional to be prepared to do the following:

Understand and apply security in the software development lifecycle

Enforce security controls in the development environment

Assess the effectiveness of software security

Assess software acquisition security

Although information security has traditionally emphasized system-level access

controls, the security professional needs to ensure that the focus of the enterprise

security architecture includes applications, since many information security incidents now

involve software vulnerabilities in one form or another. Application vulnerabilities also

allow an entry point to attack systems, sometimes at a very deep level. When examined,

剩余1666页未读，继续阅读

minibird

粉丝: 2
资源: 13

CISSP CBK官方指南：安全与风险管理

Official ISC 2 Guide to the CISSP CBK

Official (ISC)² Guide to the CISSP CBK, Third Edition epub

Official (ISC)2 Guide to the CISSP CBK 4 Edition CBK知识点第四版（最新英文版）

Official (ISC)2 Guide to the CISSP CBK 4 Edition.pdf

Official(ISC)²Guide to the CISSP CBK,Fourth Edition

Official ISC2 CISSP CBK Guide

Official Guide to CISSP CBK Third Edition

crc-press-official-isc2-guide-to-the-csslp-cbk-2nd-2014

CISSP study guide

CISSP OIG v2

CCSP CBK 2nd Edition

CISSP OIG v2 第四章

CISSP OIG v2 第八章

CISSP备考白皮书

cissp精华笔记

2015年最新CISSP考生经验总结

osg 9 cissp

最新资源