Читаем CISSP Practice полностью

CISSP Practice

Vallabhaneni Rao

2. Standards/baselines

3. Procedures

4. Guidelines

5. Documentation

Manage the information life cycle such as classification, categorization, and ownership.

Manage third-party governance such as onsite assessment, document exchange and review, and process/poly review.

Understand and apply risk management concepts.

1. Identify threats and vulnerabilities

2. Risk assessments/analysis such as qualitative, quantitative, and hybrid

3. Risk assignment/acceptance

4. Countermeasure selection

5. Tangible and intangible asset valuation

Manage personnel security.

1. Employment candidate screening such as reference checks, education, and verification

2. Employment agreements and policies

3. Employee termination processes

4. Vendor, consultant, and contractor controls

Develop and manage security education, training, and awareness.

Manage the security function.

1. Budget

2. Metrics

3. Resources

4. Develop and implement information security strategies

5. Assess the completeness and effectiveness of the security program

DOMAIN 4: SOFTWARE DEVELOPMENT SECURITY

Overview

Software development security domain refers to the controls that are included within systems and applications software and the steps used in their development. Software refers to system software (operating systems) and application programs (agents, applets, software, databases, data warehouses, and knowledge-based systems). These applications may be used in distributed or centralized environments.

The candidate should fully understand the security and controls of the systems development process, system life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability.

Key Areas of Knowledge

Understand and apply security in the software development life cycle.

1. Development life cycle

2. Maturity models

3. Operation and maintenance

4. Change management

Understand the environment and security controls.

1. Security of the software environment

2. Security issues of programming languages

3. Security issues in source code such as buffer overflow, escalation of privilege, and backdoor

4. Configuration management

Assess the effectiveness of software security.

1. Certification and accreditation such as system authorization

2. Auditing and logging

3. Risk analysis and mitigation

DOMAIN 5: CRYPTOGRAPHY

Overview

The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity.

Procedures and protocols that meet some or all of the above criteria are known as cryptosystems. Cryptosystems are often thought to refer only to mathematical procedures and computer programs; however, they also include the regulation of human behavior, such as choosing hard-to-guess passwords, logging off unused systems, and not discussing sensitive procedures with outsiders.

The candidate is expected to know the basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction, use of digital signatures to provide authenticity of electronic transactions, and nonrepudiation of the parties involved; and the organization and management of the public key infrastructures (PKIs) and digital certificates distribution and management.

Key Areas of Knowledge

Understand the application and use of cryptography:

1. Data at rest (e.g., Hard drive)

2. Data in transit (e.g., On the wire)

Understand the cryptographic life cycle such as cryptographic limitations, algorithm/protocol governance.

Understand encryption concepts.

1. Foundational concepts

2. Symmetric cryptography

3. Asymmetric cryptography

4. Hybrid cryptography

5. Message digests

6. Hashing