CISSP Internationally Recognised Certificate Course

  • Course schedule
  • Course introduction
  • Course features
  • Exam information
  • Course content
  • Press interviews

Traditional service: class timetable (Location: Mong Kok; Total fee: $3,580)

Code: PS0870DM
Dates (dd/mm): 20/08 - 17/09 (20/8, 27/8, 3/9, 10/9, 17/9)
Time: 10:30am - 5:30pm (lunch: 1:30pm-2:30pm)
Fee: $3,580
Instructor: Franco

*** Quality guarantee: watch the first 3 hours of class recordings free of charge at any location, so that you can assess the quality of the instructor and the teaching materials before enrolling in the course. ***
Please call our staff to make an appointment. Telephone numbers of each location:
Mong Kok 2332-6544
Kwun Tong 3563-8425
North Point 3580-1893
Sha Tin 2151-9360
Tuen Mun 3523-1560

Free make-up classes: students may watch recordings of missed classes at any location, so that they can keep up with subsequent classes!
Free re-study: within three months after the course ends, students may re-watch the class recordings at any location an unlimited number of times, so that they can revise the whole course repeatedly!
Class hours: 30 hours
Class instructor: Franco (list of courses taught)

For free make-up classes or free re-study under the traditional service, if you choose Mong Kok on weekdays (Monday to Thursday), you must finish watching the class recording by 6:30 p.m.

Recommended service: watch class recordings any time

Code | Location | Bookable days and times | Tuition as low as 20% off
PS1706MV | Mong Kok | Mon-Fri: 11:30 - 22:30; Sat & Sun: 10:30 - 21:30 (closed on public holidays) | only $3,401 after 5% discount
PS1706OV | Kwun Tong | Mon-Fri: 13:30 - 22:00; Sat & Sun: 12:30 - 21:00 (closed on Wednesdays and public holidays) | only $3,222 after 10% discount
PS1706PV | North Point | Mon-Fri: 13:30 - 22:00; Sat & Sun: 12:30 - 21:00 (closed on Wednesdays and public holidays) | only $3,222 after 10% discount
PS1706SV | Sha Tin | Mon-Fri: 13:30 - 22:00; Sat & Sun: 12:30 - 21:00 (closed on Wednesdays and public holidays) | only $3,222 after 10% discount
PS1706YV | Tuen Mun | Mon-Fri: 13:30 - 22:00; Sat & Sun: 12:30 - 21:00 (closed on Wednesdays and public holidays) | only $2,864 after 20% discount
* Government departments may pay by P Card
Free trial viewing: the first 3 hours; please call our staff to make an appointment. Telephone numbers of each location:
Mong Kok 2332-6544
Kwun Tong 3563-8425
North Point 3580-1893
Sha Tin 2151-9360
Tuen Mun 3523-1560
Free re-watching: during the access period, students may re-watch the class recordings at the location of enrolment an unlimited number of times, so that they can revise the whole course repeatedly!
Instructor Q&A: after watching a class recording, students may raise questions directly related to that class, and the course instructor will gladly answer them one-to-one!
Class hours: 30 hours
Access period: the whole course may be viewed within 4 weeks from the enrolment date, plus a 6-week reserve period. You control the pace, fast or slow.
Recording instructor: Franco (list of courses taught)
Watch class recordings any time: details and demo clips



In recent years, systems and network technology have advanced at breakneck speed. When developing a solution or handling electronic information, we must consider not only functionality but also information security. Once an information security incident occurs (for example, a leak of customer data), the damage to reputation and finances is unimaginable. Information security has therefore become a "compulsory subject" in the I.T. field, and employers hiring I.T. staff now require information security knowledge and related certifications, such as CISSP (Certified Information Systems Security Professional).

The CISSP certification scheme was established by the International Information Systems Security Certification Consortium (ISC2 for short). CISSP is a vendor-neutral certification: the knowledge it covers is not tied to any particular hardware or software vendor, so CISSP knowledge can be applied very broadly. The CISSP exam mainly covers the following 8 CBK (Common Body of Knowledge) domains:

  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)
  • Asset Security (Protecting Security of Assets)
  • Security Engineering (Engineering and Management of Security)
  • Communication and Network Security (Designing and Protecting Network Security)
  • Identity and Access Management (Controlling Access and Managing Identity)
  • Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  • Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)
  • Software Development Security (Understanding, Applying, and Enforcing Software Security)



CISSP

To obtain the CISSP, students must:

  1. Have 5 years of information security related work experience. With a university degree, 4 years of information security related work experience is required.
  2. Pass the CISSP exam (we have a large number of practice questions to make it easier for students to pass).
  3. Pass the Endorsement process.
    (CISSP students of this centre may apply to the centre for free assistance with Endorsement; the centre provides the Endorsement service free of charge in accordance with ISC2 guidelines.)
  4. Pass ISC2's audit.

Note: applicants who do not yet have sufficient work experience may still take the CISSP exam. After passing, they become an Associate of ISC2, and may apply to become a CISSP once they have accumulated sufficient work experience.



Course hours: 30 hours in total (10 sessions)
Suitable for: anyone interested in information security
Language of instruction: mainly Cantonese, supplemented by English
Course notes: written by the centre's instructor, mainly in English, with Chinese equivalents given for some English terms.


