CISSP Certified Information System Security Professional Exam Preparation Training

About Course

CISSP Program Overview

The CISSP® certification is one of the most renowned achievements within the realm of information security. Our training course is meticulously crafted to endow participants with the technical skills and managerial prowess necessary to effectively design, build, and oversee an organization’s security framework, aligning with globally recognized information security norms. (ISC)² is a globally recognized nonprofit organization dedicated to advancing the information security field. The CISSP® was the first credential in information security to meet the stringent requirements of ISO/IEC Standard 17024. It is looked upon as an objective measure of excellence and a highly reputed standard of achievement.

Course Content

Introduction
The idea of a summary is a short text to prepare students for the activities within the topic or week. The text is shown on the course page under the topic name.

Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security
Domain 1 Security and Risk Management
1.1 Understand, adhere to, and promote professional ethics (2-4 items)
» ISC2 Code of Professional Ethics
» Organizational code of ethics
1.2 Understand and apply security concepts
» Confidentiality, integrity, and availability, authenticity and nonrepudiation (5 Pillars of Information Security)
1.3: Evaluate, apply, and sustain security governance principles
» Alignment of the security function to business strategy, goals, mission, and objectives
» Organizational processes (e.g., acquisitions, divestitures, governance committees)
» Organizational roles and responsibilities
» Security control frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST)
Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA)
Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP))
1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
» Cybercrimes and data breaches
» Licensing and Intellectual Property requirements
» Import/export controls
» Transborder data flow
» Issues related to privacy (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act)
» Contractual, legal, industry standards, and regulatory requirements.
1.5: Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, and industry standards)
1.6: Develop, document, and implement security policy, standards, procedures, and guidelines
1.7: Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
» External dependencies
1.8: Contribute to and enforce personnel security policies and procedures
» Candidate screening and hiring
» Employment Agreements and policy-driven requirements
» Onboarding, transfers, and termination processes
» Vendor, consultant, and contractor agreements and controls
1.9: Understand and apply risk management concepts
» Threat and vulnerability identification
» Risk analysis, assessment, and scope
» Risk response and treatment (e.g., cybersecurity insurance)
» Applicable types of controls (e.g., preventive, detection, corrective)
» Control assessments (e.g., security and privacy)
» Continuous monitoring and measurement
» Reporting (e.g., internal, external)
» Continuous improvement (e.g., risk maturity modeling)
» Risk frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT)
1.10: Understand and apply threat modeling concepts and methodologies.
1.11: Apply supply chain risk management (SCRM) concepts
» Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)
» Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)
1.12: Establish and maintain a security awareness, education, and training program
» Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification)
» Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)
» Program effectiveness evaluation
Domain 2 Asset Security
2.1 Identify and classify information and assets
» Data classification
» Asset Classification
2.2 Establish information and asset handling requirements
2.3 Provision information and assets securely
» Information and asset ownership
» Asset inventory (e.g., tangible, intangible)
» Asset management
2.4 Manage data lifecycle
» Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
» Data collection
» Data location
» Data maintenance
» Data retention
» Data remanence
» Data destruction
2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
2.6 Determine data security controls and compliance requirements
» Data states (e.g., in use, in transit, at rest)
» Scoping and tailoring
» Standards selection
» Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP) Cloud Access Security Broker (CASB))
Domain 3 Security Architecture and Engineering
3.1 Research, implement, and manage engineering processes using secure design principles
» Threat modeling
» Least privilege
» Defense in depth
» Secure defaults
» Fail securely
» Separation of Duties (SoD)
» Keep it simple and small
» Zero Trust or trust but verify
» Privacy by design
» Shared responsibility
» Secure access service edge
3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
3.3 Select controls based on systems security requirements
3.4 Understand the security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
» Client-based systems
» Server-based systems
» Database systems
» Cryptographic systems
» Industrial Control Systems (ICS)
» Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
» Distributed systems
» Internet of Things (IoT)
» Microservices (e.g., application programming interface (API))
» Containerization
» Serverless
» Embedded systems
» High-Performance Computing (HPC) systems
» Edge computing systems
» Virtualized systems
3.6 Select and determine cryptographic solutions
» Cryptographic life cycle (e.g., keys, algorithm selection)
» Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
» Public Key Infrastructure (PKI) (e.g., quantum key distribution)
» Key management practices (e.g., rotation)
» Digital signatures and digital certificates (e.g., non-repudiation, integrity)
3.7 Understand methods of cryptanalytic attacks
» Brute force
» Ciphertext only
» Known plaintext
» Frequency analysis
» Chosen ciphertext
» Implementation attacks
» Side-channel
» Fault injection
» Timing
» Man-in-the-Middle (MITM)
» Pass the hash
» Kerberos exploitation
» Ransomware
3.8 Apply security principles to site and facility design
3.9 Design site and facility security controls
» Wiring closets/intermediate distribution facilities
» Server rooms/data centers
» Media storage facilities
» Evidence storage
» Restricted and work area security
» Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
» Environmental issues (e.g., natural disasters, man-made)
» Fire prevention, detection, and suppression
» Power (e.g., redundant, backup)
3.10: Manage the information system lifecycle
» Stakeholders’ needs and requirements
» Requirements analysis
» Architectural design
» Development /implementation
» Integration
» Verification and validation
» Transition/deployment
» Operations and maintenance/sustainment
» Retirement/disposal
Domain 4 Communication and Network Security

