ISC CISSP Training Course


Watch class recordings any time, advantage 1 of 10, freedom of time: whether you work night shifts or rotating shifts, you can come to class at any time of the day or evening! The video starts playing only when you arrive and can be paused whenever you need, so you will not miss any key point of the course because of arriving late or needing a quick break!

ISC2 CISSP

  • Course schedule
  • Course introduction
  • Course features
  • Examination notes
  • Course content
  • Press interviews

The course content covers both the current syllabus and the new syllabus (2021-05).


Traditional service: class timetable (Location: Mong Kok)
Students enrol by phone or via this web page; once the centre confirms that a seat has been reserved, the tuition fee can be paid by FPS (轉數快). The process is simple!

Date (dd/mm)      Day          Time
14/02 - 16/03     Mon, Wed     7:00pm - 10:00pm
  (14/2/2022, 16/2, 21/2, 23/2, 28/2, 2/3, 7/3, 9/3, 14/3, 16/3/2022)
11/05 - 13/06     Mon, Wed     7:00pm - 10:00pm
  (11/5, 16/5, 18/5, 23/5, 25/5, 30/5, 1/6, 6/6, 8/6, 13/6)

* Government departments may pay by P Card.
If the examination fee is paid by P Card, a 1.3% surcharge is added to the examination fee.

*** Quality assurance: watch the first 3 hours of the class recordings free of charge at any location, so that you can assess the quality of the instructor and the teaching materials before enrolling. ***
Please call the centre staff to make an appointment. Phone numbers by location:
Mong Kok 2332-6544
Kwun Tong 3563-8425
North Point 3580-1893
Sha Tin 2151-9360
Tuen Mun 3523-1560

Free make-up classes: students may watch the class recordings at any location to catch up on a missed lesson and continue with the following classes!
Free repeat: within three months after the course ends, students may re-watch the class recordings at any location an unlimited number of times to revise the whole course!
Course hours: 30 hours
Class suspension arrangements: if the Education Bureau announces a suspension of classes because of the epidemic, the centre may release recordings of some classes for students to watch at home, so that they can continue studying during the suspension; after classes resume, teaching continues from the lesson following the released recordings.

For the traditional service's free make-up classes or free repeat, if you choose Mong Kok or Kwun Tong on a weekday (Monday to Thursday), viewing of the class recordings must be completed by 6:30 p.m.


Recommended service: watch class recordings any time (viewing at home = 0%, viewing at the centre = 100%)
Students enrol by phone or via this web page; once the centre confirms that a seat has been reserved, the tuition fee can be paid by FPS (轉數快). The process is simple!

Location       Bookable days and times
Mong Kok       Mon-Fri: 14:30 - 22:15   Sat: 13:45 - 21:30   Sun: 10:15 - 18:00   (closed on public holidays)
Kwun Tong      Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)
North Point    Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)
Sha Tin        Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)
Tuen Mun       Mon-Fri: 14:15 - 22:00   Sat & Sun: 12:15 - 20:00   (closed on Wednesdays and public holidays)

Free trial viewing at the centre: the first 3 hours; please call the centre staff to make an appointment. Phone numbers by location:
Mong Kok 2332-6544
Kwun Tong 3563-8425
North Point 3580-1893
Sha Tin 2151-9360
Tuen Mun 3523-1560
Free re-watching at the centre: within the entitlement period, students may re-watch the class recordings at the location where they enrolled an unlimited number of times to revise the whole course!
Instructor Q&A: after watching a class recording, students may raise questions directly related to that class, and the course instructor will gladly answer them one-on-one!
Course hours: 30 hours
Entitlement period: 10 weeks (the whole course can be viewed within 4 weeks from the enrolment date, plus 6 spare weeks). You control the pace, fast or slow.
Viewing at the centre: details and demo video


District       Address                                                        Phone        Education Bureau registration no.
Mong Kok       九龍旺角亞皆老街 109 號,皆旺商業大廈 18 樓 1802 - 1807 室          2332-6544    533459
Kwun Tong      九龍觀塘成業街 7 號寧晉中心 12 樓 G2 室                            3563-8425    588571
North Point    香港北角馬寶道 41-47 號華寶商業大廈 3 樓 01-02 號舖                 3580-1893    591262
Sha Tin        新界沙田石門安群街 3 號京瑞廣場 1 期 10 樓 M 室                     2151-9360    604488
Tuen Mun       新界屯門屯喜路 2 號屯門柏麗廣場 17 樓 1708 室                      3523-1560    592552
Note! Customers must ask for the Education Bureau registration number of the school they intend to enrol with, to confirm that it is a registered school and avoid unnecessary losses!


Exclusive in Hong Kong: in addition to the traditional classroom mode, the centre also provides a video service for students, making the course even more flexible!