1. Taught by Franco Tsang in person: this course is taught by Franco Tsang, who holds CISSP, CCIE, RHCE and MCITP and has both the ability and the experience.
2. Notes written by Franco himself: Franco writes the notes himself, so you need not plough through textbooks as thick as a dictionary that do not suit Hong Kong study habits.
3. Equal emphasis on theory and practice: Franco gives many demonstrations in class so that students understand abstract information security concepts and how to apply CISSP knowledge in daily work. We also have a large number of practice questions to make it easier for students to pass the exam.
4. Free re-study: students of the traditional classes may re-watch the class recordings free of charge within three months after the course ends.


The CISSP exam has 250 multiple-choice questions, of which 25 are research questions that are not scored. Candidates cannot tell which questions are research questions, so every question must be answered with full effort. The exam is scored out of 1000, and the passing score is 700. The instructor will explain the exam procedure in class.

After passing the exam, the next step is Endorsement. Candidates must be recommended by another ISC2-certified person, who signs the Endorsement Form for the candidate.

CISSP students of this centre may apply to the centre for free assistance with Endorsement; the centre provides the Endorsement service free of charge in accordance with ISC2 guidelines.

Finally, ISC2 randomly samples candidates' submitted documents for audit. After passing the audit, the candidate becomes a CISSP.

Recently, the following Systematic CISSP course students applied for our help and we endorsed them successfully (including 2012-2017 examinations):

  • Alan Cheung
  • Alan Choi
  • Alan Kwong
  • Alan Lee
  • Albert To
  • Alfred S.Y. Chan
  • Alfred Y.H. Chan
  • Andy Lau
  • Anthony Wu
  • Antony Chan
  • B. Yiu
  • Ben Chan
  • Ben Wong
  • Billy Chan
  • C.F. Ko
  • C.M. Yip
  • Charlaes Ho
  • Charles Wong
  • Chris Ng
  • Chris Ngai
  • Cody Wong
  • Colin Yeung
  • David Lau
  • David Leung
  • Derek Au
  • Derek Yeung
  • Eddie Ho
  • Edmond Chan
  • Edward Tam
  • Eric Wong
  • Eric Wu
  • Ernest Chan
  • F. Tse
  • Frankie Ng
  • G. Cheung
  • Gavin Lo
  • H. S. Lam
  • H. Y. Lin
  • Henry Pang
  • Howard Lee
  • Ivan Chow
  • Ivan Mong
  • J. Chan
  • Jason Li
  • Jason Luk
  • Jeff Ho
  • Joe Chan
  • Joey Ho
  • Johnny Lam
  • Joseph Kwong
  • Joseph Lau
  • Justin Mok
  • K. S. Li
  • K.F. Tang
  • K.W. Chung
  • K.W. Tse
  • Kelvin Tse
  • Kene Lai
  • Kenneth Cheung
  • Kenneth Keung
  • Kenneth Shum
  • L. T. Kwok
  • Lawrence Chan
  • Lawrence Tang
  • M.H. Yip
  • Matthew Chan
  • Maverick Wong
  • P. Yau
  • Paul Wong
  • Ray Lam
  • Ray Tsang
  • Raymond Cheung
  • Raymond Lo
  • Rex Lee
  • Richard Mon
  • Roy Fong
  • Roy Lam
  • Roy Yiu
  • S. F. Choy
  • S. H. Wang
  • S. Sin
  • S. Y. Chu
  • S.H. So
  • S.M. Ho
  • Sam Lo
  • Sammy Leung
  • Samson Tai
  • Simon Leung
  • Simon Yu
  • Stanley Lam
  • Stephanie Chan
  • Steve Wong
  • Steven Tsoi
  • T. W. Cheng
  • Terence Mak
  • Terry Yau
  • Tony Lo
  • Tony Wong
  • Tony Yeung
  • U. Cheung
  • V. Tang
  • Vincent Chan
  • W. H. Ma
  • W. L. Lee
  • W.S Lai
  • W.T. Chiu
  • Willy Poon
  • X. Yao
  • Y. Chang
  • Y. K. Kong
  • Y.C. Chow
  • Y.L. Cheng
  • Y.T. Tang
  • Zero Ho
  • and more... too many to list

Congratulations to them!!






1 General Information
1.1 Steps to get the CISSP certification
1.2 Examination format and scoring
1.3 Registration process
1.4 Exam outline

