CISSP Training Course




One of the 10 advantages of on-demand class recordings, convenient locations: our centres are in Mong Kok, Kwun Tong, North Point, Sha Tin and Tuen Mun, all close to MTR stations!

CISSP International Certification Course (Premier Cybersecurity Certification)
Short name: CISSP Training Course

  • Course schedule
  • Course overview
  • Course features
  • Exam information
  • Course content
  • Press interviews

The CISSP course starting on 13 December covers both the current syllabus and the new syllabus (2021-05).


Course offer! Enrol in the following two courses at the same time:
and save $530!

Traditional service: in-class schedule (Location: Mong Kok   Total fee: $3,980)
Enrol by phone or through this web page; once the centre has confirmed that a seat has been reserved for you, you can pay the tuition fee by FPS (轉數快). The process is simple!

Note:
As the Education Bureau has required classes to be suspended, this course will be postponed until after the resumption date announced by the Education Bureau. Affected students will be notified as soon as possible.

Code: PS1171DM
Dates (dd/mm): 13/12 - 10/01 (13/12, 20/12, 27/12, 3/1/2021, 10/1/2021; download detailed class dates)
Time: 10:30am - 5:30pm (lunch: 1:30pm-2:30pm)
Fee: $3,980
Instructor: Franco
Click here to enrol: CISSP Training Course
* Government departments may pay by P Card

*** Quality guarantee: watch the first 3 hours of the class recordings free of charge at any location, so that you can judge the quality of the instructor and the materials before enrolling. ***
Please call the centre staff to make an appointment. Phone numbers by location:
Mong Kok 2332-6544
Kwun Tong 3563-8425
North Point 3580-1893
Sha Tin 2151-9360
Tuen Mun 3523-1560

Free make-up classes: students can watch the class recordings at any location to catch up on a missed class, so that they can follow the subsequent classes!
Free re-attendance: within three months after the course ends, students can re-watch the class recordings at any location an unlimited number of times to revise the whole course!
Class hours: 30 hours
Instructor: Franco (list of courses taught)
Class suspension arrangement: if the Education Bureau announces a class suspension because of the pandemic, the centre may release the recordings of some classes for students to watch at home, so that students can continue studying during the suspension; after classes resume, teaching continues from the class following the released recordings.

For free make-up classes or free re-attendance under the traditional service, if you choose Mong Kok or Kwun Tong on a weekday (Monday to Thursday), you must finish watching the class recording by 6:30 p.m.


Recommended service: class recordings on demand (watch at home = 0%, watch at the centre = 100%)
Enrol by phone or through this web page; once the centre has confirmed that a seat has been reserved for you, you can pay the tuition fee by FPS (轉數快). The process is simple!
Tuition as low as 15% off:
Code: PS2012MV   Location: Mong Kok   Bookable times: Mon-Fri 14:30 - 22:15, Sat 13:45 - 21:30, Sun 10:15 - 18:00 (closed on public holidays)   Fee: 5% off, only $3,781   Click here to enrol: CISSP Training Course
Code: PS2012OV   Location: Kwun Tong   Bookable times: Mon-Fri 13:30 - 22:00, Sat and Sun 12:30 - 21:00 (closed on Wednesdays and public holidays)   Fee: 10% off, only $3,582   Click here to enrol: CISSP Training Course
Code: PS2012PV   Location: North Point   Bookable times: Mon-Fri 13:30 - 22:00, Sat and Sun 12:30 - 21:00 (closed on Wednesdays and public holidays)   Fee: 10% off, only $3,582   Click here to enrol: CISSP Training Course
Code: PS2012SV   Location: Sha Tin   Bookable times: Mon-Fri 13:30 - 22:00, Sat and Sun 12:30 - 21:00 (closed on Wednesdays and public holidays)   Fee: 15% off, only $3,383   Click here to enrol: CISSP Training Course
Code: PS2012YV   Location: Tuen Mun   Bookable times: Mon-Fri 13:30 - 22:00, Sat and Sun 12:30 - 21:00 (closed on Wednesdays and public holidays)   Fee: 15% off, only $3,383   Click here to enrol: CISSP Training Course
* Government departments may pay by P Card
Free trial viewing at the centre: the first 3 hours; please call the centre staff to make an appointment. Phone numbers by location:
Mong Kok 2332-6544
Kwun Tong 3563-8425
North Point 3580-1893
Sha Tin 2151-9360
Tuen Mun 3523-1560
Free re-watching at the centre: during the access period, students can re-watch the class recordings at the location where they enrolled an unlimited number of times to revise the whole course!
Instructor Q&A: after watching a class recording, students can raise questions directly related to that class, and the course instructor will gladly answer them one-on-one!
Class hours: 30 hours
Access period: 10 weeks (the whole course can be viewed within 4 weeks from the enrolment date, plus a 6-week reserve period). You control the pace, faster or slower.
Recorded-class instructor: Franco (list of courses taught)
Viewing at the centre: details and demo clip


Centre locations (district, address, phone, Education Bureau registration number):
Mong Kok: Rooms 1802-1807, 18/F, 皆旺商業大廈, 109 Argyle Street, Mong Kok, Kowloon. Tel: 2332-6544. EDB registration no.: 533459
Kwun Tong: Room G2, 12/F, 寧晉中心, 7 Shing Yip Street, Kwun Tong, Kowloon. Tel: 3563-8425. EDB registration no.: 588571
North Point: Shops 01-02, 3/F, 華寶商業大廈, 41-47 Marble Road, North Point, Hong Kong. Tel: 3580-1893. EDB registration no.: 591262
Sha Tin: Room M, 10/F, Kings Wing Plaza Phase 1, 3 On Kwan Street, Shek Mun, Sha Tin, New Territories. Tel: 2151-9360. EDB registration no.: 604488
Tuen Mun: Room 1708, 17/F, Parklane Square, 2 Tuen Hi Road, Tuen Mun, New Territories. Tel: 3523-1560. EDB registration no.: 592552
Note! Customers must ask any school they enrol with for its Education Bureau registration number, to confirm that it is a registered school and avoid unnecessary losses!



In recent years, systems and network technology has advanced at a tremendous pace. When developing a solution or handling electronic information, we must consider not only functionality but also information security. Once an information security incident occurs (for example, a leak of customer data), the damage to reputation or finances can be unimaginable. Information security has therefore become a "compulsory subject" in the I.T. industry, and employers hiring I.T. staff now require information security knowledge and related certifications, such as CISSP (Certified Information Systems Security Professional).

The CISSP certification scheme was established by the International Information Systems Security Certification Consortium (ISC2). CISSP is a vendor-neutral certification: the knowledge it covers is not tied to any particular hardware or software vendor, so CISSP knowledge can be applied very widely. The CISSP exam is built around the following 8 CBK (Common Body of Knowledge) domains:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security




To obtain the CISSP, a candidate must

  1. have 5 years of information-security-related work experience;
  2. pass the CISSP exam (we provide plenty of practice questions to make passing the exam easier);
  3. complete the Endorsement process
    (the centre's CISSP students can apply to the centre for free Endorsement assistance, and the centre provides the Endorsement service free of charge in accordance with ISC2 guidelines);
  4. pass the ISC2 audit.

Note: applicants who do not yet have enough work experience can still take the CISSP exam; after passing they become an Associate of ISC2, and can apply to become a CISSP once they have accumulated enough work experience.



Course name: CISSP International Certification Course (Premier Cybersecurity Certification)
- Short name: CISSP Training Course
Course duration: 30 hours in total (10 sessions)
Suitable for: anyone interested in information security
Language of instruction: mainly Cantonese, supplemented with English
Course notes: written by the centre's instructor, mainly in English, with Chinese glosses for some English terms.

