{"product_id":"the-official-isc2-cissp-cbk-reference-9781119789994","title":"The Official ISC2 CISSP CBK Reference","description":"\u003cb\u003eBook Synopsis\u003c\/b\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cb\u003eTable of Contents\u003c\/b\u003e\u003cbr\u003e\u003cp\u003eForeword xix\u003c\/p\u003e \u003cp\u003eIntroduction xxi\u003c\/p\u003e \u003cp\u003e\u003cb\u003eDomain 1: Security and Risk Management 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eUnderstand, Adhere to, and Promote Professional Ethics 2\u003c\/p\u003e \u003cp\u003e(ISC)\u003csup\u003e2\u003c\/sup\u003e Code of Professional Ethics 2\u003c\/p\u003e \u003cp\u003eOrganizational Code of Ethics 3\u003c\/p\u003e \u003cp\u003eUnderstand and Apply Security Concepts 4\u003c\/p\u003e \u003cp\u003eConfidentiality 4\u003c\/p\u003e \u003cp\u003eIntegrity 5\u003c\/p\u003e \u003cp\u003eAvailability 6\u003c\/p\u003e \u003cp\u003eLimitations of the CIA Triad 7\u003c\/p\u003e \u003cp\u003eEvaluate and Apply Security Governance Principles 8\u003c\/p\u003e \u003cp\u003eAlignment of the Security Function to Business Strategy, Goals, Mission, and Objectives 9\u003c\/p\u003e \u003cp\u003eOrganizational Processes 10\u003c\/p\u003e \u003cp\u003eOrganizational Roles and Responsibilities 14\u003c\/p\u003e \u003cp\u003eSecurity Control Frameworks 15\u003c\/p\u003e \u003cp\u003eDue Care and Due Diligence 22\u003c\/p\u003e \u003cp\u003eDetermine Compliance and Other Requirements 23\u003c\/p\u003e \u003cp\u003eLegislative and Regulatory Requirements 23\u003c\/p\u003e \u003cp\u003eIndustry Standards and Other Compliance Requirements 25\u003c\/p\u003e \u003cp\u003ePrivacy Requirements 27\u003c\/p\u003e \u003cp\u003eUnderstand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context 28\u003c\/p\u003e \u003cp\u003eCybercrimes and Data Breaches 28\u003c\/p\u003e \u003cp\u003eLicensing and Intellectual Property Requirements 36\u003c\/p\u003e \u003cp\u003eImport\/Export Controls 
39\u003c\/p\u003e \u003cp\u003eTransborder Data Flow 40\u003c\/p\u003e \u003cp\u003ePrivacy 41\u003c\/p\u003e \u003cp\u003eUnderstand Requirements for Investigation Types 48\u003c\/p\u003e \u003cp\u003eAdministrative 49\u003c\/p\u003e \u003cp\u003eCriminal 50\u003c\/p\u003e \u003cp\u003eCivil 52\u003c\/p\u003e \u003cp\u003eRegulatory 53\u003c\/p\u003e \u003cp\u003eIndustry Standards 54\u003c\/p\u003e \u003cp\u003eDevelop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 55\u003c\/p\u003e \u003cp\u003ePolicies 55\u003c\/p\u003e \u003cp\u003eStandards 56\u003c\/p\u003e \u003cp\u003eProcedures 57\u003c\/p\u003e \u003cp\u003eGuidelines 57\u003c\/p\u003e \u003cp\u003eIdentify, Analyze, and Prioritize Business Continuity Requirements 58\u003c\/p\u003e \u003cp\u003eBusiness Impact Analysis 59\u003c\/p\u003e \u003cp\u003eDevelop and Document the Scope and the Plan 61\u003c\/p\u003e \u003cp\u003eContribute to and Enforce Personnel Security Policies and Procedures 63\u003c\/p\u003e \u003cp\u003eCandidate Screening and Hiring 63\u003c\/p\u003e \u003cp\u003eEmployment Agreements and Policies 64\u003c\/p\u003e \u003cp\u003eOnboarding, Transfers, and