CISSP Certified Information System Security Professional Exam Preparation Training

About Course

What Will You Learn?

Course Content

Introduction The idea of a summary is a short text to prepare students for the activities within the topic or week. The text is shown on the course page under the topic name.

Domain 1: Security and Risk Management

Domain 2: Asset Security

Domain 3: Security Architecture and Engineering

Domain 4: Communication and Network Security

Domain 5: Identity and Access Management (IAM)

Domain 6: Security Assessment and Testing

Domain 7: Security Operations

Domain 8: Software Development Security

Domain 1 Security and Risk Management

1.1 Understand, adhere to, and promote professional ethics (2-4 items)

» ISC2 Code of Professional Ethics

» Organizational code of ethics

1.2 Understand and apply security concepts

» Confidentiality, integrity, and availability, authenticity and nonrepudiation (5 Pillars of Information Security)

1.3: Evaluate, apply, and sustain security governance principles

» Alignment of the security function to business strategy, goals, mission, and objectives

» Organizational processes (e.g., acquisitions, divestitures, governance committees)

» Organizational roles and responsibilities

» Security control frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST)

Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA)

Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP))

1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context

» Cybercrimes and data breaches

» Licensing and Intellectual Property requirements

» Import/export controls

» Transborder data flow

» Issues related to privacy (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act)

» Contractual, legal, industry standards, and regulatory requirements.

1.5: Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, and industry standards)

1.6: Develop, document, and implement security policy, standards, procedures, and guidelines

1.7: Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements

» External dependencies

1.8: Contribute to and enforce personnel security policies and procedures

» Candidate screening and hiring

» Employment Agreements and policy-driven requirements

» Onboarding, transfers, and termination processes

» Vendor, consultant, and contractor agreements and controls

1.9: Understand and apply risk management concepts

» Threat and vulnerability identification

» Risk analysis, assessment, and scope

» Risk response and treatment (e.g., cybersecurity insurance)

» Applicable types of controls (e.g., preventive, detection, corrective)

» Control assessments (e.g., security and privacy)

» Continuous monitoring and measurement

» Reporting (e.g., internal, external)

» Continuous improvement (e.g., risk maturity modeling)

» Risk frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT)

1.10: Understand and apply threat modeling concepts and methodologies.

1.11: Apply supply chain risk management (SCRM) concepts

» Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)

» Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)

1.12: Establish and maintain a security awareness, education, and training program

» Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification)

» Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)

» Program effectiveness evaluation

Domain 2 Asset Security

2.1 Identify and classify information and assets

» Data classification

» Asset Classification

2.2 Establish information and asset handling requirements

2.3 Provision information and assets securely

» Information and asset ownership

» Asset inventory (e.g., tangible, intangible)

» Asset management

2.4 Manage data lifecycle

» Data roles (i.e., owners, controllers, custodians, processors, users/subjects)

» Data collection

» Data location

» Data maintenance

» Data retention

» Data remanence

» Data destruction

2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))

2.6 Determine data security controls and compliance requirements

» Data states (e.g., in use, in transit, at rest)

Introduction
The idea of a summary is a short text to prepare students for the activities within the topic or week. The text is shown on the course page under the topic name.