Decorative items shown are not included.
Language:
English
€91.45*
Free shipping by post / DHL
Delivery time 1-2 weeks
Description
Foreword xxv
Introduction xxvii
Domain 1: Security and Risk Management 1
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2
Information Security 3
Evaluate and Apply Security Governance Principles 6
Alignment of Security Functions to Business Strategy, Goals, Mission, and Objectives 6
Vision, Mission, and Strategy 6
Governance 7
Due Care 10
Determine Compliance Requirements 11
Legal Compliance 12
Jurisdiction 12
Legal Tradition 12
Legal Compliance Expectations 13
Understand Legal and Regulatory Issues That Pertain to Information Security in a Global Context 13
Cyber Crimes and Data Breaches 14
Privacy 36
Understand, Adhere to, and Promote Professional Ethics 49
Ethical Decision-Making 49
Established Standards of Ethical Conduct 51
(ISC)² Ethical Practices 56
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 57
Organizational Documents 58
Policy Development 61
Policy Review Process 61
Identify, Analyze, and Prioritize Business Continuity Requirements 62
Develop and Document Scope and Plan 62
Risk Assessment 70
Business Impact Analysis 71
Develop the Business Continuity Plan 73
Contribute to and Enforce Personnel Security Policies and Procedures 80
Key Control Principles 80
Candidate Screening and Hiring 82
Onboarding and Termination Processes 91
Vendor, Consultant, and Contractor Agreements and Controls 96
Privacy in the Workplace 97
Understand and Apply Risk Management Concepts 99
Risk 99
Risk Management Frameworks 99
Risk Assessment Methodologies 108
Understand and Apply Threat Modeling Concepts and Methodologies 111
Threat Modeling Concepts 111
Threat Modeling Methodologies 112
Apply Risk-Based Management Concepts to the Supply Chain 116
Supply Chain Risks 116
Supply Chain Risk Management 119
Establish and Maintain a Security Awareness, Education, and Training Program 121
Security Awareness Overview 122
Developing an Awareness Program 123
Training 127
Summary 128
Domain 2: Asset Security 131
Asset Security Concepts 131
Data Policy 132
Data Governance 132
Data Quality 133
Data Documentation 134
Data Organization 136
Identify and Classify Information and Assets 139
Asset Classification 141
Determine and Maintain Information and Asset Ownership 145
Asset Management Lifecycle 146
Software Asset Management 148
Protect Privacy 152
Cross-Border Privacy and Data Flow Protection 153
Data Owners 161
Data Controllers 162
Data Processors 163
Data Stewards 164
Data Custodians 164
Data Remanence 164
Data Sovereignty 168
Data Localization or Residency 169
Government and Law Enforcement Access to Data 171
Collection Limitation 172
Understanding Data States 173
Data Issues with Emerging Technologies 173
Ensure Appropriate Asset Retention 175
Retention of Records 178
Determining Appropriate Records Retention 178
Retention of Records in Data Lifecycle 179
Records Retention Best Practices 180
Determine Data Security Controls 181
Technical, Administrative, and Physical Controls 183
Establishing the Baseline Security 185
Scoping and Tailoring 186
Standards Selection 189
Data Protection Methods 198
Establish Information and Asset Handling Requirements 208
Marking and Labeling 208
Handling 209
Declassifying Data 210
Storage 211
Summary 212
Domain 3: Security Architecture and Engineering 213
Implement and Manage Engineering Processes Using Secure Design Principles 215
Saltzer and Schroeder's Principles 216
ISO/IEC 19249 221
Defense in Depth 229
Using Security Principles 230
Understand the Fundamental Concepts of Security Models 230
Bell-LaPadula Model 232
The Biba Integrity Model 234
The Clark-Wilson Model 235
The Brewer-Nash Model 235
Select Controls Based upon Systems Security Requirements 237
Understand Security Capabilities of Information Systems 241
Memory Protection 241
Virtualization 244
Secure Cryptoprocessor 247
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 253
Client-Based Systems 254
Server-Based Systems 255
Database Systems 257
Cryptographic Systems 260
Industrial Control Systems 267
Cloud-Based Systems 271
Distributed Systems 274
Internet of Things 275
Assess and Mitigate Vulnerabilities in Web-Based Systems 278
Injection Vulnerabilities 279
Broken Authentication 280
Sensitive Data Exposure 283
XML External Entities 284
Broken Access Control 284
Security Misconfiguration 285
Cross-Site Scripting 285
