Contents

Acknowledgments

Introduction

1.0   Security and Risk Management

Objective 1.1 Understand, adhere to, and promote professional ethics

The (ISC)2 Code of Ethics

Code of Ethics Preamble

Code of Ethics Canons

Organizational Code of Ethics

Workplace Ethics Statements and Policies

Other Sources for Ethics Requirements

REVIEW

1.1 QUESTIONS

1.1 ANSWERS

Objective 1.2 Understand and apply security concepts

Security Concepts

Data, Information, Systems, and Entities

Confidentiality

Integrity

Availability

Supporting Tenets of Information Security

Identification

Authentication

Authenticity

Authorization

Auditing and Accountability

Nonrepudiation

Supporting Security Concepts

REVIEW

1.2 QUESTIONS

1.2 ANSWERS

Objective 1.3 Evaluate and apply security governance principles

Security Governance

External Governance

Internal Governance

Alignment of Security Functions to Business Requirements

Business Strategy and Security Strategy

Organizational Processes

Organizational Roles and Responsibilities

Security Control Frameworks

Due Care/Due Diligence

REVIEW

1.3 QUESTIONS

1.3 ANSWERS

Objective 1.4 Determine compliance and other requirements

Compliance

Legal and Regulatory Compliance

Contractual Compliance

Compliance with Industry Standards

Privacy Requirements

REVIEW

1.4 QUESTIONS

1.4 ANSWERS

Objective 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context

Legal and Regulatory Requirements

Cybercrimes

Licensing and Intellectual Property Requirements

Import/Export Controls

Transborder Data Flow

Privacy Issues

REVIEW

1.5 QUESTIONS

1.5 ANSWERS

Objective 1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)

Investigations

Administrative Investigations

Civil Investigations

Criminal Investigations

Regulatory Investigations

Industry Standards for Investigations

REVIEW

1.6 QUESTIONS

1.6 ANSWERS

Objective 1.7 Develop, document, and implement security policy, standards, procedures, and guidelines

Internal Governance

Policy

Procedures

Standards

Guidelines

Baselines

REVIEW

1.7 QUESTIONS

1.7 ANSWERS

Objective 1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements

Business Continuity

Business Impact Analysis

Developing the BIA

REVIEW

1.8 QUESTIONS

1.8 ANSWERS

Objective 1.9 Contribute to and enforce personnel security policies and procedures

Personnel Security

Candidate Screening and Hiring

Employment Agreements and Policies

Onboarding, Transfers, and Termination Processes

Vendor, Consultant, and Contractor Agreements and Controls

Compliance Policy Requirements

Privacy Policy Requirements

REVIEW

1.9 QUESTIONS

1.9 ANSWERS

Objective 1.10 Understand and apply risk management concepts

Risk Management

Elements of Risk

Identify Threats and Vulnerabilities

Risk Assessment/Analysis

Risk Response

Risk Frameworks

Countermeasure Selection and Implementation

Applicable Types of Controls

Control Assessments (Security and Privacy)

Monitoring and Measurement

Reporting

Continuous Improvement

REVIEW

1.10 QUESTIONS

1.10 ANSWERS

Objective 1.11 Understand and apply threat modeling concepts and methodologies

Threat Modeling

Threat Components

Threat Modeling Methodologies

REVIEW

1.11 QUESTIONS

1.11 ANSWERS

Objective 1.12 Apply Supply Chain Risk Management (SCRM) concepts

Supply Chain Risk Management

Risks Associated with Hardware, Software, and Services

Third-Party Assessment and Monitoring

Minimum Security Requirements

Service Level Requirements

REVIEW

1.12 QUESTIONS

1.12 ANSWERS

Objective 1.13 Establish and maintain a security awareness, education, and training program

Security Awareness, Education, and Training Program

Methods and Techniques to Present Awareness and Training

Periodic Content Reviews

Program Effectiveness Evaluation

REVIEW

1.13 QUESTIONS

1.13 ANSWERS

2.0   Asset Security

Objective 2.1 Identify and classify information and assets

Asset Classification

Data Classification

REVIEW

2.1 QUESTIONS

2.1 ANSWERS

Objective 2.2 Establish information and asset handling requirements

Information and Asset Handling

Handling Requirements

Information Classification and Handling Systems

REVIEW

2.2 QUESTIONS

2.2 ANSWERS

Objective 2.3 Provision resources securely

Securing Resources

Asset Ownership

Asset Inventory

Asset Management

REVIEW

2.3 QUESTIONS

2.3 ANSWERS

Objective 2.4 Manage data lifecycle

Managing the Data Life Cycle

Data Roles

Data Collection

Data Location

Data Maintenance

Data Retention

Data Remanence

Data Destruction

REVIEW

2.4 QUESTIONS

2.4 ANSWERS

Objective 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))