Termination Processes 65\u003c\/p\u003e \u003cp\u003eVendor, Consultant, and Contractor Agreements and Controls 67\u003c\/p\u003e \u003cp\u003eCompliance Policy Requirements 67\u003c\/p\u003e \u003cp\u003ePrivacy Policy Requirements 68\u003c\/p\u003e \u003cp\u003eUnderstand and Apply Risk Management Concepts 68\u003c\/p\u003e \u003cp\u003eIdentify Threats and Vulnerabilities 68\u003c\/p\u003e \u003cp\u003eRisk Assessment 70\u003c\/p\u003e \u003cp\u003eRisk Response\/Treatment 72\u003c\/p\u003e \u003cp\u003eCountermeasure Selection and Implementation 73\u003c\/p\u003e \u003cp\u003eApplicable Types of Controls 75\u003c\/p\u003e \u003cp\u003eControl Assessments 76\u003c\/p\u003e \u003cp\u003eMonitoring and Measurement 77\u003c\/p\u003e \u003cp\u003eReporting 77\u003c\/p\u003e \u003cp\u003eContinuous 
Improvement 78\u003c\/p\u003e \u003cp\u003eRisk Frameworks 78\u003c\/p\u003e \u003cp\u003eUnderstand and Apply Threat Modeling Concepts and Methodologies 83\u003c\/p\u003e \u003cp\u003eThreat Modeling Concepts 84\u003c\/p\u003e \u003cp\u003eThreat Modeling Methodologies 85\u003c\/p\u003e \u003cp\u003eApply Supply Chain Risk Management Concepts 88\u003c\/p\u003e \u003cp\u003eRisks Associated with Hardware, Software, and Services 88\u003c\/p\u003e \u003cp\u003eThird-Party Assessment and Monitoring 89\u003c\/p\u003e \u003cp\u003eMinimum Security Requirements 90\u003c\/p\u003e \u003cp\u003eService-Level Requirements 90\u003c\/p\u003e \u003cp\u003eFrameworks 91\u003c\/p\u003e \u003cp\u003eEstablish and Maintain a Security Awareness, Education, and Training Program 92\u003c\/p\u003e \u003cp\u003eMethods and Techniques to Present Awareness and Training 93\u003c\/p\u003e \u003cp\u003ePeriodic Content Reviews 94\u003c\/p\u003e \u003cp\u003eProgram Effectiveness Evaluation 94\u003c\/p\u003e \u003cp\u003eSummary 95\u003c\/p\u003e \u003cp\u003e\u003cb\u003eDomain 2: Asset Security 97\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIdentify and Classify Information and Assets 97\u003c\/p\u003e \u003cp\u003eData Classification and Data Categorization 99\u003c\/p\u003e \u003cp\u003eAsset Classification 101\u003c\/p\u003e \u003cp\u003eEstablish Information and Asset Handling Requirements 104\u003c\/p\u003e \u003cp\u003eMarking and Labeling 104\u003c\/p\u003e \u003cp\u003eHandling 105\u003c\/p\u003e \u003cp\u003eStorage 105\u003c\/p\u003e \u003cp\u003eDeclassification 106\u003c\/p\u003e \u003cp\u003eProvision Resources Securely 108\u003c\/p\u003e \u003cp\u003eInformation and Asset Ownership 108\u003c\/p\u003e \u003cp\u003eAsset Inventory 109\u003c\/p\u003e \u003cp\u003eAsset Management 112\u003c\/p\u003e \u003cp\u003eManage Data Lifecycle 115\u003c\/p\u003e \u003cp\u003eData Roles 116\u003c\/p\u003e \u003cp\u003eData Collection 120\u003c\/p\u003e 