1. Taught by Franco Tsang in person: this course is taught by Franco Tsang, who holds CISSP, CCIE, RHCE and MCITP and has both the skills and the experience.
2. Notes written by Franco: Franco writes the notes himself, so you do not have to plough through textbooks as thick as a dictionary that do not suit the way Hong Kong students study.
3. Equal emphasis on theory and practice: Franco gives many demonstrations in class to help students understand abstract information security concepts and how to apply CISSP knowledge in their daily work. We also provide plenty of practice questions to make passing the exam easier.
4. Free re-attendance: in-class students can re-watch the class recordings free of charge within three months after the course ends.

The instructor will explain the exam procedure in class.

After passing the exam, the next step is Endorsement. The candidate must be recommended by another ISC2 certified member, who signs the Endorsement Form for the candidate.

The centre's CISSP students can apply to the centre for free Endorsement assistance, and the centre provides the Endorsement service free of charge in accordance with ISC2 guidelines.

Finally, ISC2 randomly selects candidates' submitted documents for audit. After passing the audit, the candidate becomes a CISSP.

Recently, the following Systematic CISSP course students applied for our help and we endorsed them successfully (including 2012-2020 examinations):

  • A. Chung
  • A.Wong
  • Alan Cheung
  • Alan Choi
  • Alan Kwong
  • Alan Lee
  • Albert To
  • Alfred S.Y. Chan
  • Alfred Y.H. Chan
  • Andy Lau
  • Anthony Wu
  • Antony Chan
  • B. Ho
  • B. Kwok
  • B. Lau
  • B. Yiu
  • Ben Chan
  • Ben Wong
  • Billy Chan
  • C. Choi
  • C. Lee
  • C. Ma
  • C. Tse
  • C.F. Cho
  • C.F. Ko
  • C.I. Choi
  • C.M. Yip
  • C.N. Yue
  • Charlaes Ho
  • Charles Wong
  • Chris Ng
  • Chris Ngai
  • Cody Wong
  • Colin Yeung
  • David Lau
  • David Leung
  • Derek Au
  • Derek Yeung
  • Eddie Ho
  • Edmond Chan
  • Edward Tam
  • Edwin Tang
  • Eric Wong
  • Eric Wu
  • Ernest Chan
  • F. Mok
  • F. Tong
  • F. Tse
  • Frankie Ng
  • G. Cheung
  • G. Kan
  • G. Tang
  • Gavin Lo
  • H. S. Lam
  • H. Seto
  • H. Y. Lin
  • Henry Pang
  • Howard Lee
  • Ivan Chow
  • Ivan Mong
  • J. Chan
  • J. Lai
  • J. Lau
  • J. Mak
  • J. Ng
  • J. Ting
  • Jason Li
  • Jason Luk
  • Jeff Ho
  • Joe Chan
  • Joey Ho
  • Johnny Lam
  • Joseph Kwong
  • Joseph Lau
  • Justin Mok
  • K. Chan
  • K. F. Lau
  • K. Fung
  • K. Kwan
  • K. S. Li
  • K. Tsui
  • K.F. Fung
  • K.F. Tang
  • K.F. Wong
  • K.W. Chung
  • K.W. Tse
  • Kelvin Tang
  • Kelvin Tse
  • Kene Lai
  • Kenneth Cheung
  • Kenneth Keung
  • Kenneth Shum
  • L. Chung
  • L. Ng
  • L. T. Kwok
  • Lawrence Chan
  • Lawrence Tang
  • M. Hui
  • M. Leung
  • M. Ng
  • M.C. Chan
  • M.H. Yip
  • Matthew Chan
  • Maverick Wong
  • N. C
  • O. Yun
  • P. Lam
  • P. Yau
  • Paul Wong
  • Ray Lam
  • Ray Tsang
  • Raymond Cheung
  • Raymond Law
  • Raymond Lo
  • Rex Lee
  • Richard Mon
  • Roy Fong
  • Roy Lam
  • Roy Yiu
  • S. F. Choy
  • S. H. Wang
  • S. Lam
  • S. Leung
  • S. Mak
  • S. Sin
  • S. Y. Chu
  • S.H. So
  • S.M. Ho
  • S.W. Lu
  • Sam Lo
  • Sammy Leung
  • Samson Tai
  • Simon Leung
  • Simon Yu
  • Stanley Lam
  • Stephanie Chan
  • Steve Wong
  • Steven Tsoi
  • T. Leung
  • T. W. Cheng
  • T.S. Chan
  • T.Y. Li
  • Terence Mak
  • Terry Ng
  • Terry Yau
  • Tony Lo
  • Tony Wong
  • Tony Yeung
  • U. Cheung
  • V. Tang
  • Vincent Chan
  • W. C. Fung
  • W. H. Ma
  • W. Hung
  • W. L. Lee
  • W. T. Tai
  • W.C.D. Fung
  • W.S Lai
  • W.S. Chu
  • W.T. Chiu
  • Willy Poon
  • X. Yao
  • Y. C. Choi
  • Y. Chang
  • Y. K. Kong
  • Y.C. Chow
  • Y.L. Cheng
  • Y.T. Tang
  • Zero Ho
  • and more... too many to list

Congratulations to them!!






Course name: CISSP International Certification Course (Premier Cybersecurity Certification)
- Short name: CISSP Training Course

Content of the CISSP course starting on 13 December (Syllabus 2021-05 and current syllabus):