Asset Retention

Asset Life Cycle

End-of-Life and End-of-Support

REVIEW

2.5 QUESTIONS

2.5 ANSWERS

Objective 2.6 Determine data security controls and compliance requirements

Data Security and Compliance

Data States

Control Standards Selection

Scoping and Tailoring Data Security Controls

Data Protection Methods

REVIEW

2.6 QUESTIONS

2.6 ANSWERS

3.0   Security Architecture and Engineering

Objective 3.1 Research, implement, and manage engineering processes using secure design principles

Threat Modeling

Least Privilege

Defense in Depth

Secure Defaults

Fail Securely

Separation of Duties

Keep It Simple

Zero Trust

Privacy by Design

Trust But Verify

Shared Responsibility

REVIEW

3.1 QUESTIONS

3.1 ANSWERS

Objective 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)

Security Models

Terms and Concepts

System States and Processing Modes

Confidentiality Models

Integrity Models

Other Access Control Models

REVIEW

3.2 QUESTIONS

3.2 ANSWERS

Objective 3.3 Select controls based upon systems security requirements

Selecting Security Controls

Performance and Functional Requirements

Data Protection Requirements

Governance Requirements

Interface Requirements

Risk Response Requirements

REVIEW

3.3 QUESTIONS

3.3 ANSWERS

Objective 3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

Information System Security Capabilities

Hardware and Firmware System Security

Secure Processing

REVIEW

3.4 QUESTIONS

3.4 ANSWERS

Objective 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

Vulnerabilities of Security Architectures, Designs, and Solutions

Client-Based Systems

Server-Based Systems

Distributed Systems

Database Systems

Cryptographic Systems

Industrial Control Systems

Internet of Things

Embedded Systems

Cloud-Based Systems

Virtualized Systems

Containerization

Microservices

Serverless

High-Performance Computing Systems

Edge Computing Systems

REVIEW

3.5 QUESTIONS

3.5 ANSWERS

Objective 3.6 Select and determine cryptographic solutions

Cryptography

Cryptographic Life Cycle

Cryptographic Methods

Integrity

Hybrid Cryptography

Digital Certificates

Public Key Infrastructure

Nonrepudiation and Digital Signatures

Key Management Practices

REVIEW

3.6 QUESTIONS

3.6 ANSWERS

Objective 3.7 Understand methods of cryptanalytic attacks

Cryptanalytic Attacks

Brute Force

Ciphertext Only

Known Plaintext

Chosen Ciphertext and Chosen Plaintext

Frequency Analysis

Implementation

Side Channel

Fault Injection

Timing

Man-in-the-Middle (On-Path)

Pass the Hash

Kerberos Exploitation

Ransomware

REVIEW

3.7 QUESTIONS

3.7 ANSWERS

Objective 3.8 Apply security principles to site and facility design

Site and Facility Design

Site Planning

Secure Design Principles

REVIEW

3.8 QUESTIONS

3.8 ANSWERS

Objective 3.9 Design site and facility security controls

Designing Facility Security Controls

Crime Prevention Through Environmental Design

Key Facility Areas of Concern

REVIEW

3.9 QUESTIONS

3.9 ANSWERS

4.0   Communication and Network Security

Objective 4.1 Assess and implement secure design principles in network architectures

Fundamental Networking Concepts

Open Systems Interconnection and Transmission Control Protocol/Internet Protocol Models