2 Security and Risk Management
2.1 Confidentiality, integrity and availability
2.1.1 Confidentiality
2.1.2 Integrity
2.1.3 Availability
2.2 Security governance principles and their application
2.2.1 What is security governance?
2.2.2 Align security functions to organization goals, missions and objectives
2.2.2.1 Business case
2.2.2.2 Budget
2.2.2.3 Resources
2.2.3 Organizational processes
2.2.3.1 Acquisitions and Mergers
2.2.3.2 Divestitures and Spinoffs
2.2.3.3 Governance Committees
2.2.4 Security roles and responsibilities
2.2.4.1 Information security officer
2.2.4.2 Oversight committee representation / Security Council
2.2.4.3 End-users
2.2.4.4 Executive Management
2.2.4.5 Information systems security professionals
2.2.4.6 Data owners, information owners, business owners
2.2.4.7 Data custodians, information custodians, stewards
2.2.4.8 Information security auditors
2.2.4.9 Business continuity planners
2.2.4.10 Information technologies professionals
2.2.4.11 Security administrators
2.2.4.12 System administrators
2.2.4.13 Network administrators
2.2.4.14 Physical security administrators
2.2.4.15 Administrative assistants / Receptionists
2.2.4.16 Service desk
2.2.5 Control frameworks
2.2.5.1 NIST SP 800-53
2.2.5.2 ISO 27001:2013
2.2.6 Due Care
2.2.7 Due Diligence
2.3 Compliance
2.3.1 Legislative and regulatory compliance
2.3.2 Privacy requirements compliance
2.3.3 GRC
2.4 Information security in a global context and relevant legal and regulatory issues
2.4.1 Computer crimes
2.4.1.1 Crypto Locker
2.4.1.2 Child Porn
2.4.1.3 Reveton / Citadel
2.4.1.4 Rogue Anti-Virus software
2.4.1.5 Effects of computer crimes
2.4.2 Licensing and intellectual property
2.4.2.1 Patent
2.4.2.2 Trademark
2.4.2.3 Copyright
2.4.2.4 Trade Secret
2.4.2.5 License
2.4.3 Import and export controls
2.4.3.1 International Traffic in Arms Regulations (ITAR)
2.4.3.2 Export Administration Regulations (EAR)
2.4.3.3 Wassenaar Arrangement
2.4.4 Trans-border data flow
2.4.5 Privacy
2.4.6 Data Breaches
2.5 Professional ethics
2.5.1 The relationship between ethics and regulatory requirements
2.5.2 Ethics codes of conducts
2.5.2.1 The Code of Fair Information Practices
2.5.2.2 Internet Architecture Board
2.5.2.3 Computer Ethics Institute (CEI)
2.5.3 ISC2 Code of Ethics
2.5.3.1 Another version for your reference
2.5.3.2 Support organization’s code of ethics
2.5.4 Common ethics fallacies
2.6 Security policy, standards, procedures, and guidelines development and implementation
2.6.1 Security Policy
2.6.1.1 Best Practices of Security Policy
2.6.2 Standards
2.6.3 Procedures
2.6.4 Guidelines
2.6.5 Baselines
2.6.6 An integrated example
2.6.7 Security Planning
2.6.7.1 Strategic Planning
2.6.7.2 Tactical Planning
2.6.7.3 Operational Planning
2.6.7.4 An example of security planning
2.7 Risk Management concepts and its application
2.7.1 Risk and Risk Management overview
2.7.2 Identify threats and vulnerabilities
2.7.2.1 Threats
2.7.2.2 Vulnerabilities
2.7.3 Risk assessment / analysis
2.7.4 Qualitative risk assessment / analysis
2.7.5 Quantitative risk assessment / analysis
2.7.5.1 Asset identification and valuation
2.7.5.2 EF and SLE
2.7.5.3 ARO, LAFE, SAFE and ALE
2.7.6 Concerns when performing qualitative risk assessment / analysis
2.7.7 Concerns when performing quantitative risk assessment / analysis
2.7.8 Hybrid
2.7.9 Other risk assessment methodologies
2.7.9.1 NIST 800-30, NIST 800-39 and NIST 800-66
2.7.9.2 CCTA Risk Analysis and Management Method (CRAMM)
2.7.9.3 Failure mode and effects analysis (FMEA)
2.7.9.4 Facilitated risk analysis process (FRAP)
2.7.9.5 OCTAVE
2.7.9.6 Security Officers Management and Analysis Project (SOMAP)
2.7.9.7 Value at Risk (VaR)
2.7.10 Risk assignment / acceptance
2.7.11 Countermeasure selection and implementation
2.7.11.1 Countermeasure selection
2.7.11.2 Countermeasure implementation
2.7.12 Types of controls
2.7.12.1 Compensating controls
2.7.12.2 Corrective controls
2.7.12.3 Deterrent controls
2.7.12.4 Directive controls
2.7.12.5 Detective controls
2.7.12.6 Preventive controls
2.7.12.7 Recovery controls
2.7.12.8 Control implementations
2.7.12.9 Administrative controls
2.7.12.10 Physical controls
2.7.12.11 Logical controls / Technical controls
2.7.13 An integrated example of controls
2.7.14 Control assessment / monitoring and measurement / reporting
2.7.14.1 Vulnerability assessments
2.7.14.2 Penetration testing
2.7.15 Continuous improvement
2.7.15.1 PDCA cycle / Deming Cycle / Shewhart Cycle
2.7.15.2 Continuous Vs Continual
2.7.16 Risk frameworks / risk management frameworks
2.8 Disaster recovery and business continuity requirements
2.8.1 Project initiation
2.8.2 Develop and document project scope and plan
2.8.3 Business impact analysis (BIA)
2.8.3.1 Maximum tolerable downtime (MTD)
2.8.3.2 Recovery point objective (RPO)
2.9 Personnel security
2.9.1 Before the employment, employment agreement and policy
2.9.2 During the employment
2.9.2.1 Separation of Duties (SOD)
2.9.2.2 Least Privilege (Need to Know)
2.9.2.3 Job Rotation
2.9.2.4 Mandatory Vacations
2.9.3 Employment termination
2.9.4 Vendor, consultant and contractor controls
2.9.5 Privacy and compliance
2.10 Threat Modeling and its application
2.10.1 Example of threat modeling
2.11 Acquisition strategy and practice with security considerations
2.11.1 Hardware, software and services
2.11.2 Third-party assessment and monitoring
2.11.2.1 Minimum security and service level agreement (SLA)
2.12 Information security education / training and awareness training
2.12.1 Security awareness training
2.12.2 Security training
2.12.3 Assurance
2.13 Resources of this domain

