CISSP Training Course


CISSP International Certification Course (Premier Cybersecurity Certification)
Short name: CISSP Training Course


Course discount! Enrol in all three of the following courses at the same time:
and save $840! Enrol in any two of them and save $480!
Course discount! Enrol in both of the following two courses at the same time:
and save $740!

Traditional service: classroom schedule (Location: Mong Kok   Total fee: $4,480)
Enrol by phone or through this web page; once the centre confirms that your seat has been reserved, you can pay the tuition fee by FPS (轉數快). Simple!
Code       Date (dd/mm)    Day   Time                                        Fee      Tutor
PS0160EM   11/01 - 08/02         2:30pm - 9:30pm (dinner: 5:30pm-6:30pm)     $4,480   Franco
           Class dates: 11/1/2025, 18/1, 25/1, 1/2, 8/2/2025
* Government departments may pay by P Card
If the exam fee is paid by P Card, a 1.3% surcharge is added to the exam fee.

*** Quality guarantee: watch the first 3 hours of class recordings free of charge at any location, so that you can assess the quality of the tutor and the materials before enrolling. ***
Please call centre staff to make a booking. Phone numbers by location:
Mong Kok 2332-6544
Kwun Tong 3563-8425
North Point 3580-1893
Sha Tin 2151-9360
Tuen Mun 3523-1560

Free make-up classes: students can watch the class recordings at any location to catch up on a missed class before the following one.
Free re-study: within three months after the course ends, students may re-watch the class recordings at any location an unlimited number of times to review the whole course.
Class hours: 30 hours
Tutor: Franco (list of courses taught)


Recommended service: class recordings on demand (watch at home = 0%, watch in centre = 100%)
Enrol by phone or through this web page; once the centre confirms that your seat has been reserved, you can pay the tuition fee by FPS (轉數快). Simple!
Code       Location       Bookable days and times                                                                              Tuition (up to 15% off)
PS2412AV   Any location   See individual locations                                                                             $4,480
PS2412MV   Mong Kok       Mon-Fri: 14:30 - 22:15   Sat: 13:45 - 21:30   Sun: 10:15 - 18:00 (closed on public holidays)         5% off: $4,256
PS2412OV   Kwun Tong      Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)        10% off: $4,032
PS2412PV   North Point    Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)        10% off: $4,032
PS2412SV   Sha Tin        Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)        15% off: $3,808
PS2412YV   Tuen Mun       Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Mondays, Wednesdays and public holidays)   15% off: $3,808
* Government departments may pay by P Card
If the exam fee is paid by P Card, a 1.3% surcharge is added to the exam fee.
Free in-centre preview: the first 3 hours; please call centre staff to make a booking (phone numbers for each location are listed above).
Free in-centre re-watch: during the access period, students may re-watch the class recordings at the enrolment location an unlimited number of times to review the whole course.
Tutor Q&A: after watching a class recording, students may ask questions directly related to that class, and the course tutor will gladly answer them one-on-one.
Class hours: 30 hours
Access period: 10 weeks. You control the pace, faster or slower.
Recording tutor: Franco (list of courses taught)
In-centre viewing: details and demo video


Recommended service: class recordings on demand (watch at home = 30%, watch in centre = 70%)
Enrol by phone or through this web page; once the centre confirms that your seat has been reserved, you can pay the tuition fee by FPS (轉數快). Simple!
Code       Location       Days and times                                                                                       Fee
           At home        During the access period: 7 days a week (including public holidays), 24 hours a day, unlimited viewing.
PS2412MH   Mong Kok       Mon-Fri: 14:30 - 22:15   Sat: 13:45 - 21:30   Sun: 10:15 - 18:00 (closed on public holidays)         $4,480
PS2412OH   Kwun Tong      Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)        $4,480
PS2412PH   North Point    Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)        $4,480
PS2412SH   Sha Tin        Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)        $4,480
PS2412YH   Tuen Mun       Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Mondays, Wednesdays and public holidays)   $4,480
* Government departments may pay by P Card
If the exam fee is paid by P Card, a 1.3% surcharge is added to the exam fee.
Free in-centre preview: the first 3 hours; please call centre staff to make a booking (phone numbers for each location are listed above).
Free in-centre re-watch: during the access period, students may re-watch the in-centre portion of the class recordings at the enrolment location an unlimited number of times.
Tutor Q&A: after watching a class recording, students may ask questions directly related to that class, and the course tutor will gladly answer them one-on-one.
Class hours: 30 hours
Home and in-centre viewing: the first 9 hours are watched at home, the remaining 21 hours in centre.
Programs blocked during home viewing: programs that endanger the copyright of the class recordings.
Access period: 10 weeks. You control the pace, faster or slower.
Recording tutor: Franco (list of courses taught)
Home viewing: terms of service and rules, enrolment procedure and demo video


District      Address                                                                                          Phone       EDB registration no.
Mong Kok      Rooms 1802-1807, 18/F, 皆旺商業大廈, 109 Argyle Street, Mong Kok, Kowloon                          2332-6544   533459
Kwun Tong     Room G2, 12/F, 寧晉中心, 7 Shing Yip Street, Kwun Tong, Kowloon                                     3563-8425   588571
North Point   Shops 01-02, 3/F, 華寶商業大廈, 41-47 Marble Road, North Point, Hong Kong                           3580-1893   591262
Sha Tin       Room M, 10/F, 京瑞廣場 Phase 1, 3 On Kwan Street, Shek Mun, Sha Tin, New Territories                2151-9360   604488
Tuen Mun      Room 1708, 17/F, 屯門柏麗廣場, 2 Tuen Hi Road, Tuen Mun, New Territories                             3523-1560   592552
Note: customers must ask for the school's Education Bureau (EDB) registration number to confirm that it is a registered school, to avoid unnecessary loss.



In recent years, systems and network technology has advanced at a breakneck pace. When developing a solution or handling electronic information, functionality is no longer the only concern: information security must be considered as well. Once an information security incident occurs (for example, a leak of customer data), the reputational or financial loss can be unimaginable. Information security has therefore become a "compulsory subject" in the I.T. field, and employers hiring I.T. staff now require information security knowledge and related certifications, such as CISSP (Certified Information Systems Security Professional).

The CISSP certification scheme was established by the International Information Systems Security Certification Consortium (ISC2). CISSP is a vendor-neutral certification: the knowledge it covers is not tied to any particular hardware or software vendor, so it can be applied very broadly. The CISSP exam centres on the following 8 CBK (Common Body of Knowledge) domains:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security




To obtain the CISSP, students must:

  1. Have 5 years of information-security-related work experience
  2. Pass the CISSP exam (we provide plenty of practice exercises to make it easier for students to pass)
  3. Complete the Endorsement process
    (CISSP students of this centre can apply to the centre for free Endorsement assistance, which the centre provides free of charge in accordance with ISC2 guidelines.)
  4. Pass the ISC2 review

Note: applicants without sufficient work experience can still sit the CISSP exam; after the exam they become an Associate of ISC2, and once they have accumulated enough work experience they can apply to become a CISSP.



Course name: CISSP International Certification Course (Premier Cybersecurity Certification)
- Short name: CISSP Training Course
Course duration: 30 hours in total (10 sessions)
Suitable for: anyone interested in information security
Language of instruction: mainly Cantonese, supplemented by English
Course notes: written by the centre's tutor, mainly in English, with Chinese glosses for some English terms.