Internet Protocol Networking

Secure Protocols

Application of Secure Networking Concepts

Implications of Multilayer Protocols

Converged Protocols

Micro-segmentation

Wireless Technologies

Wireless Theory and Signaling

Wi-Fi

Bluetooth

Zigbee

Satellite

Li-Fi

Cellular Networks

Content Distribution Networks

REVIEW

4.1 QUESTIONS

4.1 ANSWERS

Objective 4.2 Secure network components

Network Security Design and Components

Operation of Hardware

Transmission Media

Endpoint Security

REVIEW

4.2 QUESTIONS

4.2 ANSWERS

Objective 4.3 Implement secure communication channels according to design

Securing Communications Channels

Voice

Multimedia Collaboration

Remote Access

Data Communications

Virtualized Networks

Third-Party Connectivity

REVIEW

4.3 QUESTIONS

4.3 ANSWERS

5.0   Identity and Access Management (IAM)

Objective 5.1 Control physical and logical access to assets

Controlling Logical and Physical Access

Logical Access

Physical Access

REVIEW

5.1 QUESTIONS

5.1 ANSWERS

Objective 5.2 Manage identification and authentication of people, devices, and services

Identification and Authentication

Identity Management Implementation

Single/Multifactor Authentication

Accountability

Session Management

Registration, Proofing, and Establishment of Identity

Federated Identity Management

Credential Management Systems

Single Sign-On

Just-in-Time

REVIEW

5.2 QUESTIONS

5.2 ANSWERS

Objective 5.3 Federated identity with a third-party service

Third-Party Identity Services

On-Premise

Cloud

Hybrid

REVIEW

5.3 QUESTIONS

5.3 ANSWERS

Objective 5.4 Implement and manage authorization mechanisms

Authorization Mechanisms and Models

Discretionary Access Control

Mandatory Access Control

Role-Based Access Control

Rule-Based Access Control

Attribute-Based Access Control

Risk-Based Access Control

REVIEW

5.4 QUESTIONS

5.4 ANSWERS

Objective 5.5 Manage the identity and access provisioning lifecycle

Identity and Access Provisioning Life Cycle

Provisioning and Deprovisioning

Role Definition

Privilege Escalation

Account Access Review

REVIEW

5.5 QUESTIONS

5.5 ANSWERS

Objective 5.6 Implement authentication systems

Authentication Systems

Open Authorization

OpenID Connect

Security Assertion Markup Language

Kerberos

Remote Access Authentication and Authorization

REVIEW

5.6 QUESTIONS

5.6 ANSWERS

6.0   Security Assessment and Testing

Objective 6.1 Design and validate assessment, test, and audit strategies

Defining Assessments, Tests, and Audits

Designing and Validating Evaluations

Goals and Strategies

Use of Internal, External, and Third-Party Assessors

REVIEW

6.1 QUESTIONS

6.1 ANSWERS

Objective 6.2 Conduct security control testing

Security Control Testing

Vulnerability Assessment

Penetration Testing

Log Reviews

Synthetic Transactions

Code Review and Testing

Misuse Case Testing

Test Coverage Analysis

Interface Testing

Breach Attack Simulations

Compliance Checks

REVIEW

6.2 QUESTIONS

6.2 ANSWERS

Objective 6.3 Collect security process data (e.g., technical and administrative)

Security Data

Security Process Data

REVIEW

6.3 QUESTIONS

6.3 ANSWERS

Objective 6.4 Analyze test output and generate report

Test Results and Reporting

Analyzing the Test Results

Reporting

Remediation, Exception Handling, and Ethical Disclosure

REVIEW

6.4 QUESTIONS

6.4 ANSWERS

Objective 6.5 Conduct or facilitate security audits

Conducting Security Audits

Internal Security Auditors

External Security Auditors

Third-Party Security Auditors

REVIEW

6.5 QUESTIONS

6.5 ANSWERS

7.0   Security Operations

Objective 7.1 Understand and comply with investigations

Investigations

Forensic Investigations

Evidence Collection and Handling

Digital Forensics Tools, Tactics, and Procedures

Investigative Techniques

Reporting and Documentation

REVIEW

7.1 QUESTIONS

7.1 ANSWERS

Objective 7.2 Conduct logging and monitoring activities

Logging and Monitoring

Continuous Monitoring

Intrusion Detection and Prevention

Security Information and Event Management

Egress Monitoring

Log Management

Threat Intelligence

User and Entity Behavior Analytics

REVIEW

7.2 QUESTIONS

7.2 ANSWERS

Objective 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)