3 Asset Security
3.1 Information classification and supporting assets
3.1.1 Classification (concern with access)
3.1.2 Categorization (concern with impact)
3.1.3 Data classification
3.1.3.1 Data owners and data processors
3.1.3.2 Concerns when classifying data
3.2 Ownership
3.3 Privacy protection
3.4 Data retention
3.4.1 Data retention and destruction policy
3.4.2 Hardware and software considerations
3.4.3 Personnel
3.5 Data security controls
3.5.1 Data at Rest with cryptography
3.5.2 Data in Transit with cryptography
3.5.3 Baselines
3.5.4 Scoping and tailoring
3.6 Standards selection
3.6.1 United States
3.6.1.1 Department of Defense
3.6.1.2 National Security Agency (NSA)
3.6.1.3 National Institute of Standards and Technology (NIST)
3.6.2 United Kingdom
3.6.2.1 Communications-Electronics Security Group (CESG)
3.6.3 European Union
3.6.4 International Organization for Standardization (ISO)
3.6.5 International Telecommunications Union (ITU)
3.6.6 NATO Cooperative Cyber Defence Centre of Excellence
3.7 Data Handling
3.7.1 Marking
3.7.2 Handling
3.7.3 Storing
3.7.4 Data remanence
3.7.4.1 Clearing
3.7.4.2 Purging
3.7.4.3 Overwriting
3.7.4.4 Degaussing
3.7.4.5 Encryption
3.7.4.6 Destruction
3.8 Quality control (QC) and quality assurance (QA)
3.9 Resources of this domain

