CISSP 认证考试指南：安全与风险管理

需积分: 10 2 浏览量更新于2024-07-18 收藏 29.94MB PDF 举报

官方 (ISC)² 指南 CISSP CBK 第四版概述本书是 (ISC)² 官方指南，旨在帮助读者备战 CISSP 考试，涵盖了 CISSP CBK 八大领域的知识点。本书的主要内容包括安全风险管理、资产安全、安全工程、通信与网络安全、身份验证和访问控制、密码学、安全评估测试、软件开发安全等方面。安全风险管理是 CISSP 考试的重要组成部分，本书对安全风险管理的介绍包括机密性、完整性、可用性三个方面。机密性是指保护敏感信息不被未经授权的访问、泄露或破坏；完整性是指确保信息的准确性、完整性和真实性；可用性是指确保信息系统和资源的可用性和可靠性。在安全风险管理中，安全治理是非常重要的概念，包括安全目标、使命和组织目标、组织流程、安全角色和责任、信息安全策略等。同时，本书还介绍了控制框架、 Due Care、Due Diligence、合规性、隐私要求合规性、全球法规和法规合规性等知识点。此外，本书还涵盖了计算机犯罪、知识产权、隐私保护、数据泄露、相关法律和法规等方面的知识点。同时，本书还强调了职业道德的重要性，包括 (ISC)² 职业道德代码和组织的职业道德代码。在业务连续性 (BC) 和灾难恢复 (DR) 方面，本书介绍了业务连续性计划的制定和实施、灾难恢复策略、灾难恢复计划的制定和实施等知识点。本书涵盖了 CISSP 考试的八大领域，包括安全风险管理、资产安全、安全工程、通信与网络安全、身份验证和访问控制、密码学、安全评估测试、软件开发安全等方面，为备战 CISSP 考试的考生提供了详细的参考资料。

security systems, personnel and organizational sub-units, so that these

practices and processes align with the organization’s core goals and strategic

direction.

3. The Security Engineering domain contains the concepts, principles,

structures, and standards used to design, implement, monitor, and secure,

operating systems, equipment, networks, applications, and those controls

used to enforce various levels of confidentiality, integrity, and availability.

Information security architecture and design covers the practice of applying a

comprehensive and rigorous method for describing a current and/or future

structure and behavior for an organization’s security processes, information

security systems, personnel and organizational sub-units, so that these

practices and processes align with the organization’s core goals and strategic

direction.

4. The Communication and Network Security domain encompasses the

structures, transmission methods, transport formats, and security measures

used to provide confidentiality, integrity, and availability for transmissions

over private and public communications networks and media. Network

security is often described as the cornerstone of IT security. The network is a

central asset, if not the most central, in most IT environments. Loss of

network assurance (the combined properties of confidentiality, integrity,

availability, authentication, and non-repudiation) on any level can have

devastating consequences, while control of the network provides an easy and

consistent venue of attack. Conversely, a well-architected and well-protected

network will stop many attacks in their tracks.

5. Although Identity and Access Management is a single domain within the

CISSP Common Body of Knowledge (CBK), it is the most pervasive and

omnipresent aspect of information security. Access controls encompass all

operational levels of an organization:

Facilities – Access controls protect entry to, and movement around,

an organization’s physical locations to protect personnel, equipment,

information, and, other assets inside that facility.

Support Systems – Access to support systems (such as power,

heating, ventilation and air conditioning (HVAC) systems; water; and

fire suppression controls) must be controlled so that a malicious entity

is not able to compromise these systems and cause harm to the

organization’s personnel or the ability to support critical systems.

Information systems – Multiple layers of access controls are

present in most modern information systems and networks to protect

those systems, and the information they contain, from harm or

misuse.

Personnel – Management, end users, customers, business partners,

and nearly everyone else associated with an organization should be

subject to some form of access control to ensure that the right people

have the ability to interface with each other, and not interfere with the

people with whom they do not have any legitimate business.

