CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide

by James Michael Stewart, 2015, 1722 pages
Rating: 4.28 (100+ ratings)

Key Takeaways

1. Security Governance is Foundational

Security exists to support the objectives, mission, and goals of the organization.

Business-aligned security. Security isn't just an IT issue; it's a business imperative. Effective security governance aligns security functions with the organization's strategic goals, mission, and objectives. This alignment ensures that security investments directly support the business's success.

Frameworks and compliance. Security governance involves adopting a security framework, such as NIST or COBIT, to provide a structured approach to security implementation. It also requires adhering to legal, regulatory, and contractual obligations, ensuring the organization operates within established boundaries.

Continuous evaluation. Security governance is not a one-time project but a continuous journey. Regular risk assessments, vulnerability assessments, and penetration testing are essential for identifying weaknesses and improving the security posture over time.

2. People are Both the Strongest and Weakest Links

The laws of your jurisdiction are the backstop of organizational security.

Human element. Humans are often the weakest link in security, but they can also be a key asset. Personnel security policies and procedures, including candidate screening, employment agreements, and security awareness training, are crucial for mitigating risks.

Accountability and ethics. Establishing accountability through identification, authentication, authorization, auditing, and accounting is essential for enforcing security policies. Adhering to a formal code of ethics ensures professionalism and responsible behavior in the field of information systems security.

Third-party risks. Managing vendor, consultant, and contractor agreements and controls is vital for mitigating supply chain risks. Third-party governance focuses on verifying compliance with security objectives, requirements, regulations, and contractual obligations.

3. Risk Management is a Cyclical Process

Security is a journey, not a finish line.

Identify, analyze, respond. Risk management is a cyclical process that involves identifying threats and vulnerabilities, assessing risks, and implementing appropriate responses. This process is not a one-time event but an ongoing effort to adapt to changing threats and vulnerabilities.

Quantitative vs. qualitative. Risk analysis can be quantitative, assigning dollar figures to potential losses, or qualitative, using subjective rankings to prioritize risks. A hybrid approach, combining both methods, provides a more balanced view of security concerns.

Risk response options. Organizations have several options for responding to risks, including mitigation, transference, deterrence, avoidance, and acceptance. The selection of a risk response should be based on a cost/benefit analysis and alignment with the organization's risk appetite.

4. Laws, Regulations, and Ethics are Non-Negotiable

Security should be legally defensible.

Compliance is key. Organizations must comply with all applicable laws, regulations, and industry standards. This includes understanding legal and regulatory issues related to cybercrimes, data breaches, intellectual property, import/export controls, transborder data flow, and privacy.

Investigations and ethics. Understanding requirements for investigation types (administrative, criminal, civil, regulatory, industry standards) is crucial for responding to security incidents. Adhering to a formal code of ethics ensures professionalism and responsible behavior in the field of information systems security.

Global considerations. Laws and regulations vary across jurisdictions, making it essential to consult with legal counsel and adapt security practices to comply with local requirements. This is especially important for multinational organizations.

5. Asset Security Requires a Lifecycle Approach

Integrity is dependent on confidentiality and access control.

Identify and classify. Identifying and classifying information and assets is the first step in protecting them. Data classification helps determine appropriate security controls and compliance requirements.

Data lifecycle management. Managing the data lifecycle, from collection to destruction, is crucial for ensuring data security. This includes establishing information and asset handling requirements, provisioning resources securely, and managing data roles.

Data states and protection methods. Data security controls should address data states (in use, in transit, at rest) and employ appropriate protection methods, such as Digital Rights Management (DRM), Data Loss Prevention (DLP), and Cloud Access Security Broker (CASB).

6. Cryptography Protects Data in All States

The goal of confidentiality protection is to prevent or minimize unauthorized access to data.

CIA Triad. Cryptography is essential for protecting the confidentiality, integrity, and availability of data. It provides a means for securing data at rest, in transit, and in use.

Symmetric vs. asymmetric. Symmetric key algorithms use a shared secret key for encryption and decryption, while asymmetric key algorithms use public and private key pairs. Both types of cryptography have their strengths and weaknesses.

Hashing and digital signatures. Hashing algorithms create unique message digests for verifying data integrity. Digital signatures, combining hashing and asymmetric cryptography, provide authentication and nonrepudiation.

7. Secure Network Architecture is Essential

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure.

OSI and TCP/IP models. Understanding the OSI and TCP/IP models is crucial for designing secure network architectures. These models provide a framework for understanding how network communications function and how to implement security controls at different layers.