In recent years, system and network technology has developed at a breakneck pace. When developing a solution or handling electronic information, you must pay attention to information security as well as functionality. Once an information security incident occurs (for example, a leak of customer data), the resulting damage to reputation or finances is unimaginable. Information security has therefore become a "compulsory subject" in the IT field, and employers require IT staff to have information security knowledge and related certifications, such as CISSP (Certified Information Systems Security Professional).

The CISSP certification scheme was established by the International Information Systems Security Certification Consortium (ISC2). CISSP is a vendor-neutral certification: the knowledge it covers is not tied to any particular hardware or software vendor, so CISSP knowledge is very broadly applicable. The CISSP examination mainly covers the following 8 CBK (Common Body of Knowledge) domains:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security



CISSP

To obtain the CISSP, students must:

  1. Have 5 years of information security related work experience
  2. Pass the CISSP examination (we provide a large number of practice questions to make it easier for students to pass)
  3. Complete the endorsement process
    (CISSP students of this centre may apply to the centre for free assistance with endorsement; the centre provides the endorsement service free of charge in accordance with ISC2 guidelines.)
  4. Pass the ISC2 audit

Note: applicants who do not yet have sufficient work experience may still sit the CISSP examination. After the examination they become an Associate of ISC2, and once they have accumulated enough work experience they can apply to become a CISSP.



Course name: ISC CISSP
- Short name: ISC CISSP Training Course
Course hours: 30 hours in total (10 lessons)
Suitable for: anyone interested in information security
Language of instruction: mainly Cantonese, supplemented with English
Course notes: written by the centre's instructor, mainly in English, with Chinese glosses for some English terms.

1. Notes written by Franco himself: Franco writes the notes personally, so you do not have to "plough through" dictionary-thick textbooks that do not suit the Hong Kong style of study.
2. Equal emphasis on theory and practice: the instructor gives many demonstrations in class so that students understand abstract information security concepts and how to apply CISSP knowledge in their daily work. We also provide a large number of practice questions to make it easier for students to pass the examination.
3. Free repeat: traditional classroom students may re-watch the class recordings free of charge within three months after the course ends.

The instructor will explain the examination procedure in class.

After passing the examination, the next step is endorsement. The candidate must be recommended by another ISC2-certified person, who signs the Endorsement Form for the candidate.

CISSP students of this centre may apply to the centre for free assistance with endorsement; the centre provides the endorsement service free of charge in accordance with ISC2 guidelines.

Finally, ISC2 randomly selects candidates' submitted documents for audit. After passing the audit, the candidate becomes a CISSP.

Recently, the following Systematic CISSP course students applied for our help and we endorsed them successfully (including 2012-2022 examinations):