4 Security Engineering
4.1 Engineering processes using secure design principles
4.1.1 Security engineering
4.1.2 Implement and manage security engineering using secure design principles
4.1.2.1 Principles
4.1.2.2 Relationships between principles and Life-cycles
4.2 Security models
4.2.1 Common system components
4.2.1.1 Processors
4.2.1.2 Memory and storage (primary storage)
4.2.1.3 Memory and storage (secondary storage)
4.2.1.4 Memory and storage (virtual storage)
4.2.1.5 Memory and storage (memory protection)
4.2.2 Common architecture frameworks
4.2.2.1 Zachman Framework
4.2.2.2 Sherwood Applied Business Security Architecture Framework
4.2.2.3 The Open Group Architecture Framework (TOGAF)
4.2.2.4 IT Infrastructure Library (ITIL)
4.2.3 Types of security Models
4.2.3.1 State Machine Model
4.2.3.2 Multilevel Lattice Models
4.2.3.3 Noninterference Models
4.2.3.4 Matrix-Based Model
4.2.3.5 Information Flow Model
4.2.4 Examples of security models
4.2.4.1 Bell-LaPadula Confidentiality Model / Bell-LaPadula Model / BLP
4.2.4.2 Biba Integrity Model / Biba Model
4.2.4.3 Clark-Wilson Integrity Model / Clark-Wilson Model
4.2.4.4 Lipner Model
4.2.4.5 Brewer-Nash (The Chinese Wall) Model
4.2.4.6 Graham-Denning Model
4.2.4.7 Harrison-Ruzzo-Ullman Model
4.3 Information system security evaluation models
4.3.1 Certification and accreditation
4.3.1.1 Certification
4.3.1.2 Accreditation
4.3.2 Product evaluation models
4.3.2.1 Trusted Computer System Evaluation Criteria (TCSEC)
4.3.2.2 Information Technology Security Evaluation Criteria (ITSEC)
4.3.2.3 Common Criteria
4.3.3 Industry and international security implementation guidelines
4.3.3.1 ISO / IEC 27001
4.3.3.2 Control Objectives for Information and Related Technology (COBIT)
4.3.3.3 Payment Card Industry Data Security Standard (PCI-DSS)
4.4 Information systems security capabilities
4.4.1 Access control mechanisms
4.4.2 Secure memory management
4.4.2.1 Address space layout randomization (ASLR)
4.4.3 Processor states
4.4.3.1 Supervisor state
4.4.3.2 Problem state
4.4.4 Layering
4.4.5 Data hiding
4.4.6 Abstraction
4.4.7 Trusted Platform Module (TPM) [Cryptographic protections]
4.4.8 Host firewalls and intrusion prevention
4.4.9 Virtualization
4.4.10 Audit and monitoring controls
4.5 Vulnerabilities of security architectures and designs.
4.5.1 Client-based vulnerabilities
4.5.1.1 Desktops and Laptops
4.5.1.2 Mobile devices
4.5.2 Server-Based vulnerabilities
4.5.2.1 Data flow control
4.5.3 Database security
4.5.3.1 Warehousing
4.5.3.2 Inference
4.5.3.3 Aggregation
4.5.3.4 Data mining / KDD
4.5.4 Large-scale parallel data systems
4.5.5 Distributed systems
4.5.5.1 Cloud computing
4.5.5.2 Grid computing
4.5.5.3 Peer to peer (P2P)
4.5.6 Industrial control systems (ICS)
4.6 Assess and mitigate vulnerabilities in web-based systems
4.6.1 XML
4.6.2 SAML
4.6.3 OWASP
4.7 Assess and mitigate vulnerabilities in mobile systems
4.7.1 Remote computing
4.7.2 Mobile workers
4.8 Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems
4.9 Cryptography and its application
4.9.1 Key terms and definitions
4.9.1.1 Ciphertext
4.9.1.2 Plaintext
4.9.1.3 Cryptosystem
4.9.1.4 Encryption
4.9.1.5 Decryption
4.9.1.6 Key / Cryptovariable
4.9.1.7 Nonrepudiation
4.9.1.8 Algorithm
4.9.1.9 Cryptanalysis
4.9.1.10 Cryptology
4.9.1.11 Collision
4.9.1.12 Key space
4.9.1.13 Work factor
4.9.1.14 Initialization vector (IV)
4.9.1.15 Encoding
4.9.1.16 Decoding
4.9.1.17 Transposition / Permutation
4.9.1.18 Substitution
4.9.1.19 SP-Network
4.9.1.20 Confusion
4.9.1.21 Diffusion
4.9.2 Methods of cryptography
4.9.2.1 Stream-based Ciphers
4.9.2.2 Block Ciphers
4.9.3 Encryption systems
4.9.3.1 Null Cipher
4.9.3.2 The Rail Fence
4.9.3.3 Caesar Cipher / Monoalphabetic Cipher
4.9.3.4 Blaise de Vigenère / Polyalphabetic Cipher
4.9.3.5 Playfair Cipher
4.9.3.6 Running Key Cipher with modular mathematics
4.9.3.7 One-time Pads
4.9.4 Symmetric encryption algorithms
4.9.4.1 DES (Data Encryption Standard)
4.9.4.2 DES: ECB (Block Cipher Modes of DES)
4.9.4.3 DES: CBC (Block Cipher Modes of DES)
4.9.4.4 DES: CFB (Stream Cipher Modes of DES)
4.9.4.5 DES: OFB (Stream Cipher Modes of DES)
4.9.4.6 DES: CTR (Stream Cipher Modes of DES)
4.9.4.7 Advantages and disadvantages of DES
4.9.4.8 Double DES
4.9.4.9 Triple DES
4.9.4.10 Rijndael / Advanced Encryption Standard (AES)
4.9.4.11 International Data Encryption Algorithm (IDEA)
4.9.4.12 CAST
4.9.4.13 Blowfish
4.9.4.14 Twofish
4.9.4.15 RC4
4.9.4.16 RC5
4.9.4.17 Advantages and disadvantages of symmetric encryption algorithms
4.9.5 Asymmetric encryption algorithms
4.9.5.1 Asymmetric algorithms
4.9.5.2 Message confidentiality
4.9.5.3 Proof of origin (nonrepudiation)
4.9.5.4 Message confidentiality + proof of origin (nonrepudiation)
4.9.5.5 RSA
4.9.5.6 Diffie-Hellman Algorithm
4.9.5.7 El Gamal
4.9.5.8 Elliptic Curve Cryptography (ECC)
4.9.5.9 Advantages and disadvantages of asymmetric algorithms
4.9.6 Hybrid Cryptography
4.9.7 Hashing and salting
4.9.7.1 MD5 Message Digest Algorithm
4.9.7.2 Secure Hash Algorithm (SHA-1, SHA-2)
4.9.7.3 SHA-3
4.9.7.4 HAVAL
4.9.7.5 RIPEMD-160
4.9.8 Message Authentication Code (MAC)
4.9.8.1 HMAC (Keyed-Hash Message Authentication Code)
4.9.9 Public Key Infrastructure (PKI)
4.9.9.1 Digital signatures and digital signature standard (DSS)
4.9.9.2 Certification Authority (CA) and digital certificates
4.9.9.3 Registration Authority (RA)
4.9.9.4 Validation Authority (VA)
4.9.9.5 Relationships between CA, RA and VA
4.9.9.6 Key management: XML Key Management Specification (XKMS)
4.9.9.7 Key management: Key Escrow
4.9.9.8 Digital Rights Management (DRM)
4.9.10 Cryptanalysis and attacks
4.9.10.1 Ciphertext-Only Attack
4.9.10.2 Known-Plaintext Attack
4.9.10.3 Chosen-Plaintext Attack
4.9.10.4 Chosen-Ciphertext Attack
4.9.10.5 Brute Force
4.9.10.6 Dictionary Attack
4.9.10.7 Frequency Analysis
4.9.10.8 Rainbow Table
4.9.10.9 Birthday Attack
4.9.10.10 Side-channel Attack / Implementation Attack
4.9.10.11 Linear cryptanalysis
4.10 Site and facility design
4.10.1 Roadway Design
4.10.2 Crime Prevention Through Environment Design (CPTED)
4.10.3 Entry points: Doors
4.10.3.1 Mantrap / Portal
4.10.4 Entry points: Windows
4.10.4.1 Types of glasses
4.11 Design and implement physical security
4.11.1 Wiring closets and Ground Potential Rise (GPR)
4.11.2 Server rooms and rack security
4.11.3 Media storage, evidence storage and work (restricted) area security
4.11.4 Data center security
4.11.5 Utilities and HVAC
4.11.5.1 Uninterruptible Power Supply (UPS)
4.11.5.2 Power Conditioner
4.11.5.3 Backup Power Source
4.11.5.4 HVAC
4.11.6 Fire prevention detection, suppression
4.11.6.1 Fire detection
4.11.6.2 Fire suppression
4.12 Resources of this domain