1 Introduction
1.1 Steps to get the CISSP certification

2 Domain 1: Security and Risk Management
2.1 Understand, adhere to, and promote professional ethics
2.1.1 (ISC)2 Code of Professional Ethics
2.2 Understand and apply security concepts
2.2.1 Confidentiality
2.2.2 Integrity
2.2.3 Availability
2.2.4 Authenticity
2.2.5 Nonrepudiation
2.3 Evaluate and apply security governance principles
2.3.1 Security governance
2.3.2 Align security functions to organization goals, missions and objectives
2.3.2.1 Business case
2.3.2.2 Budget
2.3.2.3 Resources
2.3.3 Organizational processes (e.g., acquisitions, divestitures, governance committees)
2.3.3.1 Acquisitions and Mergers
2.3.3.2 Divestitures and Spinoffs
2.3.3.3 Governance Committees
2.3.4 Organizational roles and responsibilities
2.3.4.1 Information security officer / Chief information security officer (CISO)
2.3.4.2 Oversight committee representation / Security Council
2.3.4.3 End-users
2.3.4.4 Executive Management
2.3.4.5 Information systems security professionals
2.3.4.6 Data owners, information owners, business owners
2.3.4.7 Data custodians, information custodians, stewards
2.3.4.8 Auditors
2.3.4.9 Business continuity planners
2.3.4.10 Information technologies professionals
2.3.4.11 Security administrators
2.3.4.12 System administrators
2.3.4.13 Network administrators
2.3.4.14 Physical security administrators
2.3.4.15 Administrative assistants / Receptionists
2.3.4.16 Service desk
2.3.5 Security control frameworks
2.3.6 Due care/due diligence
2.3.6.1 Due Care
2.3.6.2 Due Diligence
2.4 Determine compliance and other requirements
2.4.1 Contractual, legal, industry standards, and regulatory requirements (GLBA, SOX, HIPAA, PCI-DSS, DMCA, FISMA, GISRA, FERPA, SOC, HITECH, etc.)
2.4.2 Privacy requirements
2.5 Understand legal and regulatory issues that pertain to information security in a holistic context
2.5.1 Cybercrimes and data breaches
2.5.1.1 Crypto Locker / Reveton / Citadel
2.5.1.2 Rogue Anti-Virus software
2.5.1.3 Data breaches
2.5.2 Licensing
2.5.3 Intellectual Property (IP) requirements
2.5.3.1 Patent
2.5.3.2 Trademark
2.5.3.3 Copyright
2.5.3.4 Trade Secret
2.5.4 Import / export controls
2.5.4.1 International Traffic in Arms Regulations (ITAR)
2.5.4.2 Export Administration Regulations (EAR)
2.5.5 Transborder data flow
2.5.6 Privacy
2.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
2.6.1 Civil law
2.6.2 Common law
2.6.2.1 Criminal law
2.6.2.2 Administrative / regulatory law
2.6.3 eDiscovery
2.6.4 Industry standards
2.7 Develop, document, and implement security policy, standards, procedures, and guidelines
2.7.1 Security Policy
2.7.2 Standards
2.7.3 Procedures
2.7.4 Guidelines
2.7.5 Baselines
2.7.6 An integrated example of security policy, standards, procedures, and guidelines
2.7.6.1 Security policy
2.7.6.2 Standard
2.7.6.3 Procedure
2.7.6.4 Guideline
2.7.6.5 Baseline
2.8 Identify, analyze, and prioritize Business Continuity (BC) requirements
2.8.1 Project initiation
2.8.2 Develop and document project scope and plan
2.8.3 Business impact analysis (BIA)
2.8.3.1 Maximum tolerable downtime (MTD)
2.8.3.2 Recovery point objective (RPO)
2.8.3.3 Recovery time objective (RTO)
2.9 Contribute to and enforce personnel security policies and procedures
2.9.1 Before the employment, Candidate screening and hiring, employment agreement and policy
2.9.2 During the employment, onboarding / transfer processes
2.9.2.1 Separation of Duties / Segregation of Duties (SoD)
2.9.2.2 Need-to-know / Least privilege
2.9.2.3 Job rotation
2.9.2.4 Mandatory vacations
2.9.3 Termination processes
2.9.4 Vendor, consultant, and contractor agreements and controls
2.9.5 Compliance and privacy policy requirements
2.10 Understand and apply risk management concepts
2.10.1 Identify threats and vulnerabilities
2.10.1.1 Threats
2.10.1.2 Vulnerabilities
2.10.2 Risk assessment / analysis
2.10.2.1 Qualitative risk assessment / analysis
2.10.2.2 Quantitative risk assessment / analysis
2.10.2.2.1 Asset identification and valuation
2.10.2.2.2 Calculate Exposure factor (EF) and Single-loss expectancy (SLE)
2.10.2.2.3 Assess Annualized Rate of Occurrence (ARO), LAFE and SAFE
2.10.2.2.4 Calculate Annualized loss expectancy (ALE) and countermeasure selection
2.10.2.3 Considerations of qualitative risk assessment / analysis
2.10.2.4 Considerations of quantitative risk assessment / analysis
2.10.2.5 Hybrid
2.10.3 Risk response / assignment / acceptance
2.10.4 Countermeasure selection and implementation
2.10.4.1 Countermeasure selection
2.10.4.2 Countermeasure implementation
2.10.5 Applicable types of controls (e.g., preventive, detective, corrective)
2.10.5.1 Types of controls
2.10.5.1.1 Compensating controls
2.10.5.1.2 Corrective controls
2.10.5.1.3 Deterrent controls
2.10.5.1.4 Detective controls
2.10.5.1.5 Preventive controls
2.10.5.1.6 Recovery controls
2.10.5.2 Control implementations
2.10.5.2.1 Administrative controls
2.10.5.2.2 Physical controls
2.10.5.2.3 Logical controls / Technical controls
2.10.5.2.4 An integrated example of controls
2.10.6 Security Control assessment (SCA) / monitoring and measurement / reporting
2.10.7 Continuous improvement
2.10.7.1 Risk maturity modeling
2.10.8 Risk frameworks / Risk management framework (RMF)
2.11 Understand and apply threat modeling concepts and methodologies (with reduction analysis)
2.11.1 Threat modeling tool
2.11.2 STRIDE
2.11.3 PASTA
2.11.4 Other threat models
2.11.5 Reduction analysis
2.12 Apply Supply Chain Risk Management (SCRM) concepts
2.12.1 Risks associated with hardware, software, and services
2.12.2 Third-party assessment and monitoring
2.12.3 Minimum security standard and service level requirements (SLR)
2.13 Establish and maintain a security awareness, education, and training program
2.13.1 Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
2.13.2 Security training
2.13.3 Program effectiveness evaluation and periodic content reviews

3 Domain 2: Asset Security
3.1 Identify and classify information and assets
3.1.1 Data classification
3.1.2 Asset Classification
3.2 Establish information, asset handling requirements and relevant laws and regulations
3.2.1 General Data Protection Regulation (GDPR)
3.2.2 Other regulations
3.3 Provision resources securely
3.3.1 Information and asset ownership
3.3.2 Asset inventory (e.g., tangible, intangible) and asset management
3.4 Manage data lifecycle
3.4.1 Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
3.4.1.1 Owners
3.4.1.2 Data controllers / Controllers
3.4.1.3 Data processors / processors
3.4.1.4 Data Stewards
3.4.1.5 Data Custodians, users / subjects
3.4.2 Data collection
3.4.3 Data Location, data sovereignty, data localization or residency, data maintenance
3.4.4 Data remanence and destruction
3.4.4.1 Clearing
3.4.4.2 Purging
3.4.4.3 Overwriting
3.4.4.4 Degaussing
3.4.4.5 Destruction
3.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
3.6 Determine data security controls and compliance requirements
3.6.1 Data states (e.g., in use, in transit, at rest)
3.6.1.1 At rest
3.6.1.2 In transit / in motion / in flight
3.6.1.3 In use
3.6.2 Scoping and tailoring
3.6.3 Standards selection
3.6.4 Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
3.6.4.1 Traditional backup (Full, differential and incremental backup, journaling)
3.6.4.2 Other Backup Approaches (Database mirroring, disk mirroring / storage replication, snapshots, multi regions / availability zones, vaulting)
3.6.4.3 Data Deduplication
3.6.4.4 Digital Rights Management (DRM)
3.6.4.5 Data Loss Prevention (DLP)
3.6.4.6 Cloud Access Security Broker (CASB)