Using Components with Known Vulnerabilities 286
Insufficient Logging and Monitoring 286
Cross-Site Request Forgery 287
Assess and Mitigate Vulnerabilities in Mobile Systems 287
Passwords 288
Multifactor Authentication 288
Session Lifetime 289
Wireless Vulnerabilities 290
Mobile Malware 290
Unpatched Operating System or Browser 290
Insecure Devices 291
Mobile Device Management 291
Assess and Mitigate Vulnerabilities in Embedded Devices 292
Apply Cryptography 295
Cryptographic Lifecycle 295
Cryptographic Methods 298
Public Key Infrastructure 311
Key Management Practices 315
Digital Signatures 318
Non-Repudiation 320
Integrity 321
Understand Methods of Cryptanalytic Attacks 325
Digital Rights Management 339
Apply Security Principles to Site and Facility Design 342
Implement Site and Facility Security Controls 343
Physical Access Controls 343
Wiring Closets/Intermediate Distribution Facilities 345
Server Rooms/Data Centers 346
Media Storage Facilities 348
Evidence Storage 349
Restricted and Work Area Security 349
Utilities and Heating, Ventilation, and Air Conditioning 351
Environmental Issues 355
Fire Prevention, Detection, and Suppression 358
Summary 362
Domain 4: Communication and Network Security 363
Implement Secure Design Principles in Network Architectures 364
Open Systems Interconnection and Transmission Control Protocol/Internet Protocol Models 365
Internet Protocol Networking 382
Implications of Multilayer Protocols 392
Converged Protocols 394
Software-Defined Networks 395
Wireless Networks 396
Internet, Intranets, and Extranets 409
Demilitarized Zones 410
Virtual LANs 410
Secure Network Components 411
Firewalls 412
Network Address Translation 418
Intrusion Detection System 421
Security Information and Event Management 422
Network Security from Hardware Devices 423
Transmission Media 429
Endpoint Security 442
Implementing Defense in Depth 447
Content Distribution Networks 448
Implement Secure Communication Channels According to Design 449
Secure Voice Communications 449
Multimedia Collaboration 452
Remote Access 458
Data Communications 466
Virtualized Networks 470
Summary 481
Domain 5: Identity and Access Management 483
Control Physical and Logical Access to Assets 484
Information 485
Systems 486
Devices 487
Facilities 488
Manage Identification and Authentication of People, Devices, and Services 492
Identity Management Implementation 494
Single Factor/Multifactor Authentication 496
Accountability 511
Session Management 511
Registration and Proofing of Identity 513
Federated Identity Management 520
Credential Management Systems 524
Integrate Identity as a Third-Party Service 525
On-Premise 526
Cloud 527
Federated 527
Implement and Manage Authorization Mechanisms 528
Role-Based Access Control 528
Rule-Based Access Control 529
Mandatory Access Control 530
Discretionary Access Control 531
Attribute-Based Access Control 531
Manage the Identity and Access Provisioning Lifecycle 533
User Access Review 534
System Account Access Review 535
Provisioning and Deprovisioning 535
Auditing and Enforcement 536
Summary 537
Domain 6: Security Assessment and Testing 539
Design and Validate Assessment, Test, and Audit Strategies 540
Assessment Standards 543
Conduct Security Control Testing 545
Vulnerability Assessment 546
Penetration Testing 554
Log Reviews 564
Synthetic Transactions 565
Code Review and Testing 567
Misuse Case Testing 571
Test Coverage Analysis 573
Interface Testing 574
Collect Security Process Data 575
Account Management 577
Management Review and Approval 579
Key Performance and Risk Indicators 580
Backup Verification Data 583
Training and Awareness 584
Disaster Recovery and Business Continuity 585
Analyze Test Output and Generate Report 587
Conduct or Facilitate Security Audits 590
Internal Audits 591
External Audits 591
Third-Party Audits 592
Integrating Internal and External Audits 593
Auditing Principles...
Details
Year of publication: | 2019 |
---|---|
Medium: | Book |
Pages: | 928 |
ISBN-13: | 9781119423348 |
ISBN-10: | 1119423341 |
Language: | English |
Binding: | Hardcover |
Authors: | John Warsinske, Mark Graff, Kevin Henry, Christopher Hoover, Ben Malisow, Sean Murphy, C. Paul Oakes, George Pajari, Jeff T. Parker, David Seidl, Mike Vasquez |
Edition: | 5th edition |
Publisher: | John Wiley & Sons |
Dimensions: | 188 x 185 x 51 mm |
By: | John Warsinske (et al.) |
Publication date: | 7 June 2019 |
Weight: | 1.652 kg |