CISSP备考必备：CBK 4th Edition官方英文PDF

CISSP

需积分: 6 159 浏览量更新于2024-07-16 收藏 29.98MB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

"02-CBK 4th Edition.pdf 是一份CISSP（Certified Information Systems Security Professional）的参考资料，英文版的CBK（Certification Body of Knowledge），适用于备考CISSP的人士，建议与AIO7结合使用。" 这份文档涵盖了信息安全领域的多个关键知识点，包括安全与风险管理、保密性、完整性和可用性等核心概念。首先，"Security & Risk Management"是信息安全的基础，它强调了在设计和实施安全策略时必须考虑的三个方面：**保密性**、**完整性和可用性**。保密性确保信息只被授权的个人或实体访问，防止敏感信息泄露；完整性关注信息的准确性和完整性，防止数据被篡改；可用性则保证信息和服务在需要时能够可靠地访问。文档进一步探讨了**安全治理**，这涉及到组织的安全目标、使命和目标，以及支持这些目标的组织流程。**安全角色和责任**的明确分配是实现有效治理的关键，确保每个成员都了解他们在保护信息安全中的职责。 **信息安全管理策略**是组织安全框架的重要组成部分，它包括建立一个全面且有效的安全程序，这通常涉及监督委员会的代表，以确保策略的执行和监督。 **控制框架**如ISO 27001等，是指导组织如何实施和维护安全控制的标准。**尽职调查（Due Diligence）**和**谨慎义务（Due Care）**是法律和商业实践中确保组织遵守法规和最佳实践的概念。 **治理、风险管理和合规性（GRC）**整合了这三个方面，确保组织在决策时考虑到风险，并符合法律法规要求。**立法和监管合规性**涉及全球范围内的法律和规定，包括**隐私要求合规**，如欧盟的GDPR等。 **全球法律和监管问题**、**计算机/网络犯罪**、**许可和知识产权**、**进出口**、**跨国数据流动**以及**隐私**都是信息安全专业人员需要理解和应对的问题。**数据泄露**的防范和应对策略也是重要的议题。此外，文档还强调了**道德规范**，包括理解并遵循**专业伦理**，例如(ISC)²的职业行为准则，以及支持组织的道德规范。**计算机伦理**涉及的话题包括常见的伦理误区，**黑客行为**和**黑客主义**，以及制定和实施安全政策的过程，如**业务连续性（BC）和灾难恢复（DR）**规划。这份文档提供了全面的信息安全知识体系，对于准备CISSP考试的考生以及在该领域工作的专业人士来说，是一份宝贵的资源。

资源详情

资源推荐

successful. The most important tool that the intrepid traveler can have at their disposal is

a compass, that trusty device that always allows one to understand in what direction they

are heading, and get their bearings when necessary. The compass of the Information

Security professional is their knowledge, experience, and understanding of the world

around them. The thing that is amazing about a compass is that no matter where you

stand on Earth, you can hold one in your hand and it will point toward the North Pole.

While we do not need to know where the North Pole always is in Information Security, as

a CISSP, you are expected to be able to provide guidance and direction to the businesses

and users that you are responsible for. Being able to map the CISSP CBK to your

knowledge, experience, and understanding is the way that you will be able to provide

that guidance, and to translate the CBK into actionable and tangible elements for both

the business and its users that you represent.

1. The Security and Risk Management domain addresses the framework

and policies, concepts, principles, structures, and standards used to establish

criteria for the protection of information assets and to assess the

effectiveness of that protection. It includes issues of governance,

organizational behavior, and security awareness. Information security

management establishes the foundation of a comprehensive and proactive

security program to ensure the protection of an organization’s information

assets. Today’s environment of highly interconnected, interdependent

systems necessitates the requirement to understand the linkage between

information technology and meeting business objectives. Information security

management communicates the risks accepted by the organization due to

the currently implemented security controls, and continually works to cost

effectively enhance the controls to minimize the risk to the company’s

information assets. Security management encompasses the administrative,

technical, and physical controls necessary to adequately protect the

confidentiality, integrity, and availability of information assets. Controls are

manifested through a foundation of policies, procedures, standards,

baselines, and guidelines.

2. The Asset Security domain contains the concepts, principles, structures,

and standards used to monitor and secure assets and those controls used to

enforce various levels of confidentiality, integrity, and availability.

Information security architecture and design covers the practice of applying a

comprehensive and rigorous method for describing a current and/or future

structure and behavior for an organization’s security processes, information

security systems, personnel and organizational sub-units, so that these

practices and processes align with the organization’s core goals and strategic

direction.

3. The Security Engineering domain contains the concepts, principles,

structures, and standards used to design, implement, monitor, and secure,

operating systems, equipment, networks, applications, and those controls

used to enforce various levels of confidentiality, integrity, and availability.

Information security architecture and design covers the practice of applying a

comprehensive and rigorous method for describing a current and/or future

structure and behavior for an organization’s security processes, information

security systems, personnel and organizational sub-units, so that these

practices and processes align with the organization’s core goals and strategic

direction.

4. The Communication and Network Security domain encompasses the

structures, transmission methods, transport formats, and security measures

used to provide confidentiality, integrity, and availability for transmissions

over private and public communications networks and media. Network

security is often described as the cornerstone of IT security. The network is a

central asset, if not the most central, in most IT environments. Loss of

network assurance (the combined properties of confidentiality, integrity,

availability, authentication, and non-repudiation) on any level can have

devastating consequences, while control of the network provides an easy and

consistent venue of attack. Conversely, a well-architected and well-protected

network will stop many attacks in their tracks.