4 Domain 3: Security Architecture and Engineering
4.1 Research, implement and manage engineering processes using secure design principles
4.1.1 Threat modeling
4.1.2 Least privilege
4.1.3 Defense in depth
4.1.4 Secure defaults
4.1.5 Fail securely
4.1.6 Separation of Duties / Segregation of Duties (SoD)
4.1.7 Keep it simple
4.1.8 Zero Trust
4.1.9 Privacy by design
4.1.10 Trust but verify
4.1.11 Shared responsibility
4.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
4.2.1 State Machine
4.2.2 Lattice
4.2.3 Bell-LaPadula Confidentiality Model / Bell-LaPadula Model / BLP with star property
4.2.4 Biba Integrity Model / Biba Model with star property
4.2.5 Clark-Wilson Model
4.3 Select controls based upon systems security requirements
4.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
4.4.1 Memory protection
4.4.1.1 Supervisor state and user state
4.4.1.2 Buffer-overflow and Address space layout randomization (ASLR)
4.4.1.3 Concerns
4.4.2 Virtualization
4.4.3 Secure cryptoprocessor, Trusted Platform Module (TPM), encryption/decryption
4.4.3.1 Trusted Platform Module (TPM)
4.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
4.5.1 Client-based systems
4.5.2 Server-based systems
4.5.3 Database Systems
4.5.3.1 Inference
4.5.3.2 Aggregation
4.5.3.3 Data mining / Knowledge Discovery in Databases (KDD)
4.5.4 Cryptographic Systems
4.5.5 Industrial Control Systems (ICS)
4.5.6 Cloud-Based Systems
4.5.7 Distributed systems
4.5.8 Internet of Things (IoT)
4.5.9 Microservices (including SQL injection, XXE, XSS, CSRF / XSRF)
4.5.10 Containerization
4.5.11 Serverless
4.5.12 Embedded systems
4.5.13 High-Performance Computing (HPC) systems
4.5.14 Edge computing systems
4.5.15 Virtualized systems
4.6 Select and determine cryptographic solutions
4.6.1 Cryptographic life cycle (e.g., keys, algorithm selection)
4.6.2 Integrity (e.g., hashing)
4.6.2.1 Cryptographic hash function
4.6.2.2 Common cryptographic hash functions
4.6.2.3 HMAC
4.6.2.4 Salt
4.6.3 Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
4.6.3.1 Stream-based Ciphers
4.6.3.2 Block Ciphers
4.6.3.3 Block Cipher Modes of Operation
4.6.3.3.1 Electronic Code Book (ECB) mode
4.6.3.3.2 Cipher Block Chaining (CBC) mode
4.6.3.3.3 Cipher Feedback (CFB) mode
4.6.3.3.4 Counter (CTR) mode
4.6.3.3.5 Some points about various modes
4.6.3.3.6 Some other modes
4.6.3.3.6.1 Galois/counter (GCM) / AES-GCM-SIV
4.6.3.4 Symmetric
4.6.3.5 Common symmetric encryption algorithms
4.6.3.6 AES
4.6.3.7 Advantages and disadvantages of symmetric encryption algorithms
4.6.4 Asymmetric
4.6.4.1 General concepts
4.6.4.2 Digital signatures and Non-repudiation
4.6.4.3 RSA
4.6.4.3.1 RSA encryption and decryption
4.6.4.3.2 RSA digital signature
4.6.4.4 Diffie–Hellman key exchange
4.6.4.5 ElGamal
4.6.4.5.1 ElGamal encryption and decryption
4.6.4.5.2 ElGamal digital signature and DSA (Digital Signature Algorithm)
4.6.4.6 Elliptic curves (ECC)
4.6.4.6.1 Elliptic Diffie-Hellman Key Exchange (ECDH)
4.6.4.6.2 Elliptic ElGamal Public Key Cryptosystem
4.6.4.6.3 Elliptic Curve Digital Signature Algorithm (ECDSA)
4.6.4.7 Advantages and disadvantages of asymmetric algorithms
4.6.5 Quantum cryptography
4.6.6 Key Management Practices
4.6.7 Public Key Infrastructure (PKI) and digital certificates
4.6.7.1 Certification Authority (CA) and Digital certificates
4.6.7.2 Registration Authority (RA)
4.6.7.3 Validation Authority (VA)
4.6.7.4 Subordinate or intermediate certificates
4.7 Understand methods of cryptanalytic attacks
4.7.1 Brute force
4.7.2 Ciphertext only
4.7.3 Known plaintext
4.7.4 Frequency analysis
4.7.5 Chosen ciphertext
4.7.6 Implementation attacks
4.7.7 Side-channel and timing
4.7.8 Fault injection
4.7.9 Man-in-the-Middle (MITM)
4.7.10 Pass the hash
4.7.11 Kerberos exploitation
4.7.12 Ransomware
4.8 Apply security principles to site and facility design
4.9 Design site and facility security controls
4.9.1 Wiring closets/intermediate distribution facilities
4.9.2 Server rooms/data centers
4.9.2.1 Mantrap
4.9.2.2 Others
4.9.3 Media storage, evidence storage and work (restricted) area security
4.9.4 Power (e.g., redundant, backup)
4.9.4.1 Uninterruptible Power Supply (UPS)
4.9.4.2 Power Conditioner
4.9.4.3 Backup Power Source
4.9.5 Environmental issues
4.9.6 Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
4.9.7 Fire prevention, detection, and suppression
4.9.7.1 Fire detection
4.9.7.2 Fire prevention and suppression

5 Domain 4: Communication and Network Security
5.1 Assess and implement secure design principles in network architectures
5.1.1 OSI reference model vs. TCP / IP model
5.1.2 Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
5.1.2.1 OSI reference model
5.1.2.1.1 Layer 7: Application Layer
5.1.2.1.2 Layer 6: Presentation Layer
5.1.2.1.3 Layer 5: Session Layer
5.1.2.1.4 Layer 4: Transport Layer
5.1.2.1.5 Layer 3: Network Layer
5.1.2.1.6 Layer 2: Data Link Layer
5.1.2.1.7 Layer 1: Physical Layer
5.1.2.2 TCP / IP model
5.1.2.2.1 Application Layer
5.1.2.2.2 Transport Layer
5.1.2.2.3 Internet Layer
5.1.2.2.4 Network Interface Layer
5.1.3 Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6)
5.1.3.1 IPv4 addressing
5.1.3.2 IPv6 addressing
5.1.3.3 “Addresses” of a host
5.1.3.4 TCP and UDP (Layer 4)
5.1.3.4.1 TCP
5.1.3.4.2 UDP
5.1.3.5 Ports (Layer 4)
5.1.3.5.1 Well-known ports / System ports
5.1.3.5.2 Registered ports / User Ports
5.1.3.5.3 Dynamic ports / Private ports / Ephemeral ports
5.1.3.6 Routing protocols
5.1.3.6.1 RIPv1, RIPv2 and RIPng
5.1.3.6.2 OSPFv2 and OSPFv3
5.1.3.6.3 Border Gateway Protocol (BGP)
5.1.3.7 Dynamic Host Configuration Protocol (DHCP)
5.1.3.8 Internet Control Message Protocol (ICMP)
5.1.3.8.1 Smurf attack
5.1.3.9 Domain Name Service (DNS)
5.1.4 Secure Protocols
5.1.4.1 IPSec and IPSec VPN
5.1.4.1.1 IPsec VPN: Authentication Header (AH)
5.1.4.1.2 IPsec VPN: Encapsulating Secure Payload (ESP)
5.1.4.1.3 IPSec operation modes
5.1.4.2 Transport Layer Security (TLS) / Secure Sockets Layer (SSL)
5.1.4.3 SSH (Secure Shell)
5.1.5 Implications of multilayer protocols, Encapsulation, VLAN and VLAN Hopping
5.1.6 Converged Protocols
5.1.6.1 Fibre Channel (FC) and Fibre Channel over Ethernet (FCoE)
5.1.6.2 Internet Small Computer System Interface (iSCSI)
5.1.6.3 Multiprotocol Label Switching (MPLS)
5.1.6.4 Voice over IP (VoIP)
5.1.6.4.1 Session Initiation Protocol (SIP)
5.1.7 Micro-segmentation
5.1.7.1 Software Defined Networks (SDN)
5.1.7.2 Network overlay and Virtual eXtensible Local Area Network (VXLAN)
5.1.7.3 Software-Defined Wide Area Network (SD-WAN)
5.1.8 Wireless networks
5.1.8.1 Wireless standards
5.1.8.2 MAC filtering
5.1.8.3 Shared key authentication
5.1.8.4 Wired equivalent privacy (WEP)
5.1.8.5 Wi-Fi protected access (WPA) / WPA2 / WPA3
5.1.8.5.1 IEEE 802.1X and Extensible Authentication Protocol (EAP)
5.1.8.6 “Parking lot” attack
5.1.8.7 SSID flaw
5.1.8.8 Signal jamming
5.1.8.9 Li-Fi
5.1.8.10 Zigbee
5.1.9 Cellular networks (e.g., 4G, 5G)
5.1.10 Content Distribution Networks (CDN)
5.2 Secure network components
5.2.1 Operation of hardware (e.g., redundant power, warranty, support)
5.2.2 Transmission media
5.2.2.1 Copper
5.2.2.1.1 Shielded Twisted Pair (STP)
5.2.2.1.2 Unshielded Twisted Pair (UTP)
5.2.2.1.3 Comparison (Just for reference)
5.2.2.2 Coaxial Cable (Coax)
5.2.2.3 Fiber Optic / Optical Fiber
5.2.3 Network access control (NAC) devices
5.2.3.1 Firewall
5.2.3.2 Proxies
5.2.3.3 Intrusion Detection System (IDS)
5.2.3.4 Intrusion Prevention System (IPS)
5.2.3.5 Bastion Host / Screened Host
5.2.3.6 Network Address Translation (NAT) / Port Address Translation (PAT)
5.2.3.7 Security information and event management (SIEM)
5.2.4 Endpoint security
5.2.4.1 Network access control (NAC)
5.3 Implement secure communication channels according to design
5.3.1 Voice, Private Branch Exchange (PBX) and Plain Old Telephone Service (POTS)
5.3.2 Multimedia collaboration
5.3.2.1 Internet Relay Chat (IRC)
5.3.3 Remote access
5.3.3.1 Screen scraping
5.3.3.2 Tunneling, PPTP and L2TP
5.3.4 Data communications
5.3.4.1 Email Security, S/MIME, PEM, DKIM
5.3.5 Virtualized networks
5.3.5.1 Virtual Machine Jumping or Hyperjumping
5.3.6 Third-party connectivity