1. Taught personally by Franco Tsang: this course is taught by Franco Tsang, who holds CISSP, CCIE, RHCE and MCITP and has both expertise and practical experience.
2. Notes written by Franco: Franco writes the notes himself, so you do not have to slog through dictionary-thick textbooks that do not suit the way Hong Kong students study.
3. Equal emphasis on theory and practice: Franco gives many demonstrations in class so that students understand abstract information security concepts and how to apply CISSP knowledge in their daily work. We also provide plenty of practice exercises to make it easier to pass the exam.
4. Free re-study: traditional classroom students may re-watch the class recordings free of charge within three months after the course ends.

The tutor will explain the exam procedure in class.

After passing the exam, the next step is Endorsement. The candidate must be recommended by another ISC2-certified person, who signs the candidate's Endorsement Form.

CISSP students of this centre can apply to the centre for free Endorsement assistance, which the centre provides free of charge in accordance with ISC2 guidelines.

Finally, ISC2 randomly selects candidates' submitted documents for audit. After passing the audit, the candidate becomes a CISSP.

Recently, the following Systematic CISSP course students applied for our help and we endorsed them successfully:

  • A. Chan
  • A. Chung
  • A. Ho
  • A. Pang
  • A. She
  • A. Tsang
  • A. Yao
  • A. Yiu
  • A.Wong
  • Alan Cheung
  • Alan Choi
  • Alan Kwong
  • Alan Lee
  • Albert To
  • Alfred S.Y. Chan
  • Alfred Y.H. Chan
  • Andy Lau
  • Anthony Wu
  • Antony Chan
  • B. Cheung
  • B. Fan
  • B. Ho
  • B. Hui
  • B. Kwok
  • B. Lam
  • B. Lau
  • B. Ng
  • B. Wong
  • B. Yiu
  • Ben Chan
  • Ben Wong
  • Billy Chan
  • C. Chan
  • C. Choi
  • C. Chung
  • C. Lee
  • C. Li
  • C. Ma
  • C. Tang
  • C. Tse
  • C.F. Cho
  • C.F. Ko
  • C.I. Choi
  • C.M. Yip
  • C.N. Yue
  • Chan C. C
  • Charlaes Ho
  • Charles Wong
  • Chris Ng
  • Chris Ngai
  • Cody Wong
  • Colin Yeung
  • D. Fu
  • D. Hui
  • D. Leung
  • D. Sze
  • D. Wong
  • David Lau
  • David Leung
  • Derek Au
  • Derek Yeung
  • E. Lau
  • E. Mok
  • E. T. Lau
  • E. Tsang
  • E. Wong
  • Eddie Ho
  • Edmond Chan
  • Edward Tam
  • Edwin Tang
  • Eric Wong
  • Eric Wu
  • Ernest Chan
  • F. Mok
  • F. Tong
  • F. Tse
  • F. Wong
  • F. Wu
  • Frankie Ng
  • G. Cheung
  • G. Kan
  • G. Lau
  • G. Tang
  • Gavin Lo
  • H. S. Lam
  • H. Seto
  • H. Y. Lin
  • Henry Pang
  • Howard Lee
  • I. Lai
  • I. Sheung
  • Ivan Chow
  • Ivan Mong
  • J. Chan
  • J. Cheng
  • J. Chow
  • J. F. Wong
  • J. Hui
  • J. K. Kwok
  • J. Kwok
  • J. Lai
  • J. Lam
  • J. Lau
  • J. Li
  • J. Mak
  • J. Ng
  • J. Ting
  • J. W. Wong
  • J. Wong
  • J. Yue
  • J.M. Wong
  • Jason Li
  • Jason Luk
  • Jeff Ho
  • Joe Chan
  • Joey Ho
  • Johnny Lam
  • Joseph Kwong
  • Joseph Lau
  • Justin Mok
  • K. Chan
  • K. Cheung
  • K. Choi
  • K. F. Lau
  • K. Fung
  • K. Huen
  • K. Ko
  • K. Kwan
  • K. Li
  • K. Mok
  • K. S. Li
  • K. Tong
  • K. Tsui
  • K. Wong
  • K.F. Fung
  • K.F. Tang
  • K.F. Wong
  • K.W. Chung
  • K.W. Tse
  • Kelvin Tang
  • Kelvin Tse
  • Kene Lai
  • Kenneth Cheung
  • Kenneth Keung
  • Kenneth Shum
  • L. Chung
  • L. Hui
  • L. Ng
  • L. T. Kwok
  • Lawrence Chan
  • Lawrence Tang
  • M. Chan
  • M. Hui
  • M. Leung
  • M. Ng
  • M. Yip
  • M.C. Chan
  • M.H. Yip
  • M.K. Chan
  • Matthew Chan
  • Maverick Wong
  • N. C
  • O. Yun
  • P. Kan
  • P. Kwok
  • P. Lam
  • P. Ng
  • P. Yau
  • P. Yeung
  • Paul Wong
  • R. Chan
  • R. Chung
  • R. Kwong
  • R. Leung
  • R. Yu
  • Ray Lam
  • Ray Tsang
  • Raymond Cheung
  • Raymond Law
  • Raymond Lo
  • Rex Lee
  • Richard Mon
  • Roy Fong
  • Roy Lam
  • Roy Yiu
  • S. F. Choy
  • S. H. Wang
  • S. Hui
  • S. Lam
  • S. Leung
  • S. Mak
  • S. Sin
  • S. Wu
  • S. Y. Chu
  • S. Yip
  • S.H. So
  • S.M. Ho
  • S.W. Lu
  • Sam Lo
  • Sammy Leung
  • Samson Tai
  • Simon Leung
  • Simon Yu
  • Stanley Lam
  • Stephanie Chan
  • Steve Wong
  • Steven Tsoi
  • T. Chan
  • T. Ho
  • T. Hou
  • T. Kwong
  • T. Lam
  • T. Leung
  • T. Sy
  • T. Tao
  • T. Tsui
  • T. W. Cheng
  • T.S. Chan
  • T.Y. Li
  • Terence Mak
  • Terry Ng
  • Terry Yau
  • Tony Lo
  • Tony Wong
  • Tony Yeung
  • U. Cheung
  • V. Tang
  • Vincent Chan
  • W. C. Fung
  • W. H. Ma
  • W. Hon
  • W. Hung
  • W. L. Lee
  • W. Lau
  • W. Li
  • W. T. Tai
  • W. Yeung
  • W. Yip
  • W.C.D. Fung
  • W.S Lai
  • W.S. Chu
  • W.T. Chiu
  • Willy Poon
  • X. Yao
  • Y. C. Choi
  • Y. Chang
  • Y. K. Kong
  • Y. Wong
  • Y.C. Chow
  • Y.L. Cheng
  • Y.T. Tang
  • Zero Ho
  • and more... too many to list

Congratulations to them!!