Secure network components. Securing network components, such as hardware, transmission media, and endpoint security, is essential for protecting network communications. This includes implementing secure communication channels, such as voice, multimedia collaboration, and remote access.

Network attacks and mitigation. Preventing or mitigating network attacks requires a thorough understanding of common attack vectors, such as denial-of-service attacks, man-in-the-middle attacks, and spoofing attacks. Implementing appropriate security controls, such as firewalls, intrusion detection systems, and access control lists, is crucial for mitigating these risks.

8. Identity and Access Management are Critical

To have viable accountability, you must be able to support your security decisions and their implementation in a court of law.

Controlling access. Controlling physical and logical access to assets is essential for protecting confidentiality, integrity, and availability. This includes managing identification and authentication of people, devices, and services.

Authorization mechanisms. Implementing and managing authorization mechanisms, such as Role-Based Access Control (RBAC), rule-based access control, Mandatory Access Control (MAC), Discretionary Access Control (DAC), Attribute-Based Access Control (ABAC), and risk-based access control, is crucial for enforcing access control policies.

Identity and access provisioning lifecycle. Managing the identity and access provisioning lifecycle, including account access review, provisioning and deprovisioning, role definition, and privilege escalation, is essential for maintaining a secure environment.

9. Security Assessment and Testing Validate Defenses

The best security plan is useless without one key factor: approval by senior management.

Design and validate strategies. Designing and validating assessment, test, and audit strategies is crucial for ensuring the effectiveness of security controls. This includes internal, external, and third-party assessments.

Security control testing. Conducting security control testing, such as vulnerability assessments, penetration testing, log reviews, and code review and testing, is essential for identifying weaknesses and improving security.

Data analysis and reporting. Collecting security process data, analyzing test output, and generating reports are crucial for identifying areas that require remediation and for demonstrating compliance.

10. Managing Security Operations

Security is a continuous process.

Foundational concepts. Applying foundational security operations concepts, such as need-to-know/least privilege, separation of duties and responsibilities, privileged account management, and job rotation, is essential for maintaining a secure environment.

Resource protection. Applying resource protection, including media management and media protection techniques, is crucial for preventing data loss and unauthorized access.

Incident management. Conducting incident management, including detection, response, mitigation, reporting, recovery, remediation, and lessons learned, is essential for minimizing the impact of security incidents.

11. Preventing and Responding to Incidents

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure.

Detective and preventative measures. Operating and maintaining detective and preventative measures, such as firewalls, intrusion detection systems, intrusion prevention systems, whitelisting/blacklisting, and anti-malware, is crucial for protecting against security threats.

Patch and vulnerability management. Implementing and supporting patch and vulnerability management is essential for reducing vulnerabilities and preventing exploitation.

Change management. Understanding and participating in change management processes is crucial for ensuring that changes do not introduce new vulnerabilities or disrupt security controls.

12. Software Development Security is Proactive

Security is established by understanding the assets of an organization that need protection and understanding the threats that could cause harm to those assets.

SDLC integration. Understanding and integrating security in the Software Development Life Cycle (SDLC) is crucial for building secure applications. This includes using secure coding guidelines and standards.

Security controls in ecosystems. Identifying and applying security controls in software development ecosystems, including programming languages, libraries, and tool sets, is essential for preventing vulnerabilities.

Assessing software security. Assessing the effectiveness of software security, including auditing and logging of changes and risk analysis and mitigation, is crucial for ensuring that applications are secure.

Review Summary

4.28 out of 5
Average of 100+ ratings from Goodreads and Amazon.

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide receives mixed reviews. Many readers find it comprehensive and helpful for exam preparation, praising its content coverage and online resources. However, some criticize its dry writing style, lack of visual aids, and repetitive content. The book's organization and practice questions are generally appreciated. While some readers found it essential for passing the exam, others felt it was overly dense and could be condensed. Overall, it's considered a valuable resource for CISSP candidates, despite its limitations.

About the Author

James Michael Stewart is an accomplished author and expert in the field of information security. He has written numerous books and study guides, specializing in cybersecurity certifications. Stewart's work is known for its comprehensive coverage of complex topics, making him a respected figure in the industry. His writing style is thorough and detailed, aiming to provide readers with a deep understanding of information security concepts. While some readers find his approach dry, many appreciate the depth of knowledge he imparts. Stewart's contributions to the CISSP study guide demonstrate his expertise and commitment to educating professionals in the field of information security.