  • A. Chan
  • A. Chung
  • A. Yao
  • A. Yiu
  • A.Wong
  • Alan Cheung
  • Alan Choi
  • Alan Kwong
  • Alan Lee
  • Albert To
  • Alfred S.Y. Chan
  • Alfred Y.H. Chan
  • Andy Lau
  • Anthony Wu
  • Antony Chan
  • B. Ho
  • B. Kwok
  • B. Lau
  • B. Ng
  • B. Yiu
  • Ben Chan
  • Ben Wong
  • Billy Chan
  • C. Chan
  • C. Choi
  • C. Chung
  • C. Lee
  • C. Li
  • C. Ma
  • C. Tang
  • C. Tse
  • C.F. Cho
  • C.F. Ko
  • C.I. Choi
  • C.M. Yip
  • C.N. Yue
  • Chan C. C
  • Charlaes Ho
  • Charles Wong
  • Chris Ng
  • Chris Ngai
  • Cody Wong
  • Colin Yeung
  • David Lau
  • David Leung
  • Derek Au
  • Derek Yeung
  • E. Mok
  • Eddie Ho
  • Edmond Chan
  • Edward Tam
  • Edwin Tang
  • Eric Wong
  • Eric Wu
  • Ernest Chan
  • F. Mok
  • F. Tong
  • F. Tse
  • Frankie Ng
  • G. Cheung
  • G. Kan
  • G. Tang
  • Gavin Lo
  • H. S. Lam
  • H. Seto
  • H. Y. Lin
  • Henry Pang
  • Howard Lee
  • I. Lai
  • Ivan Chow
  • Ivan Mong
  • J. Chan
  • J. Chow
  • J. K. Kwok
  • J. Kwok
  • J. Lai
  • J. Lau
  • J. Li
  • J. Mak
  • J. Ng
  • J. Ting
  • J. Yue
  • Jason Li
  • Jason Luk
  • Jeff Ho
  • Joe Chan
  • Joey Ho
  • Johnny Lam
  • Joseph Kwong
  • Joseph Lau
  • Justin Mok
  • K. Chan
  • K. F. Lau
  • K. Fung
  • K. Kwan
  • K. Li
  • K. S. Li
  • K. Tsui
  • K.F. Fung
  • K.F. Tang
  • K.F. Wong
  • K.W. Chung
  • K.W. Tse
  • Kelvin Tang
  • Kelvin Tse
  • Kene Lai
  • Kenneth Cheung
  • Kenneth Keung
  • Kenneth Shum
  • L. Chung
  • L. Hui
  • L. Ng
  • L. T. Kwok
  • Lawrence Chan
  • Lawrence Tang
  • M. Chan
  • M. Hui
  • M. Leung
  • M. Ng
  • M.C. Chan
  • M.H. Yip
  • Matthew Chan
  • Maverick Wong
  • N. C
  • O. Yun
  • P. Lam
  • P. Yau
  • Paul Wong
  • R. Chan
  • R. Yu
  • Ray Lam
  • Ray Tsang
  • Raymond Cheung
  • Raymond Law
  • Raymond Lo
  • Rex Lee
  • Richard Mon
  • Roy Fong
  • Roy Lam
  • Roy Yiu
  • S. F. Choy
  • S. H. Wang
  • S. Lam
  • S. Leung
  • S. Mak
  • S. Sin
  • S. Wu
  • S. Y. Chu
  • S. Yip
  • S.H. So
  • S.M. Ho
  • S.W. Lu
  • Sam Lo
  • Sammy Leung
  • Samson Tai
  • Simon Leung
  • Simon Yu
  • Stanley Lam
  • Stephanie Chan
  • Steve Wong
  • Steven Tsoi
  • T. Kwong
  • T. Leung
  • T. W. Cheng
  • T.S. Chan
  • T.Y. Li
  • Terence Mak
  • Terry Ng
  • Terry Yau
  • Tony Lo
  • Tony Wong
  • Tony Yeung
  • U. Cheung
  • V. Tang
  • Vincent Chan
  • W. C. Fung
  • W. H. Ma
  • W. Hon
  • W. Hung
  • W. L. Lee
  • W. Lau
  • W. T. Tai
  • W. Yeung
  • W.C.D. Fung
  • W.S Lai
  • W.S. Chu
  • W.T. Chiu
  • Willy Poon
  • X. Yao
  • Y. C. Choi
  • Y. Chang
  • Y. K. Kong
  • Y.C. Chow
  • Y.L. Cheng
  • Y.T. Tang
  • Zero Ho
  • and more... too many to list

Congratulations to them!!





1 General Information
1.1 Steps to get the CISSP certification
1.2 Examination (Computerized Adaptive Testing)
1.3 Registration process
1.4 Exam outline