Course name: CISSP International Certification Course (Premier Cybersecurity Certification)
- Short name: CISSP Training Course


1 Introduction
1.1 Steps to get the CISSP certification

2 Domain 1: Security and Risk Management
2.1 Understand, adhere to, and promote professional ethics
2.1.1 ISC2 Code of Professional Ethics
2.1.2 Organizational code of ethics
2.2 Understand and apply security concepts
2.2.1 Confidentiality, integrity, and availability, authenticity, and nonrepudiation (5 Pillars of Information Security)
2.2.2 Confidentiality
2.2.3 Integrity
2.2.4 Availability
2.2.5 Authenticity
2.2.6 Nonrepudiation
2.3 Evaluate, apply, and sustain security governance principles
2.3.1 Alignment of the security function to business strategy, goals, mission, and objectives
2.3.1.1 Business case
2.3.1.2 Budget
2.3.1.3 Resources
2.3.2 Organizational processes (e.g., acquisitions, divestitures, governance committees)
2.3.2.1 Acquisitions and Mergers
2.3.2.2 Divestitures and Spinoffs
2.3.2.3 Governance Committees
2.3.3 Organizational roles and responsibilities
2.3.3.1 Information security officer / Chief information security officer (CISO)
2.3.3.2 Oversight committee representation / Security Council
2.3.3.3 End-users
2.3.3.4 Executive Management
2.3.3.5 Information Systems Security Professionals
2.3.3.6 Data owners, information owners, business owners
2.3.3.7 Data custodians, information custodians, stewards
2.3.3.8 Auditors
2.3.3.9 Business Continuity Planners
2.3.3.10 Information Technologies Professionals
2.3.3.11 Administrative assistants / Receptionists
2.3.3.12 Service desk
2.3.3.13 Conclusion of this section
2.3.4 Security control frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP))
2.3.4.1 ISO (International Organization for Standardization)
2.3.4.2 NIST (National Institute of Standards and Technology)
2.3.4.3 COBIT (Control Objectives for Information and Related Technology)
2.3.4.4 SABSA (Sherwood Applied Business Security Architecture)
2.3.4.5 PCI (Payment Card Industry)
2.3.4.6 FedRAMP (Federal Risk and Authorization Management Program)
2.3.5 Due care/due diligence
2.3.5.1 Due Care
2.3.5.2 Due Diligence
2.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
2.4.1 Cybercrimes and data breaches
2.4.1.1 Cybercrimes
2.4.1.2 Data Breaches
2.4.2 Licensing and Intellectual Property requirements
2.4.2.1 Licensing
2.4.2.2 Intellectual Property
2.4.2.3 Patent
2.4.2.4 Trademark
2.4.2.5 Copyright
2.4.2.6 Trade Secret
2.4.3 Import/export controls
2.4.3.1 International Traffic in Arms Regulations (ITAR)
2.4.3.2 Export Administration Regulations (EAR)
2.4.4 Transborder data flow
2.4.5 Issues related to privacy (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act)
2.4.5.1 General Data Protection Regulation (GDPR)
2.4.5.2 California Consumer Privacy Act (CCPA)
2.4.5.3 Personal Information Protection Law (PIPL)
2.4.5.4 Protection of Personal Information Act (POPIA)
2.4.6 Contractual, legal, industry standards, and regulatory requirement
2.5 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
2.5.1 Administrative
2.5.2 Criminal
2.5.3 Civil
2.5.4 Regulatory
2.5.5 Industry Standards
2.6 Develop, document, and implement security policy, standards, procedures, and guidelines
2.6.1 Security Policy
2.6.2 Standards
2.6.3 Procedures
2.6.4 Guidelines
2.6.5 An integrated example of security policy, standards, procedures, and guidelines
2.6.5.1 Security policy
2.6.5.2 Standard
2.6.5.3 Procedure
2.6.5.4 Guideline
2.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
2.7.1 Business impact analysis (BIA)
2.7.1.1 Maximum tolerable downtime (MTD)
2.7.1.2 Recovery point objective (RPO)
2.7.1.3 Recovery time objective (RTO)
2.7.2 External dependencies
2.8 Contribute to and enforce personnel security policies and procedures
2.8.1 Candidate screening and hiring
2.8.2 Employment agreements and policy driven requirements
2.8.3 Onboarding, transfers, and termination processes
2.8.3.1 Separation of Duties / Segregation of Duties (SoD)
2.8.3.2 Need-to-know / Least privilege
2.8.3.3 Job rotation
2.8.3.4 Mandatory vacations
2.8.3.5 Termination processes
2.8.4 Vendor, consultant, and contractor agreements and controls
2.9 Understand and apply risk management concepts
2.9.1 Threat and vulnerability identification
2.9.1.1 Threats
2.9.1.2 Vulnerabilities
2.9.2 Risk analysis, assessment, and scope
2.9.2.1 Qualitative risk assessment / analysis
2.9.2.2 Quantitative risk assessment / analysis
2.9.2.2.1 Asset identification and valuation
2.9.2.2.2 Calculate Exposure factor (EF) and Single-loss expectancy (SLE)
2.9.2.2.3 Assess Annualized Rate of Occurrence (ARO), LAFE and SAFE
2.9.2.2.4 Calculate Annualized loss expectancy (ALE) and countermeasure selection
2.9.2.3 Hybrid
2.9.3 Risk response and treatment (e.g., cybersecurity insurance)
2.9.4 Applicable types of controls (e.g., preventive, detection, corrective)
2.9.4.1 Types of controls
2.9.4.1.1 Compensating controls
2.9.4.1.2 Corrective controls
2.9.4.1.3 Deterrent controls
2.9.4.1.4 Detective controls
2.9.4.1.5 Preventive controls
2.9.4.1.6 Recovery controls
2.9.5 Control assessments (e.g., security and privacy)
2.9.6 Continuous monitoring and measurement
2.9.7 Reporting (e.g., internal, external)
2.9.7.1 Internal Reporting
2.9.7.2 External Reporting
2.9.7.3 SOC Reports (System and Organization Controls)
2.9.7.3.1 SOC 1
2.9.7.3.2 SOC 2 (with type 1 and type 2)
2.9.7.3.3 SOC 3
2.9.8 Continuous improvement (e.g., risk maturity modeling)
2.9.8.1 Risk maturity modeling
2.9.9 Risk frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI))
2.9.9.1 International Organization for Standardization (ISO)
2.9.9.2 National Institute of Standards and Technology (NIST)
2.9.9.3 Control Objectives for Information and Related Technology (COBIT)
2.9.9.4 Sherwood Applied Business Security Architecture (SABSA)
2.9.9.5 Payment Card Industry (PCI)
2.10 Understand and apply threat modeling concepts and methodologies
2.10.1 STRIDE
2.10.2 PASTA (Process for Attack Simulation and Threat Analysis)
2.10.3 Other threat models
2.10.4 Reduction analysis
2.11 Apply supply chain risk management (SCRM) concepts
2.11.1 Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)
2.11.1.1 Product tampering
2.11.1.2 Counterfeit
2.11.1.3 Implants
2.11.2 Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)
2.11.2.1 Third-Party Assessment and Monitoring
2.11.2.2 Minimum Security Requirements
2.11.2.3 Silicon Root of Trust
2.11.2.4 Physically Unclonable Function (PUF)
2.11.2.5 Software Bill of Materials (SBOM)
2.12 Establish and maintain a security awareness, education, and training program
2.12.1 Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification)
2.12.1.1 Social Engineering
2.12.1.2 Phishing
2.12.1.3 Security Champions
2.12.1.4 Gamification
2.12.2 Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)
2.12.2.1 Emerging technologies and trends
2.12.2.1.1 Cryptocurrency
2.12.2.1.2 Artificial Intelligence (AI)
2.12.2.1.3 Blockchain
2.12.3 Program effectiveness evaluation