\u003cp\u003eData Location 120\u003c\/p\u003e \u003cp\u003eData Maintenance 121\u003c\/p\u003e \u003cp\u003eData Retention 122\u003c\/p\u003e \u003cp\u003eData Destruction 123\u003c\/p\u003e \u003cp\u003eData Remanence 123\u003c\/p\u003e \u003cp\u003eEnsure Appropriate Asset Retention 127\u003c\/p\u003e \u003cp\u003eDetermining Appropriate Records Retention 129\u003c\/p\u003e \u003cp\u003eRecords Retention Best Practices 130\u003c\/p\u003e \u003cp\u003eDetermine Data Security Controls and Compliance Requirements 131\u003c\/p\u003e \u003cp\u003eData States 133\u003c\/p\u003e \u003cp\u003eScoping and Tailoring 135\u003c\/p\u003e \u003cp\u003eStandards Selection 137\u003c\/p\u003e \u003cp\u003eData Protection Methods 141\u003c\/p\u003e \u003cp\u003eSummary 144\u003c\/p\u003e \u003cp\u003e\u003cb\u003eDomain 3: Security Architecture and Engineering 147\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eResearch, Implement, and Manage Engineering Processes Using Secure Design Principles 149\u003c\/p\u003e \u003cp\u003eISO\/IEC 19249 150\u003c\/p\u003e \u003cp\u003eThreat Modeling 157\u003c\/p\u003e \u003cp\u003eSecure Defaults 160\u003c\/p\u003e \u003cp\u003eFail Securely 161\u003c\/p\u003e \u003cp\u003eSeparation of Duties 161\u003c\/p\u003e \u003cp\u003eKeep It Simple 162\u003c\/p\u003e \u003cp\u003eTrust, but Verify 162\u003c\/p\u003e \u003cp\u003eZero Trust 163\u003c\/p\u003e \u003cp\u003ePrivacy by Design 165\u003c\/p\u003e \u003cp\u003eShared Responsibility 166\u003c\/p\u003e \u003cp\u003eDefense in Depth 167\u003c\/p\u003e \u003cp\u003eUnderstand the Fundamental Concepts of Security Models 168\u003c\/p\u003e \u003cp\u003ePrimer on Common Model Components 168\u003c\/p\u003e \u003cp\u003eInformation Flow Model 169\u003c\/p\u003e \u003cp\u003eNoninterference Model 169\u003c\/p\u003e \u003cp\u003eBell–LaPadula Model 170\u003c\/p\u003e \u003cp\u003eBiba Integrity Model 172\u003c\/p\u003e \u003cp\u003eClark–Wilson Model 173\u003c\/p\u003e \u003cp\u003eBrewer–Nash Model 
173\u003c\/p\u003e \u003cp\u003eTake-Grant Model 175\u003c\/p\u003e \u003cp\u003eSelect Controls Based Upon Systems Security Requirements 175\u003c\/p\u003e \u003cp\u003eUnderstand Security Capabilities of Information Systems 179\u003c\/p\u003e \u003cp\u003eMemory Protection 180\u003c\/p\u003e \u003cp\u003eSecure Cryptoprocessor 182\u003c\/p\u003e \u003cp\u003eAssess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 187\u003c\/p\u003e \u003cp\u003eClient-Based Systems 187\u003c\/p\u003e \u003cp\u003eServer-Based Systems 189\u003c\/p\u003e \u003cp\u003eDatabase Systems 191\u003c\/p\u003e \u003cp\u003eCryptographic Systems 194\u003c\/p\u003e \u003cp\u003eIndustrial Control Systems 200\u003c\/p\u003e \u003cp\u003eCloud-Based Systems 203\u003c\/p\u003e \u003cp\u003eDistributed Systems 207\u003c\/p\u003e \u003cp\u003eInternet of Things 208\u003c\/p\u003e \u003cp\u003eMicroservices 212\u003c\/p\u003e \u003cp\u003eContainerization 214\u003c\/p\u003e \u003cp\u003eServerless 215\u003c\/p\u003e \u003cp\u003eEmbedded Systems 216\u003c\/p\u003e \u003cp\u003eHigh-Performance Computing Systems 219\u003c\/p\u003e \u003cp\u003eEdge Computing Systems 220\u003c\/p\u003e \u003cp\u003eVirtualized Systems 221\u003c\/p\u003e \u003cp\u003eSelect and Determine Cryptographic Solutions 224\u003c\/p\u003e \u003cp\u003eCryptography Basics 225\u003c\/p\u003e \u003cp\u003eCryptographic Lifecycle 226\u003c\/p\u003e \u003cp\u003eCryptographic Methods 229\u003c\/p\u003e \u003cp\u003ePublic Key Infrastructure 243\u003c\/p\u003e \u003cp\u003eKey Management Practices 246\u003c\/p\u003e \u003cp\u003eDigital Signatures and Digital Certificates 250\u003c\/p\u003e \u003cp\u003eNonrepudiation 252\u003c\/p\u003e \u003cp\u003eIntegrity 253\u003c\/p\u003e \u003cp\u003eUnderstand Methods of Cryptanalytic Attacks 257\u003c\/p\u003e \u003cp\u003eBrute Force 258\u003c\/p\u003e \u003cp\u003eCiphertext Only 260\u003c\/p\u003e \u003cp\u003eKnown Plaintext 260\u003c\/p\u003e 
\u003cp\u003eChosen Plaintext Attack 260\u003c\/p\u003e \u003cp\u003eFrequency Analysis 261\u003c\/p\u003e \u003cp\u003eChosen Ciphertext 261\u003c\/p\u003e \u003cp\u003eImplementation Attacks 261\u003c\/p\u003e \u003cp\u003eSide-Channel Attacks 261\u003c\/p\u003e \u003cp\u003eFault Injection 263\u003c\/p\u003e \u003cp\u003eTiming Attacks 263\u003c\/p\u003e \u003cp\u003eMan-in-the-Middle 263\u003c\/p\u003e \u003cp\u003ePass the Hash 263\u003c\/p\u003e \u003cp\u003eKerberos Exploitation 264\u003c\/p\u003e \u003cp\u003eRansomware 264\u003c\/p\u003e \u003cp\u003eApply Security Principles to Site and Facility Design 265\u003c\/p\u003e \u003cp\u003eDesign Site and Facility Security Controls 265\u003c\/p\u003e \u003cp\u003eWiring Closets\/Intermediate Distribution Facilities 266\u003c\/p\u003e \u003cp\u003eServer Rooms\/Data Centers 267\u003c\/p\u003e \u003cp\u003eMedia Storage Facilities 268\u003c\/p\u003e \u003cp\u003eEvidence Storage 269\u003c\/p\u003e \u003cp\u003eRestricted and Work Area Security 270\u003c\/p\u003e \u003cp\u003eUtilities and Heating, Ventilation, and Air Conditioning 272\u003c\/p\u003e \u003cp\u003eEnvironmental Issues 275\u003c\/p\u003e \u003cp\u003eFire Prevention, Detection, and Suppression 277\u003c\/p\u003e \u003cp\u003eSummary 281\u003c\/p\u003e \u003cp\u003e\u003cb\u003eDomain 4: Communication and Network Security 283\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAssess and Implement Secure Design Principles in Network Architectures 283\u003c\/p\u003e \u003cp\u003eOpen System Interconnection and Transmission Control Protocol\/Internet Protocol Models 285\u003c\/p\u003e \u003cp\u003eThe OSI Reference Model 286\u003c\/p\u003e \u003cp\u003eThe TCP\/IP Reference Model 299\u003c\/p\u003e \u003cp\u003eInternet Protocol Networking 302\u003c\/p\u003e \u003cp\u003eSecure Protocols 311\u003c\/p\u003e \u003cp\u003eImplications of Multilayer Protocols 313\u003c\/p\u003e \u003cp\u003eConverged Protocols 315\u003c\/p\u003e \u003cp\u003eMicrosegmentation 
316\u003c\/p\u003e \u003cp\u003eWireless Networks 319\u003c\/p\u003e \u003cp\u003eCellular Networks 333\u003c\/p\u003e \u003cp\u003eContent Distribution Networks 334\u003c\/p\u003e \u003cp\u003eSecure Network Components 335\u003c\/p\u003e \u003cp\u003eOperation of Hardware 335\u003c\/p\u003e \u003cp\u003eRepeaters, Concentrators, and Amplifiers 341\u003c\/p\u003e \u003cp\u003eHubs 341\u003c\/p\u003e \u003cp\u003eBridges 342\u003c\/p\u003e \u003cp\u003eSwitches 342\u003c\/p\u003e \u003cp\u003eRouters 343\u003c\/p\u003e \u003cp\u003eGateways 343\u003c\/p\u003e \u003cp\u003eProxies 343\u003c\/p\u003e \u003cp\u003eTransmission Media 