5 Communication and Network Security
5.1 Network architecture and its design principles
5.1.1 OSI reference model
5.1.1.1 Layer 7: Application Layer
5.1.1.2 Layer 6: Presentation Layer
5.1.1.3 Layer 5: Session Layer
5.1.1.4 Layer 4: Transport Layer
5.1.1.5 Layer 3: Network Layer
5.1.1.6 Layer 2: Data Link Layer
5.1.1.7 Layer 1: Physical Layer
5.1.2 TCP / IP model
5.1.2.1 Application Layer
5.1.2.2 Transport Layer
5.1.2.3 Internet Layer
5.1.2.4 Network Interface Layer
5.1.3 OSI reference model VS TCP / IP model
5.1.4 IP networking
5.1.4.1 IPv4 addressing
5.1.4.2 IPv6 addressing
5.1.4.3 Transmission Control Protocol (TCP)
5.1.4.4 User Datagram Protocol (UDP)
5.1.4.5 Ports
5.1.4.6 Routing protocols
5.1.4.7 RIPv1, RIPv2 and RIPng
5.1.4.8 OSPFv2 and OSPFv3
5.1.4.9 Border Gateway Protocol (BGP)
5.1.4.10 Dynamic Host Configuration Protocol (DHCP)
5.1.4.11 Internet Control Message Protocol (ICMP)
5.1.4.12 Domain Name Service (DNS)
5.1.4.13 Lightweight Directory Access Protocol (LDAP)
5.1.4.14 Network Basic Input Output System (NetBIOS)
5.1.4.15 Common Internet File System (CIFS) / Server Message Block (SMB)
5.1.4.16 Network Information Service (NIS / NIS+)
5.1.4.17 Simple Mail Transfer Protocol (SMTP) / Extended Simple Mail Transfer Protocol (ESMTP)
5.1.4.18 File Transfer Protocol (FTP)
5.1.4.19 Secure FTP with TLS (FTPS)
5.1.4.20 SSH File Transfer Protocol (SFTP)
5.1.4.21 FTP over SSH
5.1.4.22 FTP Transfer modes: Active mode (PORT mode)
5.1.4.23 FTP Transfer modes: Passive mode (PASV mode)
5.1.4.24 Trivial File Transfer Protocol (TFTP)
5.1.4.25 Hypertext Transfer Protocol (HTTP)
5.1.5 Converged protocols
5.1.5.1 Fibre Channel (FC)
5.1.5.2 Internet Small Computer System Interface (iSCSI)
5.1.5.3 Fiber Channel over Internet Protocol (FCIP / FCoIP)
5.1.5.4 Fibre Channel over Ethernet (FCoE)
5.1.5.5 InfiniBand (IB)
5.1.5.6 Multiprotocol Label Switching (MPLS)
5.1.5.7 MPLS Pseudowires / L2VPN
5.1.5.8 Voice over IP (VoIP)
5.1.5.9 Session Initiation Protocol (SIP)
5.1.6 Multilayer protocols
5.1.6.1 DNP3
5.1.6.2 Modbus
5.1.7 Software-defined networks / Software-defined networking (SDN)
5.1.8 Wireless networks
5.1.8.1 Wi-Fi
5.1.8.2 Open system authentication
5.1.8.3 Shared key authentication
5.1.8.4 Wired equivalent privacy (WEP)
5.1.8.5 Wi-Fi protected access (WPA) / Wi-Fi protected access II (WPA2)
5.1.8.6 “Parking lot” attack
5.1.8.7 SSID flaw
5.1.9 Cryptography used to maintain communication security
5.1.9.1 Certificate-based authentication
5.1.9.2 Client certificates
5.1.9.3 Server certificates
5.1.9.4 Code signing / Object signing
5.1.9.5 Secure / Multipurpose Internet Mail Extension (S/MIME)
5.2 Secure network components
5.2.1 Operation of hardware
5.2.1.1 Modems
5.2.1.2 Multiplexers
5.2.1.3 Switches and bridges
5.2.1.4 Hubs / Repeaters
5.2.1.5 Routers
5.2.1.6 Wireless access points (WAP / AP)
5.2.2 Transmission media
5.2.2.1 Shielded Twisted Pair (STP)
5.2.2.2 Unshielded Twisted Pair (UTP)
5.2.2.3 Coaxial Cable (Coax)
5.2.2.4 Fiber Optic / Optical Fiber
5.2.2.5 Plastic Optical Fiber
5.2.3 Network access control devices
5.2.3.1 Firewalls
5.2.3.2 Network Address Translation (NAT)
5.2.3.3 Port Address Translation (PAT)
5.2.3.4 Proxies
5.2.4 Endpoint security / Physical devices
5.2.5 Content-distribution networks (CDN)
5.3 Secure communication channels
5.3.1 Voice
5.3.2 Multimedia collaboration
5.3.2.1 Remote meeting technology
5.3.2.2 Instant messaging (IM)
5.3.2.3 Extensible Messaging and Presence Protocol (XMPP) / Jabber
5.3.2.4 Internet Relay Chat (IRC)
5.3.3 IPsec VPN
5.3.3.1 IPsec VPN: Authentication Header (AH)
5.3.3.2 IPsec VPN: Encapsulating Secure Payload (ESP)
5.3.4 Screen scraping
5.3.5 Virtual desktop / application
5.3.6 Virtual LAN (VLAN)
5.3.7 Transport Layer Security (TLS) / Secure Sockets Layer (SSL)
5.3.7.1 TLS VPN / SSL VPN
5.3.8 Virtualized networks
5.3.8.1 vNetwork Standard Switch (vSwitch, vSS)
5.3.8.2 vNetwork Distributed Switch (dvSwitch, vDS)
5.3.8.3 Virtual Storage Area Network (VSAN)
5.3.9 Circuit switched and packet switched networks
5.3.9.1 Circuit switched networks
5.3.9.2 Packet switched networks
5.4 Network attacks
5.4.1 Layered Defense Model
5.4.2 Domain litigation
5.4.3 Open mail relay and SPAM
5.4.4 Scanning
5.4.4.1 Port scanning
5.4.4.2 Port scanning: FIN scanning / X-mas scanning / Null scanning
5.4.5 Fragmentation
5.4.5.1 Teardrop
5.4.5.2 Overlapping fragment attack
5.4.5.3 Source Routing Exploitation
5.4.6 Denial of service and spoofing
5.4.6.1 SYN Flood
5.4.6.2 DDoS
5.4.6.3 Smurf attack
5.4.6.4 Email spoofing
5.4.6.5 DNS spoofing
5.4.7 Prevent network attacks
5.4.7.1 Intrusion Detection System (IDS)
5.4.7.2 Intrusion Prevention System (IPS)
5.4.7.3 Security event management (SEM)
5.5 Resources of this domain