6 Domain 5: Identity and Access Management (IAM)
6.1 Control physical and logical access to assets
6.1.1 Information and Systems
6.1.2 Devices and MDM
6.1.3 Facilities and PACS
6.1.4 Applications
6.2 Manage identification and authentication of people, devices, and services
6.2.1 Identity Management (IdM) implementation
6.2.2 Single/Multi-Factor Authentication (MFA)
6.2.2.1 Biometric
6.2.3 Accountability
6.2.4 Session management
6.2.5 Registration, proofing, and establishment of identity (with ISL concept)
6.2.6 Single Sign On (SSO), Federated Identity Management (FIM) and Security Assertion Markup Language (SAML)
6.2.6.1 Security Assertion Markup Language (SAML)
6.2.6.2 OpenID Connect (OIDC) / Open Authorization (OAuth)
6.2.7 Credential management systems
6.2.8 Just-In-Time (JIT)
6.3 Federated identity with a third-party service
6.3.1 On-premise
6.3.2 Cloud
6.3.3 Hybrid
6.4 Implement and manage authorization mechanisms
6.4.1 Role Based Access Control (RBAC)
6.4.2 Rule based access control
6.4.3 Mandatory Access Control (MAC)
6.4.4 Discretionary Access Control (DAC)
6.4.5 Attribute Based Access Control (ABAC)
6.4.6 Risk based access control
6.5 Manage the identity and access provisioning lifecycle
6.5.1 Account access review (e.g., user, system, service)
6.5.2 Provisioning and deprovisioning (e.g., on /off boarding and transfers)
6.5.3 Role definition (e.g., people assigned to new roles)
6.5.4 Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)
6.6 Implement authentication systems
6.6.1 OpenID Connect (OIDC) / Open Authorization (OAuth)
6.6.2 Security Assertion Markup Language (SAML)
6.6.3 Kerberos
6.6.4 Remote Authentication Dial-In User Service (RADIUS) / Terminal Access Controller Access Control System Plus (TACACS+)

7 Domain 6: Security Assessment and Testing
7.1 Design and validate assessment, test, and audit strategies
7.2 Conduct security control testing
7.2.1 Vulnerability assessment
7.2.2 Penetration testing
7.2.3 Log reviews
7.2.4 RUM / EUM and Synthetic transactions
7.2.4.1 RUM / EUM
7.2.4.2 Synthetic transactions
7.2.5 Code review and testing
7.2.5.1 Black-Box-Testing vs. White-Box-Testing
7.2.5.2 Dynamic Testing vs. Static Testing
7.2.5.3 Manual Testing vs. Automatic Testing
7.2.5.4 Code review processes (Pair programming, Over-the-shoulder, Pass-around, Tool-assisted, etc.)
7.2.5.5 Types of testing
7.2.6 Misuse case testing / Abuse Case Testing
7.2.7 Test coverage analysis
7.2.8 Interface testing
7.2.9 Breach attack simulations
7.2.10 Compliance checks
7.3 Collect security process data (e.g., technical and administrative)
7.3.1 Account management
7.3.2 Management review and approval
7.3.3 Key performance and risk indicators
7.3.4 Backup verification data
7.3.5 Training and awareness
7.3.6 Disaster Recovery (DR) and Business Continuity (BC)
7.3.6.1 Read-through/tabletop
7.3.6.2 Walkthrough
7.3.6.3 Simulation
7.3.6.4 Parallel
7.3.6.5 Full interruption
7.4 Analyze test output and generate report
7.4.1 Remediation and exception handling
7.4.2 Ethical disclosure
7.4.3 Conduct or facilitate security audits
7.4.3.1 Internal
7.4.3.2 External
7.4.3.3 Third-party

8 Domain 7: Security Operations
8.1 Understand and comply with investigations
8.1.1 Evidence collection and handling
8.1.2 Reporting and documentation
8.1.3 Investigative techniques
8.1.4 Digital forensics tools, tactics, procedures and artifacts (e.g., computer, network, mobile device)
8.2 Conduct logging and monitoring activities
8.2.1 Intrusion detection and prevention
8.2.2 Security Information and Event Management (SIEM)
8.2.3 Continuous monitoring
8.2.4 Egress monitoring
8.2.5 Log management
8.2.6 Threat intelligence (e.g., threat feeds, threat hunting)
8.2.7 User and Entity Behavior Analytics (UEBA)
8.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
8.4 Apply foundational security operations concepts
8.4.1 Need-to-know/least privilege
8.4.2 Separation of Duties (SoD) and responsibilities
8.4.3 Privileged account management
8.4.4 Job rotation
8.4.5 Service Level Agreements (SLAs)
8.5 Apply resource protection
8.5.1 Media management
8.5.2 Media protection techniques
8.6 Conduct incident management
8.6.1 Detection
8.6.2 Response
8.6.3 Mitigation
8.6.4 Reporting
8.6.5 Recovery
8.6.6 Remediation
8.6.7 Lessons learned
8.7 Operate and maintain detective and preventative measures
8.7.1 Firewalls (e.g., next generation, web application, network)
8.7.2 Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
8.7.3 Whitelisting/blacklisting
8.7.4 Third-party provided security services
8.7.5 Sandboxing
8.7.6 Honeypots/honeynets
8.7.7 Anti-malware
8.7.8 Machine learning and Artificial Intelligence (AI) based tools
8.8 Implement and support patch and vulnerability management
8.9 Understand and participate in change management processes
8.10 Implement recovery strategies
8.10.1 Backup storage strategies
8.10.2 Recovery site strategies
8.10.3 Multiple processing sites
8.10.4 System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance
8.10.4.1 System resilience
8.10.4.2 High availability and fault tolerance
8.10.4.3 Quality of service
8.11 Implement Disaster Recovery (DR) processes
8.11.1 Response
8.11.2 Personnel and Communications
8.11.3 Assessment and Restoration
8.11.4 Training and awareness
8.11.5 Lessons learned
8.12 Test Disaster Recovery Plans (DRP)
8.12.1 Read-through/tabletop
8.12.2 Walkthrough
8.12.3 Simulation
8.12.4 Parallel
8.12.5 Full interruption
8.13 Participate in Business Continuity (BC) planning and exercises
8.14 Implement and manage physical security
8.14.1 Perimeter security controls
8.14.2 Internal security controls
8.15 Address personnel safety and security concerns
8.15.1 Travel
8.15.2 Duress, emergency management and security training and awareness