345\u003c\/p\u003e \u003cp\u003eNetwork Access Control 352\u003c\/p\u003e \u003cp\u003eEndpoint Security 354\u003c\/p\u003e \u003cp\u003eMobile Devices 355\u003c\/p\u003e \u003cp\u003eImplement Secure Communication Channels According to Design 357\u003c\/p\u003e \u003cp\u003eVoice 357\u003c\/p\u003e \u003cp\u003eMultimedia Collaboration 359\u003c\/p\u003e \u003cp\u003eRemote Access 365\u003c\/p\u003e \u003cp\u003eData Communications 371\u003c\/p\u003e \u003cp\u003eVirtualized Networks 373\u003c\/p\u003e \u003cp\u003eThird-Party Connectivity 374\u003c\/p\u003e \u003cp\u003eSummary 374\u003c\/p\u003e \u003cp\u003e\u003cb\u003eDomain 5: Identity and Access Management 377\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eControl Physical and Logical Access to Assets 378\u003c\/p\u003e \u003cp\u003eAccess Control Definitions 378\u003c\/p\u003e \u003cp\u003eInformation 379\u003c\/p\u003e \u003cp\u003eSystems 380\u003c\/p\u003e \u003cp\u003eDevices 381\u003c\/p\u003e \u003cp\u003eFacilities 383\u003c\/p\u003e \u003cp\u003eApplications 386\u003c\/p\u003e \u003cp\u003eManage Identification and Authentication of People, Devices, and Services 387\u003c\/p\u003e \u003cp\u003eIdentity Management Implementation 388\u003c\/p\u003e \u003cp\u003eSingle\/Multifactor Authentication 389\u003c\/p\u003e \u003cp\u003eAccountability 
396\u003c\/p\u003e \u003cp\u003eSession Management 396\u003c\/p\u003e \u003cp\u003eRegistration, Proofing, and Establishment of Identity 397\u003c\/p\u003e \u003cp\u003eFederated Identity Management 399\u003c\/p\u003e \u003cp\u003eCredential Management Systems 399\u003c\/p\u003e \u003cp\u003eSingle Sign-On 400\u003c\/p\u003e \u003cp\u003eJust-In-Time 401\u003c\/p\u003e \u003cp\u003eFederated Identity with a Third-Party Service 401\u003c\/p\u003e \u003cp\u003eOn Premises 402\u003c\/p\u003e \u003cp\u003eCloud 403\u003c\/p\u003e \u003cp\u003eHybrid 403\u003c\/p\u003e \u003cp\u003eImplement and Manage Authorization Mechanisms 404\u003c\/p\u003e \u003cp\u003eRole-Based Access Control 405\u003c\/p\u003e \u003cp\u003eRule-Based Access Control 405\u003c\/p\u003e \u003cp\u003eMandatory Access Control 406\u003c\/p\u003e \u003cp\u003eDiscretionary Access Control 406\u003c\/p\u003e \u003cp\u003eAttribute-Based Access Control 407\u003c\/p\u003e \u003cp\u003eRisk-Based Access Control 408\u003c\/p\u003e \u003cp\u003eManage the Identity and Access Provisioning Lifecycle 408\u003c\/p\u003e \u003cp\u003eAccount Access Review 409\u003c\/p\u003e \u003cp\u003eAccount Usage Review 411\u003c\/p\u003e \u003cp\u003eProvisioning and Deprovisioning 411\u003c\/p\u003e \u003cp\u003eRole Definition 412\u003c\/p\u003e \u003cp\u003ePrivilege Escalation 413\u003c\/p\u003e \u003cp\u003eImplement Authentication Systems 414\u003c\/p\u003e \u003cp\u003eOpenID Connect\/Open Authorization 414\u003c\/p\u003e \u003cp\u003eSecurity Assertion Markup Language 415\u003c\/p\u003e \u003cp\u003eKerberos 416\u003c\/p\u003e \u003cp\u003eRemote Authentication Dial-In User Service\/Terminal Access Controller Access Control System Plus 417\u003c\/p\u003e \u003cp\u003eSummary 418\u003c\/p\u003e \u003cp\u003e\u003cb\u003eDomain 6: Security Assessment and Testing 419\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eDesign and Validate Assessment, Test, and Audit Strategies 420\u003c\/p\u003e \u003cp\u003eInternal 