6 Identity and Access Management
6.1 Control physical and logical access to assets
6.1.1 Logical access control
6.1.1.1 Access control of information
6.1.1.2 Centralized access control
6.1.1.3 Decentralized access control
6.1.1.4 Hybrid access control
6.1.2 Physical access control
6.1.2.1 Physical Access Control System (PACS)
6.2 Identification and authentication
6.2.1 Identification methods
6.2.2 Identification guidelines
6.2.3 Identification implementation
6.2.3.1 Password management
6.2.3.2 Account management
6.2.3.3 Profile management
6.2.3.4 Directory management and Lightweight Directory Access Protocol (LDAP)
6.2.3.5 X.500 and X.400
6.2.3.6 Single Sign-On (SSO)
6.2.3.7 Kerberos
6.2.4 Single / Multi-factor authentication
6.2.4.1 Biometric
6.2.5 Federated identity management
6.2.6 Session management
6.2.7 Registration and proof of identity
6.2.8 Credential management systems
6.2.9 Accountability
6.3 Identity as a service (IDaaS) and Third-Party identity service integration
6.4 Authorization
6.4.1 Role-Based Access Control (RBAC)
6.4.1.1 Non-RBAC
6.4.1.2 Limited RBAC
6.4.1.3 Hybrid RBAC
6.4.1.4 Full RBAC
6.4.2 Rule-Based Access Control
6.4.3 Discretionary Access Control (DAC)
6.4.4 Mandatory Access Control (MAC)
6.5 Prevent and mitigate access control attacks and IAM
6.5.1 Identity and access provisioning lifecycle
6.6 Resources of this domain

7 Security Assessment and Testing
7.1 Assessment and test strategies
7.2 Security control testing
7.2.1 Vulnerability assessment
7.2.2 Penetration testing
7.2.3 Log reviews
7.2.4 RUM / EUM and Synthetic transactions
7.2.4.1 RUM / EUM
7.2.4.2 Synthetic transactions
7.2.5 Code Review and Testing
7.2.5.1 Black-Box-Testing vs. White-Box-Testing
7.2.5.2 Dynamic Testing vs. Static Testing
7.2.5.3 Manual Testing vs. Automatic Testing
7.2.5.4 Lifecycle
7.2.6 Misuse Case Testing / Negative Testing
7.2.7 Code Coverage Analysis / Test Coverage Analysis
7.2.8 Interface Testing
7.3 Security process data collection, analysis and reporting
7.4 Internal and third party audit
7.5 Resources of this domain