3 Domain 2: Asset Security
3.1 Identify and classify information and assets
3.1.1 Data classification
3.1.2 Asset Classification
3.2 Establish information and asset handling requirements
3.2.1 Other regulations
3.3 Provision information and assets securely
3.3.1 Information and asset ownership
3.3.2 Asset inventory (e.g., tangible, intangible)
3.3.3 Asset management
3.4 Manage data lifecycle
3.4.1 Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
3.4.1.1 Data Owners
3.4.1.2 Data Controllers
3.4.1.3 Data Custodians
3.4.1.4 Data Processors
3.4.1.5 Data Users/Subjects
3.4.2 Data collection
3.4.3 Data location
3.4.4 Data maintenance
3.4.5 Data retention
3.4.6 Data remanence
3.4.7 Data destruction
3.4.7.1 Data sanitization methods
3.4.7.1.1 Clearing
3.4.7.1.2 Purging
3.4.7.1.3 Overwriting
3.4.7.1.4 Degaussing
3.4.7.1.5 Destruction
3.5 Ensure appropriate asset retention (e.g., End of Life (EOL), End of Support)
3.5.1 EOL (End of Life) Management
3.5.2 EOS (End of Support) Management
3.5.3 Data Retention Compliance
3.6 Determine data security controls and compliance requirements
3.6.1 Data states (e.g., in use, in transit, at rest)
3.6.1.1 In use
3.6.1.2 In transit
3.6.1.3 At rest
3.6.2 Scoping, tailoring and baseline
3.6.3 Standards selection
3.6.4 Data protection methods (e.g., Digital Rights Management (DRM), data loss prevention (DLP), cloud access security broker (CASB))
3.6.4.1 Traditional backup (Full, differential and incremental backup, journaling)
3.6.4.2 Other Backup Approaches (Database mirroring, disk mirroring / storage replication, snapshots, multi regions / availability zones, vaulting)
3.6.4.2.1 Database mirroring
3.6.4.2.2 Disk Mirroring
3.6.4.2.3 Storage Replication
3.6.4.2.4 Snapshot
3.6.4.3 Data Deduplication
3.6.4.4 Digital Rights Management (DRM)
3.6.4.5 Data Loss Prevention (DLP)
3.6.4.6 Cloud Access Security Broker (CASB)

4 Domain 3: Security Architecture and Engineering
4.1 Research, implement, and manage engineering processes using secure design principles
4.1.1 Threat modeling
4.1.2 Least privilege
4.1.3 Defense in depth
4.1.4 Secure defaults
4.1.5 Fail securely
4.1.6 Segregation of Duties (SoD)
4.1.7 Keep it simple and small
4.1.8 Zero trust or trust but verify
4.1.9 Privacy by design
4.1.10 Shared responsibility
4.1.11 Secure access service edge
4.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
4.2.1 Bell-LaPadula Confidentiality Model / Bell-LaPadula Model / BLP with star property
4.2.2 Biba Integrity Model / Biba Model with star property
4.2.3 Clark-Wilson Model
4.3 Select controls based upon systems security requirements
4.4 Understand security capabilities of Information Systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
4.4.1 Memory protection
4.4.1.1 Supervisor state and user state
4.4.1.2 Buffer-overflow and Address space layout randomization (ASLR)
4.4.1.3 Concerns
4.4.2 Virtualization
4.4.3 Secure cryptoprocessor, Trusted Platform Module (TPM), encryption/decryption
4.4.3.1 Trusted Platform Module (TPM)
4.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
4.5.1 Client-based systems
4.5.2 Server-based systems
4.5.3 Database systems
4.5.3.1 Inference
4.5.3.2 Aggregation
4.5.3.3 Data mining / Knowledge Discovery in Databases (KDD)
4.5.4 Cryptographic systems
4.5.5 Operational Technology/industrial control systems (ICS)
4.5.6 Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
4.5.7 Distributed systems
4.5.8 Internet of Things (IoT)
4.5.9 Microservices (e.g., application programming interface (API), including SQL injection, SSRF, XSS, CSRF / XSRF)
4.5.10 Containerization
4.5.11 Serverless
4.5.12 Embedded systems
4.5.13 High-Performance Computing systems
4.5.14 Edge computing systems
4.5.15 Virtualized systems
4.6 Select and determine cryptographic solutions
4.6.1 Cryptographic life cycle (e.g., keys, algorithm selection)
4.6.2 Integrity (e.g., hashing)
4.6.2.1 Cryptographic hash function
4.6.2.2 Common cryptographic hash functions
4.6.2.3 HMAC
4.6.2.4 Salt
4.6.3 Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
4.6.3.1 Stream-based Ciphers
4.6.3.2 Block Ciphers
4.6.3.3 Block Cipher Modes of Operation
4.6.3.3.1 Electronic Code Book (ECB) mode
4.6.3.3.2 Cipher Block Chaining (CBC) mode
4.6.3.3.3 Cipher Feedback (CFB) mode
4.6.3.3.4 Counter (CTR) mode
4.6.3.3.5 Some points about various modes
4.6.3.3.6 Some other modes
4.6.3.3.6.1 Galois/counter (GCM) / AES-GCM-SIV
4.6.3.4 Symmetric
4.6.3.5 Common symmetric encryption algorithms
4.6.3.6 AES
4.6.3.7 Advantages and disadvantages of symmetric encryption algorithms
4.6.4 Asymmetric, Digital signatures and digital certificates (e.g., non-repudiation, integrity)
4.6.4.1 General concepts
4.6.4.2 Digital signature
4.6.4.3 RSA
4.6.4.3.1 RSA encryption and decryption
4.6.4.3.2 RSA digital signature
4.6.4.4 Diffie–Hellman key exchange
4.6.4.5 ElGamal
4.6.4.5.1 ElGamal encryption and decryption
4.6.4.5.2 ElGamal digital signature and DSA (Digital Signature Algorithm)
4.6.4.6 Elliptic curves (ECC)
4.6.4.6.1 Elliptic Curve Diffie-Hellman Key Exchange (ECDH)
4.6.4.6.2 Elliptic Curve ElGamal Public Key Cryptosystem
4.6.4.6.3 Elliptic Curve Digital Signature Algorithm (ECDSA)
4.6.4.7 Advantages and disadvantages of asymmetric algorithms
4.6.5 Quantum cryptography and quantum key distribution
4.6.6 Public key infrastructure (PKI)
4.6.6.1 Registration Authority (RA)
4.6.6.2 Validation Authority (VA)
4.6.6.3 Subordinate or intermediate certificates
4.6.7 Key management practices (e.g., rotation)
4.7 Understand methods of cryptanalytic attacks
4.7.1 Brute force
4.7.2 Ciphertext only
4.7.3 Known plaintext
4.7.4 Frequency analysis
4.7.5 Chosen ciphertext
4.7.6 Implementation attacks
4.7.7 Side-channel and timing
4.7.8 Fault injection
4.7.9 Man-in-the-middle (MITM)
4.7.10 Pass the hash
4.7.11 Kerberos exploitation
4.7.12 Ransomware
4.8 Design site and facility security controls
4.8.1 Wiring closets/intermediate distribution frame
4.8.2 Server rooms/data centers
4.8.2.1 Mantrap
4.8.3 Media storage facilities, evidence storage, restricted and work area security
4.8.4 Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
4.8.5 Environmental issues (e.g., natural disasters, man-made)
4.8.6 Fire prevention, detection, and suppression
4.8.6.1 Fire detection
4.8.6.2 Fire prevention and suppression
4.8.7 Power (e.g., redundant, backup)
4.8.7.1 Uninterruptible Power Supply (UPS)
4.8.7.2 Backup Power Source
4.9 Manage the information system lifecycle