9 Domain 8: Software Development Security
9.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
9.1.1 Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)
9.1.1.1 Waterfall
9.1.1.2 Agile
9.1.1.3 DevOps
9.1.1.4 DevSecOps
9.1.2 Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
9.1.2.1 Capability Maturity Model (CMM)
9.1.2.2 Software Assurance Maturity Model (SAMM)
9.1.3 Operation and maintenance
9.1.3.1 Regression testing
9.1.3.2 Acceptance testing
9.1.4 Change management
9.1.5 Integrated Product Team (IPT)
9.2 Identify and apply security controls in software development ecosystems
9.2.1 Programming languages
9.2.2 Libraries
9.2.3 Tool sets and integrated development environment (IDE)
9.2.4 Runtime
9.2.5 Continuous Integration and Continuous Delivery (CI/CD)
9.2.6 Security Orchestration, Automation, and Response (SOAR)
9.2.7 Software Configuration Management (SCM)
9.2.8 Code repositories
9.2.9 Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))
9.2.9.1 Static Application Security Testing (SAST)
9.2.9.2 Dynamic Application Security Testing (DAST)
9.3 Assess the effectiveness of software security
9.3.1 Auditing and logging of changes
9.3.2 Risk analysis and mitigation
9.4 Assess security impact of acquired software
9.4.1 Commercial-off-the-shelf (COTS)
9.4.2 Open source / OSS
9.4.3 Third-party
9.4.4 Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
9.4.4.1 Software as a Service (SaaS)
9.4.4.2 Platform as a Service (PaaS)
9.4.4.3 Infrastructure as a Service (IaaS)
9.5 Define and apply secure coding guidelines and standards
9.5.1 Security weaknesses and vulnerabilities at the source-code level
9.5.2 Security of Application Programming Interfaces (APIs) (including fuzzing and monkey testing)
9.5.3 Secure coding practices
9.5.4 Software-defined security

10 Further reading
10.1 Domain 1 topics
10.1.1 Other examples and topics of ethics
10.1.1.1 The Code of Fair Information Practices
10.1.1.2 Internet Architecture Board
10.1.1.3 Computer Ethics Institute (CEI)
10.1.1.4 Common ethics fallacies
10.1.2 More about export controls: Wassenaar Arrangement
10.1.3 Best Practices of Security Policy
10.1.4 Security Planning
10.1.4.1 Strategic Planning
10.1.4.2 Tactical Planning
10.1.4.3 Operational Planning
10.1.4.4 An example of security planning
10.1.5 Other risk assessment methodologies
10.1.5.1 NIST SP 800-30, NIST SP 800-39 and NIST SP 800-66
10.1.5.2 CCTA Risk Analysis and Management Method (CRAMM)
10.1.5.3 Failure mode and effects analysis (FMEA)
10.1.5.4 Facilitated risk analysis process (FRAP)
10.1.5.5 OCTAVE
10.1.5.6 Security Officers Management and Analysis Project (SOMAP)
10.1.5.7 Value at Risk (VaR)
10.1.6 Payment Card Industry Data Security Standard (PCI-DSS)
10.1.7 Industry and international security implementation guidelines
10.1.8 Control Objectives for Information and Related Technology (COBIT)
10.2 Domain 2 topics
10.2.1 General privacy concepts
10.2.2 Hardware and software considerations
10.2.3 Link encryption and end-to-end encryption
10.2.4 More about standard selection
10.2.4.1 United States
10.2.4.1.1 Department of Defense
10.2.4.1.2 National Security Agency (NSA)
10.2.4.1.3 National Institute of Standards and Technology (NIST)
10.2.4.2 United Kingdom
10.2.4.2.1 Communications-Electronics Security Group (CESG)
10.2.4.3 European Union
10.2.4.4 International Organization for Standardization (ISO)
10.2.4.5 International Telecommunications Union (ITU)
10.2.4.6 NATO
10.3 Domain 3 topics
10.3.1 System Life Cycle
10.3.2 Security principles based on NIST SP 800-27
10.3.3 Relationships between principles and System life-cycles
10.3.4 Common system components
10.3.4.1 Processors
10.3.4.2 Memory and storage (primary storage)
10.3.4.3 Memory and storage (secondary storage)
10.3.4.4 Memory and storage (virtual storage)
10.3.4.5 Memory and storage (memory protection)
10.3.5 Layering / Protection ring
10.3.6 More security models
10.3.6.1 Lipner Model
10.3.6.2 Brewer-Nash (The Chinese Wall) Model
10.3.6.3 Graham-Denning Model
10.3.6.4 Harrison-Ruzzo-Ulman Model
10.3.7 Select controls and countermeasures based upon systems security evaluation models
10.3.7.1 Certification and accreditation
10.3.7.1.1 Certification
10.3.7.1.2 Accreditation
10.3.7.2 Product evaluation models
10.3.7.2.1 Trusted Computer System Evaluation Criteria (TCSEC)
10.3.7.2.2 Information Technology Security Evaluation Criteria (ITSEC)
10.3.7.2.3 Common Criteria
10.3.7.3 Data Flow Diagram (DFD)
10.3.7.4 Warehousing and data mart
10.3.8 Large-scale parallel data systems
10.3.9 Distributed systems
10.3.9.1 Grid computing
10.3.9.2 Peer to peer (P2P)
10.3.10 Classic encryption systems
10.3.10.1 Null Cipher
10.3.10.2 The Rail Fence
10.3.10.3 Caesar Cipher / Monoalphabetic Cipher
10.3.10.4 Blaise de Vigenère / Polyalphabetic Cipher
10.3.10.5 Playfair Cipher
10.3.11 Running Key Cipher with modular mathematics
10.3.12 One-time Pads
10.3.13 Double DES
10.3.14 Key escrow / “fair” cryptosystem
10.3.15 Key management: XML Key Management Specification (XKMS)
10.3.16 More about fire suppression
10.3.16.1 Other fire suppression agents (except those mentioned in chapter 4.9.7.2)
10.3.17 Terms used in electrical voltage fluctuations
10.3.18 Trusted Computing Base (TCB)
10.3.19 Security Kernels and Reference Monitors