The goals of information security are to ensure the continued Confidentiality-Integrity-

Availability of an organization’s assets. This includes both physical assets (such as

buildings, equipment, and, of course, people) and information assets (such as company

data and information systems.) Access controls play a key role in ensuring the

confidentiality of systems and information. Managing access to physical and information

assets is fundamental to preventing exposure of data by controlling who can see, use,

modify, or destroy those assets. In addition, managing an entity’s admittance and rights

to specific enterprise resources ensures that valuable data and services are not abused,

misappropriated, or stolen. It is also a key factor for many organizations that are required

to protect personal information in order to be compliant with appropriate legislation and

industry compliance requirements.

6. Security Assessment and Testing covers a broad range of ongoing and

point-of-time based testing methods used to determine vulnerabilities and

associated risk. Mature system development lifecycles include security testing

and assessment as part of the development, operations and disposition

phases of a system’s life. The fundamental purpose of test and evaluation

(T&E) is to provide knowledge to assist in managing the risks involved in

developing, producing, operating, and sustaining systems and capabilities.

T&E measures progress in both system and capability development. T&E

provides knowledge of system capabilities and limitations for use in

improving the system performance, and for optimizing system use in

operations. T&E expertise must be brought to bear at the beginning of the

system life cycle to provide earlier learning about the strengths and

weaknesses of the system under development. The goal is early identification

of technical, operational, and system deficiencies, so that appropriate and

timely corrective actions can be developed prior to fielding the system. The

creation of the test and evaluation strategy involves planning for technology

development, including risk; evaluating the system design against mission

requirements; and identifying where competitive prototyping and other

evaluation techniques fit in the process.

7. The Security Operations domain is used to identify critical information and

the execution of selected measures that eliminate or reduce adversary

exploitation of critical information. It includes the definition of the controls

over hardware, media, and the operators with access privileges to any of

these resources. Auditing and monitoring are the mechanisms, tools and

facilities that permit the identification of security events and subsequent

actions to identify the key elements and report the pertinent information to

the appropriate individual, group, or process. The Information Security

professional should always act to Maintain Operational Resilience, Protect

Valuable Assets, Control System Accounts and Manage Security Services

Effectively. In the day to day operations of the business, maintaining

expected levels of availability and integrity for data and services is where the

Information Security professional impacts Operational Resilience. The day to

day securing, monitoring, and maintenance of the resources of the business,

both human and material, illustrate how the Information Security professional

is able to Protect Valuable Assets. Providing a system of checks and balances

with regards to privileged account usage, as well as system access, allows

the Information Security professional to act to Control Systems Accounts in a

consistent way. The use of change and configuration management by the

Information Security professional, as well as reporting and service

improvement programs (SIP), ensures that the actions necessary to Manage

Security Services Effectively are being carried out.

8. The Software Development Security domain requires a security

professional to be prepared to do the following:

Understand and apply security in the software development lifecycle

Enforce security controls in the development environment

Assess the effectiveness of software security

Assess software acquisition security

Although information security has traditionally emphasized system-level access

controls, the security professional needs to ensure that the focus of the enterprise

security architecture includes applications, since many information security incidents now

involve software vulnerabilities in one form or another. Application vulnerabilities also

allow an entry point to attack systems, sometimes at a very deep level. When examined,

剩余1665页未读，继续阅读

weixin_34820824

粉丝: 0
资源: 2

CISSP 认证考试指南：安全与风险管理

Official (ISC)² Guide to the CISSP CBK, Third Edition epub

CISSP 2018最新全套培训讲义（完整版）

Official (ISC)2 Guide to the CISSP CBK

Official ISC 2 Guide to the CISSP CBK

Official(ISC)²Guide to the CISSP CBK,Fourth Edition

Official (ISC)2 Guide to the CISSP CBK 4 Edition.pdf

Official (ISC)2 Guide to the CISSP CBK 4 Edition CBK知识点第四版（最新英文版）

Official Guide to CISSP CBK Third Edition

Official ISC2 CISSP CBK Guide

The Official (ISC)2 Guide to the CCSP CBK, 第二版英文

最新资源