5 Domain 4: Communication and Network Security
5.1 Apply secure design principles in network architectures
5.1.1 Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
5.1.1.1 OSI reference model
5.1.1.1.1 Layer 7: Application Layer
5.1.1.1.2 Layer 6: Presentation Layer
5.1.1.1.3 Layer 5: Session Layer
5.1.1.1.4 Layer 4: Transport Layer
5.1.1.1.5 Layer 3: Network Layer
5.1.1.1.6 Layer 2: Data Link Layer
5.1.1.1.7 Layer 1: Physical Layer
5.1.1.2 TCP / IP model
5.1.1.2.1 Application Layer
5.1.1.2.2 Transport Layer
5.1.1.2.3 Internet Layer
5.1.1.2.4 Network Interface Layer
5.1.2 Internet Protocol (IP) version 4 and 6 (IPv6) (e.g., unicast, broadcast, multicast, anycast)
5.1.2.1 Internet Protocol version 4 (IPv4)
5.1.2.2 Internet Protocol version 6 (IPv6)
5.1.3 Secure protocols (e.g., Internet Protocol Security (IPsec), Secure Shell (SSH), Secure Sockets Layer (SSL)/Transport Layer Security (TLS))
5.1.3.1 IPsec and IPsec VPN
5.1.3.1.1 IPsec VPN: Authentication Header (AH)
5.1.3.1.2 IPsec VPN: Encapsulating Security Payload (ESP)
5.1.3.1.3 IPsec operation modes
5.1.3.2 Transport Layer Security (TLS) / Secure Sockets Layer (SSL)
5.1.3.3 SSH (Secure Shell)
5.1.4 Implications of multilayer protocols
5.1.5 Converged protocols (e.g., Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP), InfiniBand over Ethernet, Compute Express Link)
5.1.5.1 Fibre Channel (FC) and Fibre Channel over Ethernet (FCoE)
5.1.5.2 Internet Small Computer System Interface (iSCSI)
5.1.5.3 Voice over IP (VoIP)
5.1.5.3.1 Session Initiation Protocol (SIP)
5.1.5.4 InfiniBand over Ethernet / RoCE
5.1.5.5 Compute Express Link
5.1.6 Transport architecture (e.g., topology, data/control/management plane, cut-through/store-and-forward)
5.1.6.1 Topology
5.1.6.2 Control Plane
5.1.6.3 Data Plane
5.1.6.4 Management Plane
5.1.6.5 Cut-Through
5.1.6.6 Store-and-Forward
5.1.7 Performance metrics (e.g., bandwidth, latency, jitter, throughput, signal-to-noise ratio)
5.1.7.1 Bandwidth
5.1.7.2 Latency
5.1.7.3 Jitter
5.1.7.4 Throughput
5.1.7.5 Signal-to-Noise Ratio (SNR)
5.1.8 Traffic flows (e.g., north-south, east-west)
5.1.8.1 North-South
5.1.8.2 East-West
5.1.9 Physical segmentation (e.g., in-band, out-of-band, air-gapped)
5.1.9.1 In-Band
5.1.9.2 Out-of-Band Management (OOB)
5.1.9.3 Air-Gapped
5.1.10 Logical segmentation (e.g., virtual local area networks (VLANs), virtual private networks (VPNs), virtual routing and forwarding, virtual domain)
5.1.10.1 Virtual Local Area Networks (VLANs)
5.1.10.2 Virtual Private Networks (VPNs)
5.1.10.3 Virtual Routing and Forwarding (VRF)
5.1.10.4 Virtual Domain
5.1.11 Micro-segmentation (e.g., network overlays/encapsulation; distributed firewalls, routers, intrusion detection system (IDS)/intrusion prevention system (IPS), zero trust)
5.1.11.1 Network Overlays/Encapsulation
5.1.11.2 Distributed Firewalls
5.1.11.3 Distributed Routers
5.1.12 Edge networks (e.g., ingress/egress, peering)
5.1.12.1 Ingress/egress
5.1.12.2 Peering
5.1.13 Wireless networks (e.g., Bluetooth, Wi-Fi, Zigbee, satellite)
5.1.13.1 Bluetooth
5.1.13.2 Wi-Fi
5.1.13.3 Zigbee
5.1.13.4 Satellite
5.1.14 Cellular/mobile networks (e.g., 4G, 5G)
5.1.14.1 4G
5.1.14.2 5G
5.1.15 Content distribution networks (CDN)
5.1.16 Software defined networks (SDN), (e.g., application programming interface (API), Software-Defined Wide-Area Network, network functions virtualization)
5.1.16.1 SDN and application programming interface (API)
5.1.16.2 Software-Defined Wide-Area Network (SD-WAN)
5.1.16.3 Network functions virtualization
5.1.17 Virtual Private Cloud (VPC)
5.1.18 Monitoring and management (e.g., network observability, traffic flow/shaping, capacity management, fault detection and handling)
5.2 Secure network components
5.2.1 Operation of infrastructure (e.g., redundant power, warranty, support)
5.2.2 Transmission media (e.g., physical security of media, signal propagation quality)
5.2.2.1 Physical security of media
5.2.2.2 Signal Propagation Quality
5.2.3 Network Access Control (NAC) systems (e.g., physical, and virtual solutions)
5.2.3.1 Physical NAC
5.2.3.2 Virtual NAC
5.2.4 Endpoint security (e.g., host-based)
5.3 Implement secure communication channels according to design
5.3.1 Voice, video, and collaboration (e.g., conferencing, Zoom rooms)
5.3.1.1 Voice
5.3.1.2 Video and collaboration
5.3.2 Remote access (e.g., network administrative functions)
5.3.3 Data communications (e.g., backhaul networks, satellite)
5.3.3.1 Backhaul networks
5.3.3.2 Satellite
5.3.3.3 Email security
5.3.3.3.1 SPF (Sender Policy Framework)
5.3.3.3.2 DKIM (DomainKeys Identified Mail)
5.3.3.3.3 DMARC (Domain-based Message Authentication, Reporting & Conformance)
5.3.4 Third-party connectivity (e.g., telecom providers, hardware support)
5.3.4.1 Telecom providers
5.3.4.2 Hardware support