10.3.20 Common architecture frameworks
10.3.20.1 Zachman Framework
10.3.20.2 Sherwood Applied Business Security Architecture Framework
10.3.20.3 The Open Group Architecture Framework (TOGAF)
10.3.20.4 IT Infrastructure Library (ITIL v3 / ITIL 4)
10.3.21 Roadway Design
10.3.22 Crime Prevention Through Environmental Design (CPTED)
10.3.23 Entry points: Doors
10.3.24 Entry points: Windows
10.3.24.1 Types of glass
10.3.25 Ground Potential Rise (GPR)
10.4 Domain 4 topics
10.4.1 Simplex, half duplex and full duplex
10.4.2 Attacks related to Internet Control Message Protocol (ICMP)
10.4.2.1 Ping of death
10.4.2.2 ICMP redirect attack / Man-in-the-middle attack
10.4.3 More about Multilayer protocols / Implications of multilayer protocols
10.4.3.1 DNP3
10.4.3.2 Modbus
10.4.4 File Transfer Protocol (FTP)
10.4.4.1 FTP Transfer modes: Active mode (PORT mode)
10.4.4.2 FTP Transfer modes: Passive mode (PASV mode)
10.4.4.3 Secure FTP with TLS (FTPS)
10.4.4.4 FTP over SSH
10.4.5 Trivial File Transfer Protocol (TFTP)
10.4.6 Common Internet File System (CIFS) / Server Message Block (SMB)
10.4.7 Simple Mail Transfer Protocol (SMTP) / Extended Simple Mail Transfer Protocol (ESMTP)
10.4.8 Lightweight Directory Access Protocol (LDAP)
10.4.9 Network Basic Input Output System (NetBIOS)
10.4.10 Network Information Service (NIS / NIS+)
10.4.11 Fibre Channel over Internet Protocol (FCIP / FCoIP)
10.4.12 InfiniBand (IB)
10.4.13 MPLS Pseudowires / L2VPN
10.4.14 Circuit switched and packet switched networks
10.4.14.1 Circuit switched networks
10.4.14.2 Packet switched networks
10.4.15 Common hardware
10.4.15.1 Modems
10.4.15.2 Multiplexers
10.4.15.3 Switches and bridges
10.4.15.4 Hubs / Repeaters
10.4.15.5 Routers
10.4.15.6 Wireless access points (WAP / AP)
10.4.16 More about Multimedia collaboration
10.4.16.1 Remote meeting technology
10.4.16.2 Instant messaging (IM)
10.4.16.3 Extensible Messaging and Presence Protocol (XMPP) / Jabber
10.4.17 Network attacks
10.4.17.1 Domain litigation
10.4.17.2 Open mail relay and SPAM
10.4.17.3 Port scanning
10.4.17.4 Port scanning: FIN scanning / Xmas scanning / Null scanning
10.4.17.5 Teardrop
10.4.17.6 Overlapping fragment attack
10.4.17.7 Source Routing Exploitation
10.4.17.8 Denial of service and spoofing
10.4.17.9 Email spoofing
10.4.17.10 DNS spoofing
10.4.17.11 Eavesdropping
10.4.17.12 Emanations / TEMPEST
10.5 Domain 5 topics
10.5.1 Control physical and logical access to assets
10.5.1.1 Access control of information
10.5.1.2 Centralized access control systems for device access control
10.5.1.3 Decentralized access control
10.5.1.4 Hybrid access control
10.5.2 Manage identification and authentication of people and devices
10.5.2.1 Identification methods
10.5.2.2 Identification guidelines
10.5.2.3 Identification implementation
10.5.2.3.1 Password management
10.5.2.3.2 Account management
10.5.2.4 Profile management
10.5.2.5 Directory management and Lightweight Directory Access Protocol (LDAP)
10.5.2.6 X.500 and X.400
10.5.3 Biometric
10.5.4 Classic Role-Based Access Control (RBAC) concepts
10.5.4.1 Non-RBAC
10.5.4.2 Limited RBAC
10.5.4.3 Hybrid RBAC
10.5.4.4 Full RBAC
10.5.5 SDDL (Security Descriptor Definition Language)
10.5.6 Prevent and mitigate access control attacks and IAM
10.5.6.1 Identity and access provisioning lifecycle
10.6 Domain 7 topics
10.6.1 More about evidence
10.6.2 More about RAID / High availability and fault tolerance in hard disks
10.6.2.1 RAID 0
10.6.2.2 RAID 1
10.6.2.3 RAID 5
10.6.2.4 Nested RAID Levels / RAID 10
10.6.3 Shoulder Surfing
10.6.4 Firewall architectures
10.6.4.1 Dual-Homed Firewall
10.6.4.2 Screened Host
10.6.4.3 Screened Subnet
10.6.5 Classic recovery site strategies and multiple processing sites
10.7 Domain 8 topics
10.7.1 More about agile software methodology
10.7.1.1 Scrum
10.7.1.2 Extreme programming (XP)
10.7.1.3 Test-driven development (TDD)
10.7.1.4 Lean
10.7.1.5 Minimum viable product (MVP)
10.7.2 More about programming languages (compiled languages vs interpreters)
10.7.3 Type checking
10.7.4 Language generations
10.7.5 Model View Controller (MVC)
10.7.6 Common programming languages
10.7.7 ACID in database transactions
10.7.8 Database View
10.7.9 Von Neumann model
10.7.10 Relationship between acquisition processes and IEEE 1062, PMBOK, NIST SP 800-64, DoDI 5000.2, ISO / IEC 12207
10.7.11 Object-Oriented (OO) programming
10.7.11.1 Encapsulation
10.7.11.2 Inheritance
10.7.11.3 Polymorphism
10.7.12 Distributed object-oriented systems
10.7.12.1 CORBA (Common Object Request Broker Architecture)
10.7.12.2 EJB (Enterprise JavaBeans)
10.7.12.3 Microsoft COM / DCOM
10.7.12.4 More about viruses
10.7.12.5 More about botnets
10.7.12.6 More about worms
10.7.12.7 Hoax
10.7.13 Database Management System (DBMS)
10.7.13.1 Database Management System (DBMS) Elements
10.7.13.2 Relational Database Management System (RDBMS)
10.7.14 Normalization, primary keys, foreign keys and referential integrity
10.7.14.1 Normalization
10.7.14.2 Primary keys
10.7.14.3 Foreign keys and referential integrity
10.7.14.4 OODBMS and ORDBMS
10.7.15 Database Interface Languages
10.7.16 Polyinstantiation
10.7.17 Secure Electronic Transaction (SET) Protocol
10.7.18 Cleanroom
10.8 More about the examination (Computerized Adaptive Testing)