5. Although Identity and Access Management is a single domain within the

CISSP Common Body of Knowledge (CBK), it is the most pervasive and

omnipresent aspect of information security. Access controls encompass all

operational levels of an organization:

Facilities – Access controls protect entry to, and movement around,

an organization’s physical locations to protect personnel, equipment,

information, and, other assets inside that facility.

Support Systems – Access to support systems (such as power,

heating, ventilation and air conditioning (HVAC) systems; water; and

fire suppression controls) must be controlled so that a malicious entity

is not able to compromise these systems and cause harm to the

organization’s personnel or the ability to support critical systems.

Information systems – Multiple layers of access controls are

present in most modern information systems and networks to protect

those systems, and the information they contain, from harm or

misuse.

Personnel – Management, end users, customers, business partners,

and nearly everyone else associated with an organization should be

subject to some form of access control to ensure that the right people

have the ability to interface with each other, and not interfere with the

people with whom they do not have any legitimate business.

The goals of information security are to ensure the continued Confidentiality-Integrity-

Availability of an organization’s assets. This includes both physical assets (such as

buildings, equipment, and, of course, people) and information assets (such as company

data and information systems.) Access controls play a key role in ensuring the

confidentiality of systems and information. Managing access to physical and information

assets is fundamental to preventing exposure of data by controlling who can see, use,

modify, or destroy those assets. In addition, managing an entity’s admittance and rights

to specific enterprise resources ensures that valuable data and services are not abused,

misappropriated, or stolen. It is also a key factor for many organizations that are required

to protect personal information in order to be compliant with appropriate legislation and

industry compliance requirements.

6. Security Assessment and Testing covers a broad range of ongoing and

point-of-time based testing methods used to determine vulnerabilities and

associated risk. Mature system development lifecycles include security testing

and assessment as part of the development, operations and disposition

phases of a system’s life. The fundamental purpose of test and evaluation

(T&E) is to provide knowledge to assist in managing the risks involved in

developing, producing, operating, and sustaining systems and capabilities.

T&E measures progress in both system and capability development. T&E

provides knowledge of system capabilities and limitations for use in

improving the system performance, and for optimizing system use in

operations. T&E expertise must be brought to bear at the beginning of the

system life cycle to provide earlier learning about the strengths and

weaknesses of the system under development. The goal is early identification

of technical, operational, and system deficiencies, so that appropriate and

timely corrective actions can be developed prior to fielding the system. The

creation of the test and evaluation strategy involves planning for technology

development, including risk; evaluating the system design against mission

requirements; and identifying where competitive prototyping and other

evaluation techniques fit in the process.

7. The Security Operations domain is used to identify critical information and

the execution of selected measures that eliminate or reduce adversary

exploitation of critical information. It includes the definition of the controls

over hardware, media, and the operators with access privileges to any of

these resources. Auditing and monitoring are the mechanisms, tools and

facilities that permit the identification of security events and subsequent

actions to identify the key elements and report the pertinent information to

the appropriate individual, group, or process. The Information Security

professional should always act to Maintain Operational Resilience, Protect

Valuable Assets, Control System Accounts and Manage Security Services

Effectively. In the day to day operations of the business, maintaining

expected levels of availability and integrity for data and services is where the

Information Security professional impacts Operational Resilience. The day to

day securing, monitoring, and maintenance of the resources of the business,

both human and material, illustrate how the Information Security professional

is able to Protect Valuable Assets. Providing a system of checks and balances

with regards to privileged account usage, as well as system access, allows

the Information Security professional to act to Control Systems Accounts in a

consistent way. The use of change and configuration management by the

Information Security professional, as well as reporting and service

improvement programs (SIP), ensures that the actions necessary to Manage

Security Services Effectively are being carried out.

8. The Software Development Security domain requires a security

professional to be prepared to do the following:

Understand and apply security in the software development lifecycle

Enforce security controls in the development environment

Assess the effectiveness of software security

Assess software acquisition security

Although information security has traditionally emphasized system-level access

controls, the security professional needs to ensure that the focus of the enterprise

security architecture includes applications, since many information security incidents now

involve software vulnerabilities in one form or another. Application vulnerabilities also

allow an entry point to attack systems, sometimes at a very deep level. When examined,

剩余1666页未读，继续阅读

kwiy886

粉丝: 0
资源: 3

CISSP备考必备：CBK 4th Edition官方英文PDF

(ISC)2 CISSP CBK Reference 6th Edition.pdf

Official (ISC)2 Guide to the CISSP CBK 4 Edition.pdf

nvm_cbg.h与nvm_cbk.h的区别

ThreadPoolExecutor 线程池封装

Incorrect string value: '\xC2\xB3/h\xEF\xBC...' for column 'cbk_cs1' at row 1

定义一个泛型函数 MyArrayMap(ary: T[], cbk: (val: T) => U): U[]，它可以将数组映射到一个新数组中并返回。

1、请按照正常呼叫流程的TUP信令关系在下图中画出NO.7信令流程。条件：NO.7信令采用成组发送方式，被叫空闲，话毕被叫先挂机。（可能用到的No.7信令消息：IAI、IAM、SAO、SAM、CBK 、ACM、RLG、ANC、CLF、GRQ ）

cbk: (val: T) => U

ccsp cbk 下载

linuxsudo是什么命令

CBK_EVENT_AIRPLAY_MW_STOP是什么

启动MySQL时报错：ERROR 1045 (28000): Access denied for user 'cbk'@'localhost' (using password: NO)

python爬取百度热力图的代码

请给出Craig-Bampton方法在MATLAB中的实现程序代码

function变量缩写

oracle create function syntax

dbms_java 加载class文件

osg 9 cissp

PLJAVA inout postgresql

最新资源