6 Domain 5: Identity and Access Management (IAM)
6.1 Control physical and logical access to assets
6.1.1 Information and Systems
6.1.2 Devices and MDM
6.1.3 Facilities and PACS
6.1.4 Applications and services
6.2 Design identification and authentication strategy (e.g., people, devices, and services)
6.2.1 Groups and Roles
6.2.1.1 Groups
6.2.1.2 Roles
6.2.2 Authentication, Authorization and Accounting (AAA) (e.g., multi-factor authentication (MFA), password-less authentication)
6.2.2.1 Authentication
6.2.2.1.1 Multi-Factor Authentication (MFA)
6.2.2.1.2 Password-less Authentication
6.2.2.1.2.1 Biometric
6.2.2.2 Authorization
6.2.2.3 Accounting
6.2.2.4 AAA Servers / AAA Protocols
6.2.3 Session management
6.2.4 Registration, proofing, and establishment of identity
6.2.5 Federated Identity Management (FIM)
6.2.5.1 SAML (Security Assertion Markup Language)
6.2.5.2 OAuth
6.2.5.3 OpenID Connect (OIDC)
6.2.6 Credential management systems (e.g., Password vault)
6.2.7 Single sign-on (SSO)
6.2.8 Just-In-Time
6.2.9 Federated identity with a third-party service
6.2.9.1 Compare On-premise, Cloud and Hybrid
6.3 Implement and manage authorization mechanisms
6.3.1 Role-based access control (RBAC)
6.3.2 Rule based access control
6.3.3 Mandatory access control (MAC)
6.3.4 Discretionary access control (DAC)
6.3.5 Attribute-based access control (ABAC)
6.3.6 Risk based access control
6.3.7 Access policy enforcement (e.g., policy decision point, policy enforcement point)
6.4 Manage the identity and access provisioning lifecycle
6.4.1 Account access review (e.g., user, system, service)
6.4.2 Provisioning and deprovisioning (e.g., on/off boarding and transfers)
6.4.3 Role definition and transition (e.g., people assigned to new roles)
6.4.4 Privilege escalation (e.g., use of sudo, auditing its use)
6.4.5 Service accounts management
6.5 Implement authentication systems

7 Domain 6: Security Assessment and Testing
7.1 Design and validate assessment, test, and audit strategies
7.1.1 Internal (within organization control)
7.1.2 External and Third-party (outside organization / enterprise control)
7.1.3 Location (on-premise, cloud, hybrid)
7.1.3.1 On-premise
7.1.3.2 Cloud
7.1.3.3 Hybrid
7.1.3.4 Geographical Consideration
7.2 Conduct security controls testing
7.2.1 Vulnerability assessment
7.2.2 Penetration testing (e.g., red, blue, and/or purple team exercises)
7.2.2.1 Red Team Exercises
7.2.2.2 Blue Team Exercises
7.2.2.3 Purple Team Exercises
7.2.3 Log reviews
7.2.4 RUM / EUM
7.2.5 Synthetic transactions/benchmarks
7.2.6 Code review and testing
7.2.6.1 Black-Box-Testing vs. White-Box-Testing
7.2.6.2 Dynamic Testing and Static Testing
7.2.6.3 Manual Testing and Automatic Testing
7.2.6.4 Code review processes (Pair programming, Over-the-shoulder, Pass-around, Tool-assisted, etc.)
7.2.6.5 Types of testing
7.2.7 Misuse case testing
7.2.8 Coverage analysis
7.2.9 Interface testing (e.g., user interface, network interface, application programming interface (API))
7.2.10 Breach attack simulations
7.2.11 Compliance checks
7.3 Collect security process data (e.g., technical, and administrative)
7.3.1 Account management
7.3.2 Management review and approval
7.3.3 Key performance and risk indicators
7.3.4 Backup verification data
7.3.5 Training and awareness
7.3.6 Disaster recovery (DR) and Business Continuity (BC)
7.3.6.1 Read-through/tabletop
7.3.6.2 Walkthrough
7.3.6.3 Simulation
7.3.6.4 Parallel
7.3.6.5 Full interruption
7.3.6.6 Communications (e.g., stakeholders, test status, regulators)
7.4 Analyze test output and generate report
7.4.1 Remediation
7.4.2 Exception handling
7.4.3 Ethical disclosure
7.5 Conduct or facilitate security audits
7.5.1 Internal (e.g., within organization control)
7.5.2 External (e.g., outside organization control) and Third-party (e.g., outside of enterprise control)
7.5.3 Location (e.g., on-premise, cloud, hybrid)

8 Domain 7: Security Operations
8.1 Understand and comply with investigations
8.1.1 Evidence collection and handling
8.1.2 Reporting and documentation
8.1.3 Investigative techniques
8.1.4 Digital forensics tools, tactics, procedures and artifacts
8.2 Conduct logging and monitoring activities
8.2.1 Intrusion detection and prevention
8.2.1.1 IDS (Intrusion Detection System)
8.2.1.2 IPS (Intrusion Prevention System)
8.2.1.3 True Positive (TP), False Positive (FP), True Negative (TN), False Negative (FN)
8.2.2 Security Information and Event Management (SIEM)
8.2.3 Continuous monitoring and tuning
8.2.4 Egress monitoring
8.2.5 Log management
8.2.6 Threat intelligence (e.g., threat feeds, threat hunting)
8.2.7 User and Entity Behavior Analytics (UEBA)
8.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
8.4 Apply foundational security operations concepts
8.4.1 Need-to-know/least privilege
8.4.2 Separation of Duties (SoD) and responsibilities
8.4.3 Privileged account management
8.4.4 Job rotation
8.4.5 Service Level Agreements (SLAs)
8.5 Apply resource protection
8.5.1 Media management
8.5.2 Media protection techniques
8.5.3 Data at rest/data in transit
8.6 Conduct incident management
8.6.1 Detection
8.6.2 Response
8.6.3 Mitigation
8.6.4 Reporting
8.6.5 Recovery
8.6.6 Remediation
8.6.7 Lessons learned
8.7 Operate and maintain detection and preventative measures
8.7.1 Firewalls (e.g., next generation, web application, network)
8.7.1.1 Firewall
8.7.1.2 Proxies
8.7.2 Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
8.7.3 Whitelisting/blacklisting
8.7.4 Third-party provided security services
8.7.5 Sandboxing
8.7.6 Honeypots/honeynets
8.7.7 Anti-malware
8.7.8 Machine learning and Artificial Intelligence (AI) based tools
8.8 Implement and support patch and vulnerability management
8.9 Understand and participate in change management processes
8.10 Implement recovery strategies
8.10.1 Backup storage strategies (e.g., cloud storage, onsite, offsite)
8.10.1.1 RAID
8.10.1.2 Cloud Storage
8.10.1.3 Onsite Storage
8.10.1.4 Offsite Storage
8.10.2 Recovery site strategies (e.g., cold vs. hot, resource capacity agreements)
8.10.2.1 Cold vs. Hot
8.10.2.2 Resource Capacity Agreements
8.10.3 Multiple processing sites
8.10.4 System resilience, high availability (HA), Quality of Service (QoS), and fault tolerance
8.10.4.1 System resilience
8.10.4.2 High availability and fault tolerance
8.10.4.3 Software Escrow
8.10.4.4 Quality of service
8.11 Implement disaster recovery (DR) processes
8.11.1 Response
8.11.2 Personnel and Communications (e.g., methods)
8.11.3 Assessment and Restoration
8.11.4 Training and awareness
8.11.5 Lessons learned
8.12 Test disaster recovery plan (DRP)
8.12.1 Read-through/tabletop
8.12.2 Walkthrough
8.12.3 Simulation
8.12.4 Parallel
8.12.5 Full interruption
8.13 Participate in Business Continuity (BC) planning and exercises
8.14 Implement and manage physical security
8.14.1 Perimeter security controls
8.14.2 Internal security controls
8.15 Address personnel safety and security concerns
8.15.1 Travel
8.15.2 Security training and awareness (e.g., insider threat, social media impacts, two-factor authentication (2FA) fatigue)
8.15.2.1 Insider threat
8.15.2.2 Social media impacts
8.15.2.3 Two-Factor Authentication (2FA) Fatigue
8.15.3 Emergency management and Duress