Configuration Management Activities

Provisioning

Baselining

Automating the Configuration Management Process

REVIEW

7.3 QUESTIONS

7.3 ANSWERS

Objective 7.4 Apply foundational security operations concepts

Security Operations

Need-to-Know/Least Privilege

Separation of Duties and Responsibilities

Privileged Account Management

Job Rotation

Service Level Agreements

REVIEW

7.4 QUESTIONS

7.4 ANSWERS

Objective 7.5 Apply resource protection

Media Management and Protection

Media Management

Media Protection Techniques

REVIEW

7.5 QUESTIONS

7.5 ANSWERS

Objective 7.6 Conduct incident management

Security Incident Management

Incident Management Life Cycle

REVIEW

7.6 QUESTIONS

7.6 ANSWERS

Objective 7.7 Operate and maintain detective and preventative measures

Detective and Preventive Controls

Allow-Listing and Deny-Listing

Firewalls

Intrusion Detection Systems and Intrusion Prevention Systems

Third-Party Provided Security Services

Honeypots and Honeynets

Anti-malware

Sandboxing

Machine Learning and Artificial Intelligence

REVIEW

7.7 QUESTIONS

7.7 ANSWERS

Objective 7.8 Implement and support patch and vulnerability management

Patch and Vulnerability Management

Managing Vulnerabilities

Managing Patches and Updates

REVIEW

7.8 QUESTIONS

7.8 ANSWERS

Objective 7.9 Understand and participate in change management processes

Change Management

Change Management Processes

REVIEW

7.9 QUESTIONS

7.9 ANSWERS

Objective 7.10 Implement recovery strategies

Recovery Strategies

Backup Storage Strategies

Recovery Site Strategies

Multiple Processing Sites

Resiliency

High Availability

Quality of Service

Fault Tolerance

REVIEW

7.10 QUESTIONS

7.10 ANSWERS

Objective 7.11 Implement Disaster Recovery (DR) processes

Disaster Recovery

Saving Lives and Preventing Harm to People

The Disaster Recovery Plan

Response

Personnel

Communications

Assessment

Restoration

Training and Awareness

Lessons Learned

REVIEW

7.11 QUESTIONS

7.11 ANSWERS

Objective 7.12 Test Disaster Recovery Plans (DRP)

Testing the Disaster Recovery Plan

Read-Through/Tabletop

Walk-Through

Simulation

Parallel Testing

Full Interruption

REVIEW

7.12 QUESTIONS

7.12 ANSWERS

Objective 7.13 Participate in Business Continuity (BC) planning and exercises

Business Continuity

Business Continuity Planning

Business Continuity Exercises

REVIEW

7.13 QUESTIONS

7.13 ANSWERS

Objective 7.14 Implement and manage physical security

Physical Security

Perimeter Security Controls

Internal Security Controls

REVIEW

7.14 QUESTIONS

7.14 ANSWERS

Objective 7.15 Address personnel safety and security concerns

Personnel Safety and Security

Travel

Security Training and Awareness

Emergency Management

Duress

REVIEW

7.15 QUESTIONS

7.15 ANSWERS

8.0   Software Development Security

Objective 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

Software Development Life Cycle

Development Methodologies

Maturity Models

Operation and Maintenance

Change Management

Integrated Product Team

REVIEW

8.1 QUESTIONS

8.1 ANSWERS

Objective 8.2 Identify and apply security controls in software development ecosystems

Security Controls in Software Development

Programming Languages

Libraries

Tool Sets

Integrated Development Environment

Runtime

Continuous Integration and Continuous Delivery

Security Orchestration, Automation, and Response

Software Configuration Management

Code Repositories

Application Security Testing

REVIEW

8.2 QUESTIONS

8.2 ANSWERS

Objective 8.3 Assess the effectiveness of software security

Software Security Effectiveness

Auditing and Logging Changes

Risk Analysis and Mitigation

REVIEW

8.3 QUESTIONS

8.3 ANSWERS

Objective 8.4 Assess security impact of acquired software

Security Impact of Acquired Software

Commercial-off-the-Shelf Software

Open-Source Software

Third-Party Software

Managed Services

REVIEW

8.4 QUESTIONS

8.4 ANSWERS

Objective 8.5 Define and apply secure coding guidelines and standards

Secure Coding Guidelines and Standards

Security Weaknesses and Vulnerabilities at the Source-Code Level

Security of Application Programming Interfaces

Secure Coding Practices

Software-Defined Security

REVIEW

8.5 QUESTIONS

8.5 ANSWERS

A   About the Online Content

System Requirements

Your Total Seminars Training Hub Account

Privacy Notice

Single User License Terms and Conditions

TotalTester Online

Technical Support

Index
