CISSP: Certified Information System Security Professional

Chapter 1: The Information Security Environment

• Justify an organizational code of ethics.
• Relate confidentiality, integrity, availability, non-repudiation, authenticity, privacy, and safety to due care and due diligence.
• Relate information security governance to organizational business strategies, goals, missions, and objectives.
• Apply the concepts of cybercrime to data breaches and other information security compromises.
• Relate legal, contractual, and regulatory requirements for privacy and data protection to information security objectives.
• Relate transborder data movement and import-export issues to data protection, privacy, and intellectual property protection.

Chapter 2: Information Asset Security

• Relate IT asset management and data security lifecycle models to information security.
• Explain the use of information classification and categorization as two separate but related processes.
• Describe the different data states and their information security considerations.
• Describe the different roles involved in the use of information and the security considerations for these roles.
• Describe the different types and categories of information security controls and their use.
• Select data security standards to meet organizational compliance requirements.

Chapter 3: Identity and Access Management (IAM)

• Explain the identity lifecycle as it applies to human and nonhuman users.
• Compare and contrast access control models, mechanisms, and concepts.
• Explain the role of authentication, authorization, and accounting in achieving information security goals and objectives.
• Explain how IAM implementations must protect physical and logical assets.
• Describe the role of credentials and the identity store in IAM systems.

Chapter 4: Security Architecture and Engineering

• Describe the major components of security engineering standards.
• Explain major architectural models for information security.
• Explain the security capabilities implemented in hardware and firmware.
• Apply security principles to different information systems architectures and their environments.
• Determine the best application of cryptographic approaches to solving organizational information security needs.
• Manage the use of certificates and digital signatures to meet organizational information security needs.
• Discover the implications of the failure to use cryptographic techniques to protect the supply chain.
• Apply different cryptographic management solutions to meet organizational information security needs.
• Verify cryptographic solutions are working and meeting the evolving threat of the real world.
• Describe defenses against common cryptographic attacks.
• Develop a management checklist to determine the organization’s cryptologic state of health and readiness.

Chapter 5: Communication and Network Security

• Describe the architectural characteristics, relevant technologies, protocols, and security considerations of each OSI model layer.
• Explain the application of secure design practices in developing network infrastructure.
• Describe the evolution of methods to secure IP communications protocols.
• Explain the security implications of bound (cable and fiber) and unbound (wireless) network environments.
• Describe the evolution of, and security implications for, key network devices.
• Evaluate and contrast the security issues with voice communications in traditional and VoIP infrastructures.
• Describe and contrast the security considerations for key remote access technologies.
• Explain the security implications of software-defined networking (SDN) and network virtualization technologies.

Chapter 6: Software Development Security

• Recognize software elements that can put information systems security at risk.
• Identify and illustrate major causes of security weaknesses in source code.
• Illustrate major causes of security weaknesses in database and data warehouse systems.
• Explain the applicability of the OWASP framework to various web architectures.
• Select malware mitigation strategies appropriate to organizational information security needs.
• Contrast the ways different software development methodologies, frameworks, and guidelines contribute to systems security.
• Explain the implementation of security controls for software development ecosystems.
• Choose an appropriate mix of security testing, assessment, controls, and management methods for different systems and application environments.

Chapter 7: Security Assessment and Testing

• Describe the purpose, process, and objectives of formal and informal security assessment and testing.
• Apply professional and organizational ethics to security assessment and testing.
• Explain internal, external, and third-party assessment and testing.
• Explain management and governance issues related to planning and conducting security assessments.
• Explain the role of assessment in data-driven security decision-making.

Chapter 8: Security Operations

• Show how to efficiently and effectively gather and assess security data.
• Explain the security benefits of effective change management and change control.
• Develop incident response policies and plans.
• Link incident response to security controls and their operational use.
• Relate security controls to improving and achieving required availability of information assets and systems.
• Understand the security and safety ramifications of facilities, systems, and infrastructure characteristics.

Chapter 9: Putting It All Together

• Explain how governance frameworks and processes relate to the operational use of information security controls.
• Relate the process of conducting forensic investigations to information security operations.
• Relate business continuity and disaster recovery preparedness to information security operations.
• Explain how education, training, awareness, and engagement strengthen and enforce information security processes.
• Show how to operationalize information systems and IT supply chain risk management.