9 Domain 8: Software Development Security
9.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
9.1.1 Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps, Scaled Agile Framework)
9.1.1.1 Waterfall
9.1.1.2 Agile
9.1.1.3 DevOps
9.1.1.4 DevSecOps
9.1.1.5 Scaled Agile Framework (SAFe)
9.1.2 Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
9.1.2.1 Capability Maturity Model (CMM)
9.1.2.2 Software Assurance Maturity Model (SAMM)
9.1.3 Operation and maintenance
9.1.3.1 Regression testing
9.1.3.2 Acceptance testing
9.1.4 Change management
9.1.5 Integrated Product Team (IPT)
9.2 Identify and apply security controls in software development ecosystems
9.2.1 Programming languages
9.2.2 Libraries
9.2.3 Tool sets and Integrated Development Environment (IDE)
9.2.4 Runtime
9.2.5 Continuous Integration and Continuous Delivery (CI/CD)
9.2.6 Security Orchestration, Automation, and Response (SOAR)
9.2.7 Software Configuration Management
9.2.8 Code repositories
9.2.9 Application security testing (e.g., static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), interactive application security testing (IAST))
9.2.9.1 Static Application Security Testing (SAST)
9.2.9.2 Dynamic Application Security Testing (DAST)
9.2.9.3 Interactive Application Security Testing (IAST)
9.3 Assess the effectiveness of software security
9.3.1 Auditing and logging of changes
9.3.2 Risk analysis and mitigation
9.4 Assess security impact of acquired software
9.4.1 Commercial off-the-shelf (COTS)
9.4.2 Open source
9.4.3 Third-party
9.4.4 Managed services (e.g., enterprise applications)
9.4.5 Cloud services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
9.4.5.1 Software as a Service (SaaS)
9.4.5.2 Platform as a Service (PaaS)
9.4.5.3 Infrastructure as a Service (IaaS)
9.5 Define and apply secure coding guidelines and standards
9.5.1 Security weaknesses and vulnerabilities at the source-code level
9.5.2 Security of application programming interfaces (API)
9.5.3 Secure coding practices
9.5.4 Software-defined security