421\u003c\/p\u003e \u003cp\u003eExternal 422\u003c\/p\u003e \u003cp\u003eThird-Party 423\u003c\/p\u003e \u003cp\u003eConduct Security Control Testing 423\u003c\/p\u003e \u003cp\u003eVulnerability Assessment 423\u003c\/p\u003e \u003cp\u003ePenetration Testing 428\u003c\/p\u003e \u003cp\u003eLog Reviews 435\u003c\/p\u003e \u003cp\u003eSynthetic Transactions 435\u003c\/p\u003e \u003cp\u003eCode Review and Testing 436\u003c\/p\u003e \u003cp\u003eMisuse Case Testing 437\u003c\/p\u003e \u003cp\u003eTest Coverage Analysis 438\u003c\/p\u003e \u003cp\u003eInterface Testing 439\u003c\/p\u003e \u003cp\u003eBreach Attack Simulations 440\u003c\/p\u003e \u003cp\u003eCompliance Checks 441\u003c\/p\u003e \u003cp\u003eCollect Security Process Data 442\u003c\/p\u003e \u003cp\u003eTechnical Controls and Processes 443\u003c\/p\u003e \u003cp\u003eAdministrative Controls 443\u003c\/p\u003e \u003cp\u003eAccount Management 444\u003c\/p\u003e \u003cp\u003eManagement Review and Approval 445\u003c\/p\u003e \u003cp\u003eManagement Reviews for Compliance 446\u003c\/p\u003e \u003cp\u003eKey Performance and Risk Indicators 447\u003c\/p\u003e \u003cp\u003eBackup Verification Data 450\u003c\/p\u003e \u003cp\u003eTraining and Awareness 450\u003c\/p\u003e \u003cp\u003eDisaster Recovery and Business Continuity 451\u003c\/p\u003e \u003cp\u003eAnalyze Test Output and Generate Report 452\u003c\/p\u003e \u003cp\u003eTypical Audit Report Contents 453\u003c\/p\u003e \u003cp\u003eRemediation 454\u003c\/p\u003e \u003cp\u003eException Handling 455\u003c\/p\u003e \u003cp\u003eEthical Disclosure 456\u003c\/p\u003e \u003cp\u003eConduct or Facilitate Security Audits 458\u003c\/p\u003e \u003cp\u003eDesigning an Audit Program 458\u003c\/p\u003e \u003cp\u003eInternal Audits 459\u003c\/p\u003e \u003cp\u003eExternal Audits 460\u003c\/p\u003e \u003cp\u003eThird-Party Audits 460\u003c\/p\u003e \u003cp\u003eSummary 461\u003c\/p\u003e \u003cp\u003e\u003cb\u003eDomain 7: Security Operations 
463\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eUnderstand and Comply with Investigations 464\u003c\/p\u003e \u003cp\u003eEvidence Collection and Handling 465\u003c\/p\u003e \u003cp\u003eReporting and Documentation 467\u003c\/p\u003e \u003cp\u003eInvestigative Techniques 469\u003c\/p\u003e \u003cp\u003eDigital Forensics Tools, Tactics, and Procedures 470\u003c\/p\u003e \u003cp\u003eArtifacts 475\u003c\/p\u003e \u003cp\u003eConduct Logging and Monitoring Activities 478\u003c\/p\u003e \u003cp\u003eIntrusion Detection and Prevention 478\u003c\/p\u003e \u003cp\u003eSecurity Information and Event Management 480\u003c\/p\u003e \u003cp\u003eContinuous Monitoring 481\u003c\/p\u003e \u003cp\u003eEgress Monitoring 483\u003c\/p\u003e \u003cp\u003eLog Management 484\u003c\/p\u003e \u003cp\u003eThreat Intelligence 486\u003c\/p\u003e \u003cp\u003eUser and Entity Behavior Analytics 488\u003c\/p\u003e \u003cp\u003ePerform Configuration Management 