Reading CISSP Practice in full

2. Standards/baselines

3. Procedures

4. Guidelines

5. Documentation

Manage the information life cycle such as classification, categorization, and ownership.

Manage third-party governance such as onsite assessment, document exchange and review, and process/policy review.

Understand and apply risk management concepts.

1. Identify threats and vulnerabilities

2. Risk assessments/analysis such as qualitative, quantitative, and hybrid

3. Risk assignment/acceptance

4. Countermeasure selection

5. Tangible and intangible asset valuation

Manage personnel security.

1. Employment candidate screening such as reference checks, education, and verification

2. Employment agreements and policies

3. Employee termination processes

4. Vendor, consultant, and contractor controls

Develop and manage security education, training, and awareness.

Manage the security function.

1. Budget

2. Metrics

3. Resources

4. Develop and implement information security strategies

5. Assess the completeness and effectiveness of the security program

DOMAIN 4: SOFTWARE DEVELOPMENT SECURITY

Overview

The software development security domain refers to the controls that are included within systems and applications software and the steps used in their development. Software refers to system software (operating systems) and application programs (agents, applets, software, databases, data warehouses, and knowledge-based systems). These applications may be used in distributed or centralized environments.

The candidate should fully understand the security and controls of the systems development process, system life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability.

Key Areas of Knowledge

Understand and apply security in the software development life cycle.

1. Development life cycle

2. Maturity models

3. Operation and maintenance

4. Change management

Understand the environment and security controls.

1. Security of the software environment

2. Security issues of programming languages

3. Security issues in source code such as buffer overflow, escalation of privilege, and backdoor

4. Configuration management

Assess the effectiveness of software security.

1. Certification and accreditation such as system authorization

2. Auditing and logging

3. Risk analysis and mitigation

DOMAIN 5: CRYPTOGRAPHY

Overview

The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity.

Procedures and protocols that meet some or all of the above criteria are known as cryptosystems. Cryptosystems are often thought to refer only to mathematical procedures and computer programs; however, they also include the regulation of human behavior, such as choosing hard-to-guess passwords, logging off unused systems, and not discussing sensitive procedures with outsiders.

The candidate is expected to know the basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction, and use of digital signatures to provide authenticity of electronic transactions and nonrepudiation of the parties involved; and the organization and management of public key infrastructures (PKIs) and the distribution and management of digital certificates.

Key Areas of Knowledge

Understand the application and use of cryptography:

1. Data at rest (e.g., hard drive)

2. Data in transit (e.g., on the wire)

Understand the cryptographic life cycle, such as cryptographic limitations and algorithm/protocol governance.

Understand encryption concepts.

1. Foundational concepts

2. Symmetric cryptography

3. Asymmetric cryptography

4. Hybrid cryptography

5. Message digests

6. Hashing

Understand key management processes.

1. Creation/distribution

2. Storage/destruction

3. Recovery

4. Key escrow

Understand digital signatures.

Understand nonrepudiation.

Understand methods of cryptanalytic attacks.

1. Chosen plaintext

2. Social engineering for key discovery

3. Brute force such as rainbow tables, specialized/scalable architecture

4. Ciphertext only

5. Known plaintext

6. Frequency analysis

7. Chosen ciphertext

8. Implementation attacks

Use cryptography to maintain network security.

Use cryptography to maintain application security.

Understand public key infrastructure (PKI).

Understand certificate-related issues.

Understand information-hiding alternatives such as steganography and watermarking.

DOMAIN 6: SECURITY ARCHITECTURE AND DESIGN

Overview