10 NIST SP (Special Publication) related to CISSP exam

11 ISO/IEC 27000 series standards

12 Further reading
12.1 Some methods for exploiting vulnerabilities
12.2 Domain 1 topics
12.2.1 Other examples and topics of ethics
12.2.1.1 The Code of Fair Information Practices
12.2.1.2 Internet Architecture Board
12.2.1.3 Computer Ethics Institute (CEI)
12.2.1.4 Common ethics fallacies
12.2.2 More about export controls: Wassenaar Arrangement
12.2.3 Best Practices of Security Policy
12.2.4 Security Planning
12.2.4.1 Strategic Planning
12.2.4.2 Tactical Planning
12.2.4.3 Operational Planning
12.2.4.4 An example of security planning
12.2.5 Other risk assessment methodologies
12.2.5.1 NIST SP 800-30, NIST SP 800-39 and NIST SP 800-66
12.2.5.2 CCTA Risk Analysis and Management Method (CRAMM)
12.2.5.3 Failure mode and effects analysis (FMEA)
12.2.5.4 Facilitated risk analysis process (FRAP)
12.2.5.5 OCTAVE
12.2.5.6 Security Officers Management and Analysis Project (SOMAP)
12.2.5.7 Value at Risk (VaR)
12.2.6 Payment Card Industry Data Security Standard (PCI DSS)
12.2.7 Industry and international security implementation guidelines
12.2.8 Control Objectives for Information and Related Technology (COBIT)
12.3 Domain 2 topics
12.3.1 General privacy concepts
12.3.2 Hardware and software considerations
12.3.3 Link encryption and end-to-end encryption
12.3.4 More about standard selection
12.3.4.1 United States
12.3.4.1.1 Department of Defense
12.3.4.1.2 National Security Agency (NSA)
12.3.4.1.3 National Institute of Standards and Technology (NIST)
12.3.4.2 United Kingdom
12.3.4.2.1 Communications-Electronics Security Group (CESG)
12.3.4.3 European Union
12.3.4.4 International Organization for Standardization (ISO)
12.3.4.5 International Telecommunication Union (ITU)
12.3.4.6 NATO
12.4 Domain 3 topics
12.4.1 System Life Cycle
12.4.2 Security principles based on NIST SP 800-27
12.4.3 Relationships between principles and System life-cycles
12.4.4 Common system components
12.4.4.1 Processors
12.4.4.2 Memory and storage (primary storage)
12.4.4.3 Memory and storage (secondary storage)
12.4.4.4 Memory and storage (virtual storage)
12.4.4.5 Memory and storage (memory protection)
12.4.5 Layering / Protection ring
12.4.6 More security models
12.4.6.1 Lipner Model
12.4.6.2 Brewer-Nash (The Chinese Wall) Model
12.4.6.3 Graham-Denning Model
12.4.6.4 Harrison-Ruzzo-Ullman Model
12.4.7 Select controls and countermeasures based upon systems security evaluation models
12.4.7.1 Certification and accreditation
12.4.7.1.1 Certification
12.4.7.1.2 Accreditation
12.4.7.2 Product evaluation models
12.4.7.2.1 Trusted Computer System Evaluation Criteria (TCSEC)
12.4.7.2.2 Information Technology Security Evaluation Criteria (ITSEC)
12.4.7.2.3 Common Criteria
12.4.7.3 Data Flow Diagram (DFD)
12.4.7.4 Warehousing and data mart
12.4.8 Large-scale parallel data systems
12.4.9 Distributed systems
12.4.9.1 Grid computing
12.4.9.2 Peer to peer (P2P)
12.4.10 Classic encryption systems
12.4.10.1 Null Cipher
12.4.10.2 The Rail Fence
12.4.10.3 Caesar Cipher / Monoalphabetic Cipher
12.4.10.4 Vigenère Cipher (Blaise de Vigenère) / Polyalphabetic Cipher
12.4.10.5 Playfair Cipher
12.4.11 Running Key Cipher with modular mathematics
12.4.12 One-time Pads
12.4.13 Double DES
12.4.14 Key escrow / “fair” cryptosystem
12.4.15 Key management: XML Key Management Specification (XKMS)
12.4.16 Blockchain
12.4.16.1 Concepts
12.4.16.2 51% attack
12.4.17 More about fire suppression
12.4.17.1 Other fire suppression agents (except those mentioned in chapter 4.8.6.2)
12.4.18 Terms used in electrical voltage fluctuations
12.4.19 Trusted Computing Base (TCB)
12.4.20 Security Kernels and Reference Monitors
12.4.21 Common architecture frameworks
12.4.21.1 Zachman Framework
12.4.21.2 Sherwood Applied Business Security Architecture (SABSA) Framework
12.4.21.3 The Open Group Architecture Framework (TOGAF)
12.4.21.4 IT Infrastructure Library (ITIL v3 / ITIL 4)
12.4.22 Roadway Design
12.4.23 Crime Prevention Through Environmental Design (CPTED)
12.4.24 Entry points: Doors
12.4.25 Entry points: Windows
12.4.25.1 Types of glass
12.4.26 Ground Potential Rise (GPR)
12.4.27 Sprinkler system
12.5 Domain 4 topics
12.5.1 Simplex, half duplex and full duplex
12.5.2 Attacks related to Internet Control Message Protocol (ICMP)
12.5.2.1 Ping of death
12.5.2.2 ICMP redirect attack / Man-in-the-middle attack
12.5.3 More about Multilayer protocols / Implications of multilayer protocols
12.5.3.1 DNP3
12.5.3.2 Modbus
12.5.4 File Transfer Protocol (FTP)
12.5.4.1 FTP Transfer modes: Active mode (PORT mode)
12.5.4.2 FTP Transfer modes: Passive mode (PASV mode)
12.5.4.3 Secure FTP with TLS (FTPS)
12.5.4.4 FTP over SSH
12.5.5 Trivial File Transfer Protocol (TFTP)
12.5.6 Common Internet File System (CIFS) / Server Message Block (SMB)
12.5.7 Simple Mail Transfer Protocol (SMTP) / Extended Simple Mail Transfer Protocol (ESMTP)
12.5.8 Lightweight Directory Access Protocol (LDAP)
12.5.9 Network Basic Input Output System (NetBIOS)
12.5.10 Network Information Service (NIS / NIS+)
12.5.11 Fibre Channel over Internet Protocol (FCIP)
12.5.12 InfiniBand (IB)
12.5.13 MPLS Pseudowires / L2VPN
12.5.14 Circuit switched and packet switched networks
12.5.14.1 Circuit switched networks
12.5.14.2 Packet switched networks
12.5.15 Common hardware
12.5.15.1 Modems
12.5.15.2 Multiplexers
12.5.15.3 Switches and bridges
12.5.15.4 Hubs / Repeaters
12.5.15.5 Routers
12.5.15.6 Wireless access points (WAP / AP)
12.5.16 More about Multimedia collaboration
12.5.16.1 Remote meeting technology
12.5.16.2 Instant messaging (IM)
12.5.16.3 Extensible Messaging and Presence Protocol (XMPP) / Jabber
12.5.17 Network attacks
12.5.17.1 Domain litigation
12.5.17.2 Open mail relay and SPAM
12.5.17.3 Port scanning
12.5.17.4 Port scanning: FIN scan / Xmas scan / Null scan
12.5.17.5 Teardrop
12.5.17.6 Overlapping fragment attack
12.5.17.7 Source Routing Exploitation
12.5.17.8 Denial of service and spoofing
12.5.17.9 Email spoofing
12.5.17.10 DNS spoofing
12.5.17.11 Eavesdropping
12.5.17.12 Emanations / Tempest
12.5.18 TLS VPN / SSL VPN
12.5.19 PPP and CHAP
12.5.19.1 PPP
12.5.20 “Addresses” of a host
12.5.21 TCP and UDP (Layer 4)
12.5.21.1 TCP
12.5.21.2 UDP
12.5.22 Ports (Layer 4)
12.5.22.1 Well-known ports / System ports
12.5.22.2 Registered ports / User Ports
12.5.22.3 Dynamic ports / Private ports / Ephemeral ports
12.5.23 Routing protocols
12.5.23.1 RIPv1, RIPv2 and RIPng
12.5.23.2 OSPFv2 and OSPFv3
12.5.23.3 Border Gateway Protocol (BGP)
12.5.24 Dynamic Host Configuration Protocol (DHCP)
12.5.25 Internet Control Message Protocol (ICMP)
12.5.25.1 Smurf attack
12.5.26 Domain Name System (DNS)
12.5.27 Network overlay and Virtual eXtensible Local Area Network (VXLAN)
12.5.28 Wireless networks
12.5.28.1 Wireless standards
12.5.28.2 MAC filtering
12.5.28.3 Shared key authentication
12.5.28.4 Wired equivalent privacy (WEP)
12.5.28.5 Wi-Fi protected access (WPA) / WPA2 / WPA3
12.5.28.6 “Parking lot” attack
12.5.28.7 SSID flaw
12.5.28.8 Signal jamming
12.5.29 Li-Fi
12.5.30 Screen scraping
12.6 Domain 5 topics
12.6.1 Control physical and logical access to assets
12.6.1.1 Access control of information
12.6.1.2 Centralized access control system for devices access control
12.6.1.3 Decentralized access control
12.6.1.4 Hybrid access control
12.6.2 Manage identification and authentication of people and devices
12.6.2.1 Identification methods
12.6.2.2 Identification guidelines
12.6.2.3 Identification implementation
12.6.2.3.1 Password management
12.6.2.3.2 Account management
12.6.2.4 Profile management
12.6.2.5 Directory management and Lightweight Directory Access Protocol (LDAP)
12.6.2.6 X.500 and X.400
12.6.3 Biometric
12.6.4 Classic Role-Based Access Control (RBAC) concepts
12.6.4.1 Non-RBAC
12.6.4.2 Limited RBAC
12.6.4.3 Hybrid RBAC
12.6.4.4 Full RBAC
12.6.5 SDDL (Security Descriptor Definition Language)
12.6.6 Prevent and mitigate access control attacks and IAM
12.6.6.1 Identity and access provisioning lifecycle
12.7 Domain 7 topics
12.7.1 More about evidence
12.7.2 Shoulder Surfing
12.7.3 Firewall architectures
12.7.3.1 Dual-Homed Firewall
12.7.3.2 Screened Host
12.7.3.3 Screened Subnet
12.7.4 Classic recovery site strategies and multiple processing sites
12.7.5 More about SOC1, SOC2 and SOC3
12.8 Domain 8 topics
12.8.1 More about agile software methodology
12.8.1.1 Scrum
12.8.1.2 Extreme programming (XP)
12.8.1.3 Test-driven development (TDD)
12.8.1.4 Lean
12.8.1.5 Minimum viable product (MVP)
12.8.2 More about programming languages (compiled languages vs. interpreted languages)
12.8.3 Type checking
12.8.4 Language generations
12.8.5 Model View Controller (MVC)
12.8.6 Common programming languages
12.8.7 ACID in database transactions
12.8.8 Database View
12.8.9 Von Neumann models
12.8.10 Relationship between acquisition processes and IEEE 1062, PMBOK, NIST SP 800-64, DoDI 5000.2, ISO / IEC 12207
12.8.11 Object-Oriented (OO) programming
12.8.11.1 Encapsulation
12.8.11.2 Inheritance
12.8.11.3 Polymorphism
12.8.12 Distributed object-oriented systems
12.8.12.1 CORBA (Common Object Request Broker Architecture)
12.8.12.2 EJB (Enterprise JavaBeans)
12.8.12.3 Microsoft COM / DCOM
12.8.12.4 More about viruses
12.8.12.5 More about botnets
12.8.12.6 More about worms
12.8.12.7 Hoaxes
12.8.13 Database Management System (DBMS)
12.8.13.1 Database Management System (DBMS) Elements
12.8.13.2 Relational Database Management System (RDBMS)
12.8.14 Normalization, primary keys, foreign keys and referential integrity
12.8.14.1 Normalization
12.8.14.2 Primary keys
12.8.14.3 Foreign keys and referential integrity
12.8.14.4 OODBMS and ORDBMS
12.8.15 Database Interface Languages
12.8.16 Polyinstantiation
12.8.17 Secure Electronic Transaction (SET) Protocol
12.8.18 Cleanroom
12.9 More about the examination (Computerized Adaptive Testing)

The course content above may change at any time without notice in order to better reflect the content of the examination.


The CISSP international certification course run by this centre has an outstanding track record, and local media have sought interviews about it. Below is the education feature interview published by Oriental Daily News (東方日報).

[Click to read the full Oriental Daily News report]