489\u003c\/p\u003e \u003cp\u003eProvisioning 490\u003c\/p\u003e \u003cp\u003eAsset Inventory 492\u003c\/p\u003e \u003cp\u003eBaselining 492\u003c\/p\u003e \u003cp\u003eAutomation 493\u003c\/p\u003e \u003cp\u003eApply Foundational Security Operations Concepts 494\u003c\/p\u003e \u003cp\u003eNeed-to-Know\/Least Privilege 494\u003c\/p\u003e \u003cp\u003eSeparation of Duties and Responsibilities 495\u003c\/p\u003e \u003cp\u003ePrivileged Account Management 496\u003c\/p\u003e \u003cp\u003eJob Rotation 498\u003c\/p\u003e \u003cp\u003eService-Level Agreements 498\u003c\/p\u003e \u003cp\u003eApply Resource Protection 499\u003c\/p\u003e \u003cp\u003eMedia Management 500\u003c\/p\u003e \u003cp\u003eMedia Protection Techniques 501\u003c\/p\u003e \u003cp\u003eConduct Incident Management 502\u003c\/p\u003e \u003cp\u003eIncident Management Plan 503\u003c\/p\u003e \u003cp\u003eDetection 505\u003c\/p\u003e \u003cp\u003eResponse 506\u003c\/p\u003e \u003cp\u003eMitigation 507\u003c\/p\u003e \u003cp\u003eReporting 
508\u003c\/p\u003e \u003cp\u003eRecovery 510\u003c\/p\u003e \u003cp\u003eRemediation 510\u003c\/p\u003e \u003cp\u003eLessons Learned 511\u003c\/p\u003e \u003cp\u003eOperate and Maintain Detective and Preventative Measures 511\u003c\/p\u003e \u003cp\u003eFirewalls 512\u003c\/p\u003e \u003cp\u003eIntrusion Detection Systems and Intrusion Prevention Systems 514\u003c\/p\u003e \u003cp\u003eWhitelisting\/Blacklisting 515\u003c\/p\u003e \u003cp\u003eThird-Party-Provided Security Services 515\u003c\/p\u003e \u003cp\u003eSandboxing 517\u003c\/p\u003e \u003cp\u003eHoneypots\/Honeynets 517\u003c\/p\u003e \u003cp\u003eAnti-malware 518\u003c\/p\u003e \u003cp\u003eMachine Learning and Artificial Intelligence Based Tools 518\u003c\/p\u003e \u003cp\u003eImplement and Support Patch and Vulnerability Management 519\u003c\/p\u003e \u003cp\u003ePatch Management 519\u003c\/p\u003e \u003cp\u003eVulnerability Management 521\u003c\/p\u003e \u003cp\u003eUnderstand and Participate in Change Management Processes 522\u003c\/p\u003e \u003cp\u003eImplement Recovery Strategies 523\u003c\/p\u003e \u003cp\u003eBackup Storage Strategies 524\u003c\/p\u003e \u003cp\u003eRecovery Site Strategies 527\u003c\/p\u003e \u003cp\u003eMultiple Processing Sites 527\u003c\/p\u003e \u003cp\u003eSystem Resilience, High Availability, Quality of Service, and Fault Tolerance 528\u003c\/p\u003e \u003cp\u003eImplement Disaster Recovery Processes 529\u003c\/p\u003e \u003cp\u003eResponse 529\u003c\/p\u003e \u003cp\u003ePersonnel 530\u003c\/p\u003e \u003cp\u003eCommunications 531\u003c\/p\u003e \u003cp\u003eAssessment 532\u003c\/p\u003e \u003cp\u003eRestoration 533\u003c\/p\u003e \u003cp\u003eTraining and Awareness 534\u003c\/p\u003e \u003cp\u003eLessons Learned 534\u003c\/p\u003e \u003cp\u003eTest Disaster Recovery Plans 535\u003c\/p\u003e \u003cp\u003eRead-through\/Tabletop 536\u003c\/p\u003e \u003cp\u003eWalkthrough 536\u003c\/p\u003e \u003cp\u003eSimulation 537\u003c\/p\u003e \u003cp\u003eParallel 537\u003c\/p\u003e 