Current course content:

1 General Information
1.1 Steps to get the CISSP certification
1.2 Examination (Computerized Adaptive Testing)
1.3 Registration process
1.4 Exam outline

2 Security and Risk Management (Domain 1)
2.1 Understand and apply concepts of confidentiality, integrity, and availability
2.1.1 Confidentiality
2.1.2 Integrity
2.1.3 Availability
2.2 Evaluate and apply security governance principles
2.2.1 Security governance
2.2.2 Align security functions to organization goals, missions and objectives
2.2.2.1 Business case
2.2.2.2 Budget
2.2.2.3 Resources
2.2.3 Organizational processes
2.2.3.1 Acquisitions and Mergers
2.2.3.2 Divestitures and Spinoffs
2.2.3.3 Governance Committees
2.2.4 Organizational roles and responsibilities
2.2.4.1 Information security officer
2.2.4.2 Oversight committee representation / Security Council
2.2.4.3 End-users
2.2.4.4 Executive Management
2.2.4.5 Information systems security professionals
2.2.4.6 Data owners, information owners, business owners
2.2.4.7 Data custodians, information custodians, stewards
2.2.4.8 Information security auditors
2.2.4.9 Business continuity planners
2.2.4.10 Information technology professionals
2.2.4.11 Security administrators
2.2.4.12 System administrators
2.2.4.13 Network administrators
2.2.4.14 Physical security administrators
2.2.4.15 Administrative assistants / Receptionists
2.2.4.16 Service desk
2.2.5 Security control frameworks
2.2.5.1 NIST SP 800-53
2.2.5.2 ISO 27001:2013
2.2.6 Due Care
2.2.7 Due Diligence
2.3 Compliance (Determine compliance requirements)
2.3.1 Contractual, legislative and regulatory requirements
2.3.2 Industry standards
2.3.3 Privacy requirements
2.3.4 GRC
2.4 Understand legal and regulatory issues that pertain to information security in a global context
2.4.1 Cybercrimes
2.4.1.1 CryptoLocker
2.4.1.2 Child pornography
2.4.1.3 Reveton / Citadel
2.4.1.4 Rogue Anti-Virus software
2.4.1.5 Effects of computer crimes
2.4.2 Licensing and intellectual property
2.4.2.1 Patent
2.4.2.2 Trademark
2.4.2.3 Copyright
2.4.2.4 Trade Secret
2.4.2.5 Licensing
2.4.3 Import / export controls
2.4.3.1 International Traffic in Arms Regulations (ITAR)
2.4.3.2 Export Administration Regulations (EAR)
2.4.3.3 Wassenaar Arrangement
2.4.4 Trans-border data flow
2.4.5 Privacy
2.4.6 Data Breaches
2.5 Professional ethics (Understand, adhere to, and promote professional ethics)
2.5.1 The relationship between ethics and regulatory requirements
2.5.2 (ISC)2 Code of Professional Ethics
2.5.2.1 Another version for your reference
2.5.2.2 Support organization’s code of ethics (Organizational code of ethics)
2.6 Develop, document, and implement security policy, standards, procedures, and guidelines
2.6.1 Security Policy
2.6.1.1 Best Practices of Security Policy
2.6.2 Standards
2.6.3 Procedures
2.6.4 Guidelines
2.6.5 Baselines
2.6.6 An integrated example
2.7 Understand and apply risk management concepts
2.7.1 Risk and Risk Management overview
2.7.2 Identify threats and vulnerabilities
2.7.2.1 Threats
2.7.2.2 Vulnerabilities
2.7.3 Risk assessment / analysis
2.7.4 Qualitative risk assessment / analysis
2.7.5 Quantitative risk assessment / analysis
2.7.5.1 Asset identification and valuation
2.7.5.2 EF and SLE
2.7.5.3 ARO, LAFE, SAFE and ALE
2.7.6 Concerns when performing qualitative risk assessment / analysis
2.7.7 Concerns when performing quantitative risk assessment / analysis
2.7.8 Hybrid
2.7.9 Risk assignment / acceptance
2.7.10 Countermeasure selection and implementation
2.7.10.1 Countermeasure selection
2.7.10.2 Countermeasure implementation
2.7.11 Types of controls / Applicable types of controls
2.7.11.1 Compensating controls
2.7.11.2 Corrective controls
2.7.11.3 Deterrent controls
2.7.11.4 Directive controls
2.7.11.5 Detective controls
2.7.11.6 Preventive controls
2.7.11.7 Recovery controls
2.7.11.8 Control implementations
2.7.11.9 Administrative controls
2.7.11.10 Physical controls
2.7.11.11 Logical controls / Technical controls
2.7.12 An integrated example of controls
2.7.13 Security Control assessment (SCA) / monitoring and measurement / reporting
2.7.13.1 Vulnerability assessments
2.7.13.2 Penetration testing
2.7.14 Continuous improvement
2.7.14.1 PDCA cycle / Deming Cycle / Shewhart Cycle
2.7.14.2 Continuous Vs Continual
2.7.15 Risk frameworks / risk management frameworks
2.8 Identify, analyze, and prioritize Disaster recovery (DR) / Business Continuity (BC) requirements
2.8.1 Project initiation
2.8.2 Develop and document project scope and plan
2.8.3 Business impact analysis (BIA)
2.8.3.1 Maximum tolerable downtime (MTD)
2.8.3.2 Recovery point objective (RPO)
2.9 Personnel security (Contribute to and enforce personnel security policies and procedures)
2.9.1 Before employment: candidate screening and hiring, employment agreements and policies
2.9.2 During employment: onboarding processes
2.9.2.1 Separation of Duties (SOD)
2.9.2.2 Least Privilege (Need to Know)
2.9.2.3 Job Rotation
2.9.2.4 Mandatory Vacations
2.9.3 Termination processes
2.9.4 Vendor, consultant, and contractor agreements and controls
2.9.5 Compliance and privacy policy requirements
2.10 Understand and apply threat modelling concepts and methodologies
2.10.1 Threat modelling concepts
2.10.2 Example of threat modelling
2.11 Apply risk-based management concepts to the supply chain
2.11.1 Risks associated with hardware, software, and services
2.11.2 Third-party assessment and monitoring
2.11.2.1 Minimum security and service level requirements (SLR)
2.12 Establish and maintain a security awareness, education, and training program
2.12.1 Methods and techniques to present awareness and training
2.12.2 Security training
2.12.3 Program effectiveness evaluation and periodic content reviews

3 Asset Security (Domain 2)
3.1 Information classification and supporting assets
3.1.1 Classification (concerned with access)
3.1.2 Categorization (concerned with impact)
3.1.3 Asset and data classification
3.1.3.1 Data owners and data processors
3.1.3.2 Concerns when performing classification
3.2 Determine and maintain information and asset ownership
3.3 Protect privacy and collection limitations
3.4 Data retention
3.4.1 Data retention and destruction policy
3.4.2 Hardware and software considerations
3.4.3 Personnel
3.5 Data security controls
3.5.1 Data states
3.5.1.1 Data at Rest with cryptography
3.5.1.2 Data in Transit with cryptography
3.5.2 Baselines
3.5.3 Scoping and tailoring
3.6 Standards selection
3.6.1 United States
3.6.1.1 Department of Defense
3.6.1.2 National Security Agency (NSA)
3.6.1.3 National Institute of Standards and Technology (NIST)
3.6.2 United Kingdom
3.6.2.1 Communications-Electronics Security Group (CESG)
3.6.3 European Union
3.6.4 International Organization for Standardization (ISO)
3.6.5 International Telecommunications Union (ITU)
3.6.6 NATO Cooperative Cyber Defence Centre of Excellence
3.7 Establish information and asset handling requirements and data protection methods
3.7.1 Marking
3.7.2 Handling
3.7.3 Storing
3.7.4 Data remanence
3.7.4.1 Clearing
3.7.4.2 Purging
3.7.4.3 Overwriting
3.7.4.4 Degaussing
3.7.4.5 Encryption
3.7.4.6 Destruction
3.8 Quality control (QC) and quality assurance (QA)

4 Security Architecture and Engineering (Domain 3)
4.1 Engineering processes using secure design principles
4.1.1 Security engineering
4.1.2 Implement and manage security engineering using secure design principles
4.1.2.1 Principles
4.1.2.2 Relationships between principles and System life-cycles
4.2 Understand the fundamental concepts of security models
4.2.1 Common system components
4.2.1.1 Processors
4.2.1.2 Memory and storage (primary storage)
4.2.1.3 Memory and storage (secondary storage)
4.2.1.4 Memory and storage (virtual storage)
4.2.1.5 Memory and storage (memory protection)
4.2.2 Types of security models
4.2.2.1 State Machine Model
4.2.2.2 Multilevel Lattice Models
4.2.2.3 Noninterference Models
4.2.2.4 Matrix-Based Model
4.2.2.5 Information Flow Model
4.2.3 Examples of security models
4.2.3.1 Bell-LaPadula Confidentiality Model / Bell-LaPadula Model / BLP
4.2.3.2 Biba Integrity Model / Biba Model
4.2.3.3 Clark-Wilson Integrity Model / Clark-Wilson Model
4.2.3.4 Lipner Model
4.2.3.5 Brewer-Nash (The Chinese Wall) Model
4.2.3.6 Graham-Denning Model
4.2.3.7 Harrison-Ruzzo-Ulman Model
4.3 Select controls and countermeasures based upon systems security evaluation models
4.3.1 Certification and accreditation
4.3.1.1 Certification
4.3.1.2 Accreditation
4.3.2 Product evaluation models
4.3.2.1 Trusted Computer System Evaluation Criteria (TCSEC)
4.3.2.2 Information Technology Security Evaluation Criteria (ITSEC)
4.3.2.3 Common Criteria
4.4 Understand security capabilities of information systems
4.4.1 Access control mechanisms
4.4.2 Secure memory management
4.4.2.1 Address space layout randomization (ASLR)
4.4.3 Processor states
4.4.3.1 Supervisor state
4.4.3.2 Problem state
4.4.4 Layering
4.4.5 Data hiding
4.4.6 Abstraction
4.4.7 Trusted Platform Module (TPM) [Cryptographic protections]
4.4.8 Host firewalls and intrusion prevention
4.4.9 Virtualization
4.4.10 Audit and monitoring controls
4.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
4.5.1 Client-based systems
4.5.1.1 Desktops and Laptops
4.5.1.2 Mobile devices
4.5.2 Server-based systems
4.5.2.1 Data Flow Diagram (DFD)
4.5.3 Database systems
4.5.3.1 Warehousing and data mart
4.5.3.2 Inference
4.5.3.3 Aggregation
4.5.3.4 Data mining / KDD
4.5.4 Large-scale parallel data systems
4.5.5 Distributed systems and Cloud-based systems
4.5.5.1 Cloud computing