8 Security Operations
8.1 Investigation types
8.1.1 Civil law
8.1.2 Common law
8.1.2.1 Criminal law
8.1.2.2 Regulatory law
8.1.3 eDiscovery
8.2 Supporting investigations
8.2.1 Evidence collection and handling
8.2.1.1 Chain of Custody
8.2.1.2 Interviewing
8.2.2 Reporting and documenting
8.2.3 Investigation techniques
8.2.3.1 Root Cause Analysis (RCA)
8.2.3.2 Incident handling
8.2.4 Digital forensics
8.3 Conducting logging and monitoring activities
8.3.1 Intrusion detection and intrusion prevention
8.3.1.1 Intrusion Detection System (IDS)
8.3.1.2 Intrusion Prevention System (IPS)
8.3.2 Security information and event management (SIEM)
8.3.3 Continuous monitoring
8.3.4 Egress monitoring
8.3.4.1 Data Leak / Loss Prevention (DLP)
8.3.4.2 Steganography
8.3.5 Watermarking
8.4 Configuration management (resource provisioning)
8.5 Applying foundational security operations concepts
8.5.1 Need-to-know / least privilege
8.5.2 Separation of duties and responsibilities
8.5.3 Monitor special privileges
8.5.3.1 Administrators / System administrators
8.5.3.2 Operators
8.5.3.3 Security administrators, help desk, ordinary users
8.5.4 Job rotation
8.5.5 Information lifecycle
8.5.6 Service level agreement (SLA)
8.6 Resource protection techniques
8.6.1 Media management
8.6.1.1 Archival and offline storage
8.6.1.2 Cloud and virtual storage
8.6.2 Hardware and software asset management
8.7 Incident management
8.7.1 Detection
8.7.1.1 Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
8.7.1.2 Anti-malware systems
8.7.1.3 SIEM
8.7.2 Response
8.7.3 Mitigation
8.7.4 Reporting
8.7.5 Recovery
8.7.6 Remediation and Lessons learned
8.8 Preventive measures
8.8.1 Firewalls
8.8.1.1 Bastion Host
8.8.1.2 Dual-Homed Firewall
8.8.1.3 Screened Host
8.8.1.4 Screened Subnet
8.8.2 Intrusion detection and prevention systems
8.8.3 Whitelisting, blacklisting and greylisting
8.8.4 Sandboxing, third-party security services, and honeypots / honeynets, anti-malware
8.8.4.1 Sandboxing and anti-malware
8.8.4.2 Third-party security services
8.8.4.3 Honeypots / Honeynets and anti-malware
8.9 Change management processes and patch / vulnerability management
8.10 Recovery Strategies
8.10.1 Backup storage strategies
8.10.1.1 Electronic vaulting and offsite storage
8.10.1.2 Remote journaling and offsite storage
8.10.1.3 Database shadowing
8.10.1.4 Tape rotation
8.10.2 Recovery site strategies and multiple processing sites
8.10.3 System resilience, high availability, quality of service and fault tolerance
8.10.3.1 System resilience
8.10.3.2 High availability and fault tolerance
8.10.3.3 Quality of service
8.11 Disaster recovery procedures
8.11.1 Response and assessment
8.11.2 Personnel and communications
8.11.3 Restoration and assessment
8.11.4 Training and awareness
8.12 Participate in business continuity plan and disaster recovery plan testing and exercises
8.12.1 Read-through
8.12.2 Walkthrough
8.12.3 Simulation
8.12.4 Parallel
8.12.5 Full interruption
8.13 Implement and manage physical security
8.13.1 Perimeter
8.13.1.1 Gates and fences
8.13.1.2 Perimeter Intrusion Detection
8.13.1.3 Lighting
8.13.2 Internal security
8.13.2.1 CCTV
8.13.2.2 Visitor controls / escort requirements
8.13.2.3 Keys and locks
8.14 Participate in addressing personnel safety concerns
8.14.1 Duress
8.14.2 Travel monitoring
8.15 Resources of this domain

9 Software Development Security
9.1 Software development lifecycle
9.1.1 Development methodologies
9.1.1.1 Waterfall
9.1.1.2 Agile
9.1.2 Maturity model
9.1.3 Operation and maintenance
9.1.4 Change management
9.1.5 Integrated Product Team (DevOps)
9.2 Security controls in development environments
9.2.1 Security of the software environments
9.2.1.1 Open source and “security by obscurity”
9.2.1.2 Security issues of programming languages
9.2.1.3 Von Neumann model
9.2.1.4 ACID in database transactions
9.2.1.5 Database View
9.2.2 Security weaknesses and vulnerabilities at the source-code level
9.2.2.1 Buffer Overflow and escalation of privilege
9.2.2.2 Input / output validation
9.2.2.3 Covert Channels
9.2.2.4 TOC (Time of Check) / TOU (Time of Use)
9.2.2.5 Cross-site scripting (XSS)
9.2.3 Configuration management as an aspect of secure coding
9.2.4 Code repositories
9.2.4.1 Physical security
9.2.4.2 System security
9.2.4.3 Operational security
9.2.4.4 Software security
9.2.4.5 Communications
9.2.4.6 Information / data backup
9.2.5 Application programming interfaces
9.2.5.1 REST / RESTful API
9.2.5.2 OAuth
9.3 Assess the effectiveness of software security
9.3.1 Certification and accreditation
9.3.2 Auditing and logging of changes
9.3.3 Risk analysis and mitigation
9.3.4 Code signing and code signing certificate
9.3.5 Regression and acceptance testing
9.3.5.1 Regression testing
9.3.5.2 Acceptance testing
9.4 Assess security impact of acquired software and SwA (Software Assurance)
9.4.1 Generic acquisition process
9.4.1.1 Planning Phase
9.4.1.2 Contracting Phase
9.4.1.3 Monitoring and Acceptance Phase
9.4.1.4 Follow-on
9.4.2 Relationship between acquisition processes and IEEE 1062, PMBOK, NIST SP 800-64, DoDI 5000.2, ISO / IEC 12207
9.5 Resources of this domain

10 Appendix
10.1 Trusted Computing Base (TCB)
10.2 Security Kernels and Reference Monitors
10.3 Cleanroom
From: Franco Tsang [mailto:francotsang@systematic.com.hk]
Sent: Monday, May 29, 2017 12:27 PM
To: 'nethrillam@systematic.com.hk'
Subject: Modify webpage (CISSP Internationally Recognised Certificate Course (free Endorsement service provided), PS)

Hi Nethril,

If you have time, could you please update the webpage? The details can be found at the bottom of this email.

Course affected: CISSP Internationally Recognised Certificate Course (free Endorsement service provided)
Course Code: PS
Course Website: http://www.systematic.com.hk/cissp

Thanks a lot.

Best Regards,
Franco
________________________________________



The CISSP international certification course run by this centre has achieved outstanding results, and local media have competed to interview the course; below is the content of the education feature interview from Oriental Daily News (東方日報).