\u003cp\u003eFull Interruption 537\u003c\/p\u003e \u003cp\u003eParticipate in Business Continuity Planning and Exercises 538\u003c\/p\u003e \u003cp\u003eImplement and Manage Physical Security 539\u003c\/p\u003e \u003cp\u003ePerimeter Security Controls 541\u003c\/p\u003e \u003cp\u003eInternal Security Controls 543\u003c\/p\u003e \u003cp\u003eAddress Personnel Safety and Security Concerns 545\u003c\/p\u003e \u003cp\u003eTravel 545\u003c\/p\u003e \u003cp\u003eSecurity Training and Awareness 546\u003c\/p\u003e \u003cp\u003eEmergency Management 546\u003c\/p\u003e \u003cp\u003eDuress 547\u003c\/p\u003e \u003cp\u003eSummary 548\u003c\/p\u003e \u003cp\u003e\u003cb\u003eDomain 8: Software Development Security 549\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eUnderstand and Integrate Security in the Software Development Life Cycle (SDLC) 550\u003c\/p\u003e \u003cp\u003eDevelopment Methodologies 551\u003c\/p\u003e \u003cp\u003eMaturity Models 561\u003c\/p\u003e \u003cp\u003eOperation and Maintenance 567\u003c\/p\u003e \u003cp\u003eChange Management 568\u003c\/p\u003e \u003cp\u003eIntegrated Product Team 571\u003c\/p\u003e \u003cp\u003eIdentify and Apply Security Controls in Software Development Ecosystems 572\u003c\/p\u003e \u003cp\u003eProgramming Languages 572\u003c\/p\u003e \u003cp\u003eLibraries 577\u003c\/p\u003e \u003cp\u003eToolsets 578\u003c\/p\u003e \u003cp\u003eIntegrated Development Environment 579\u003c\/p\u003e \u003cp\u003eRuntime 580\u003c\/p\u003e \u003cp\u003eContinuous Integration and Continuous Delivery 581\u003c\/p\u003e \u003cp\u003eSecurity Orchestration, Automation, and Response 583\u003c\/p\u003e \u003cp\u003eSoftware Configuration Management 585\u003c\/p\u003e \u003cp\u003eCode Repositories 586\u003c\/p\u003e \u003cp\u003eApplication Security Testing 588\u003c\/p\u003e \u003cp\u003eAssess the Effectiveness of Software Security 590\u003c\/p\u003e \u003cp\u003eAuditing and Logging of Changes 590\u003c\/p\u003e \u003cp\u003eRisk Analysis and Mitigation 
595\u003c\/p\u003e \u003cp\u003eAssess Security Impact of Acquired Software 599\u003c\/p\u003e \u003cp\u003eCommercial Off-the-Shelf 599\u003c\/p\u003e \u003cp\u003eOpen Source 601\u003c\/p\u003e \u003cp\u003eThird-Party 602\u003c\/p\u003e \u003cp\u003eManaged Services (SaaS, IaaS, PaaS) 602\u003c\/p\u003e \u003cp\u003eDefine and Apply Secure Coding Guidelines and Standards 604\u003c\/p\u003e \u003cp\u003eSecurity Weaknesses and Vulnerabilities at the Source-Code Level 605\u003c\/p\u003e \u003cp\u003eSecurity of Application Programming Interfaces 613\u003c\/p\u003e \u003cp\u003eAPI Security Best Practices 613\u003c\/p\u003e \u003cp\u003eSecure Coding Practices 618\u003c\/p\u003e \u003cp\u003eSoftware-Defined Security 621\u003c\/p\u003e \u003cp\u003eSummary 624\u003c\/p\u003e \u003cp\u003eIndex 625\u003c\/p\u003e","brand":"John Wiley \u0026 Sons Inc","offers":[{"title":"Default Title","offer_id":48866416066903,"sku":"9781119789994","price":66.6,"currency_code":"GBP","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0817\/1739\/5799\/files\/9781119789994.jpg?v=1722278536","url":"https:\/\/bookcurl.com\/products\/the-official-isc2-cissp-cbk-reference-9781119789994","provider":"Book Curl","version":"1.0","type":"link"}