2 Security and Risk Management (Domain 1)
2.1 Understand and apply concepts of confidentiality, integrity, and availability
2.1.1 Confidentiality
2.1.2 Integrity
2.1.3 Availability
2.2 Evaluate and apply security governance principles
2.2.1 Security governance
2.2.2 Align security functions to organization goals, missions and objectives
2.2.2.1 Business case
2.2.2.2 Budget
2.2.2.3 Resources
2.2.3 Organizational processes
2.2.3.1 Acquisitions and Mergers
2.2.3.2 Divestitures and Spinoffs
2.2.3.3 Governance Committees
2.2.4 Organizational roles and responsibilities
2.2.4.1 Information security officer
2.2.4.2 Oversight committee representation / Security Council
2.2.4.3 End-users
2.2.4.4 Executive Management
2.2.4.5 Information systems security professionals
2.2.4.6 Data owners, information owners, business owners
2.2.4.7 Data custodians, information custodians, stewards
2.2.4.8 Information security auditors
2.2.4.9 Business continuity planners
2.2.4.10 Information technologies professionals
2.2.4.11 Security administrators
2.2.4.12 System administrators
2.2.4.13 Network administrators
2.2.4.14 Physical security administrators
2.2.4.15 Administrative assistants / Receptionists
2.2.4.16 Service desk
2.2.5 Security control frameworks
2.2.5.1 NIST SP 800-53
2.2.5.2 ISO 27001:2013
2.2.6 Due Care
2.2.7 Due Diligence
2.3 Compliance (Determine compliance requirements)
2.3.1 Contractual, Legislative and regulatory requirements
2.3.2 Industry standards
2.3.3 Privacy requirements
2.3.4 GRC
2.4 Understand legal and regulatory issues that pertain to information security in a global context
2.4.1 Cybercrimes
2.4.1.1 CryptoLocker
2.4.1.2 Child Porn
2.4.1.3 Reveton / Citadel
2.4.1.4 Rogue Anti-Virus software
2.4.1.5 Effects of computer crimes
2.4.2 Licensing and intellectual property
2.4.2.1 Patent
2.4.2.2 Trademark
2.4.2.3 Copyright
2.4.2.4 Trade Secret
2.4.2.5 Licensing
2.4.3 Import / export controls
2.4.3.1 International Traffic in Arms Regulations (ITAR)
2.4.3.2 Export Administration Regulations (EAR)
2.4.3.3 Wassenaar Arrangement
2.4.4 Trans-border data flow
2.4.5 Privacy
2.4.6 Data Breaches
2.5 Professional ethics (Understand, adhere to, and promote professional ethics)
2.5.1 The relationship between ethics and regulatory requirements
2.5.2 (ISC)2 Code of Professional Ethics
2.5.2.1 Another version for your reference
2.5.2.2 Support organization’s code of ethics (Organizational code of ethics)
2.6 Develop, document, and implement security policy, standards, procedures, and guidelines
2.6.1 Security Policy
2.6.1.1 Best Practices of Security Policy
2.6.2 Standards
2.6.3 Procedures
2.6.4 Guidelines
2.6.5 Baselines
2.6.6 An integrated example
2.7 Understand and apply risk management concepts
2.7.1 Risk and Risk Management overview
2.7.2 Identify threats and vulnerabilities
2.7.2.1 Threats
2.7.2.2 Vulnerabilities
2.7.3 Risk assessment / analysis
2.7.4 Qualitative risk assessment / analysis
2.7.5 Quantitative risk assessment / analysis
2.7.5.1 Asset identification and valuation
2.7.5.2 EF and SLE
2.7.5.3 ARO, LAFE, SAFE and ALE
2.7.6 Concerns when performing qualitative risk assessment / analysis
2.7.7 Concerns when performing quantitative risk assessment / analysis
2.7.8 Hybrid
2.7.9 Risk assignment / acceptance
2.7.10 Countermeasure selection and implementation
2.7.10.1 Countermeasure selection
2.7.10.2 Countermeasure implementation
2.7.11 Types of controls / Applicable types of controls
2.7.11.1 Compensating controls
2.7.11.2 Corrective controls
2.7.11.3 Deterrent controls
2.7.11.4 Directive controls
2.7.11.5 Detective controls
2.7.11.6 Preventive controls
2.7.11.7 Recovery controls
2.7.11.8 Control implementations
2.7.11.9 Administrative controls
2.7.11.10 Physical controls
2.7.11.11 Logical controls / Technical controls
2.7.12 An integrated example of controls
2.7.13 Security Control assessment (SCA) / monitoring and measurement / reporting
2.7.13.1 Vulnerability assessments
2.7.13.2 Penetration testing
2.7.14 Continuous improvement
2.7.14.1 PDCA cycle / Deming Cycle / Shewhart Cycle
2.7.14.2 Continuous vs. Continual
2.7.15 Risk frameworks / risk management frameworks
2.8 Identify, analyze, and prioritize Disaster recovery (DR) / Business Continuity (BC) requirements
2.8.1 Project initiation
2.8.2 Develop and document project scope and plan
2.8.3 Business impact analysis (BIA)
2.8.3.1 Maximum tolerable downtime (MTD)
2.8.3.2 Recovery point objective (RPO)
2.9 Personnel security (Contribute to and enforce personnel security policies and procedures)
2.9.1 Before the employment, Candidate screening and hiring, employment agreement and policy
2.9.2 During the employment, onboarding processes
2.9.2.1 Separation of Duties (SOD)
2.9.2.2 Least Privilege (Need to Know)
2.9.2.3 Job Rotation
2.9.2.4 Mandatory Vacations
2.9.3 Termination processes
2.9.4 Vendor, consultant, and contractor agreements and controls
2.9.5 Compliance and privacy policy requirements
2.10 Understand and apply threat modelling concepts and methodologies
2.10.1 Threat modelling concepts
2.10.2 Example of threat modelling
2.11 Apply risk-based management concepts to the supply chain
2.11.1 Risks associated with hardware, software, and services
2.11.2 Third-party assessment and monitoring
2.11.2.1 Minimum security and service level requirements (SLR)
2.12 Establish and maintain a security awareness, education, and training program
2.12.1 Methods and techniques to present awareness and training
2.12.2 Security training
2.12.3 Program effectiveness evaluation and periodic content reviews

3 Asset Security (Domain 2)
3.1 Information classification and supporting assets
3.1.1 Classification (concern with access)
3.1.2 Categorization (concern with impact)
3.1.3 Asset and data classification
3.1.3.1 Data owners and data processors
3.1.3.2 Concerns when performing classification
3.2 Determine and maintain information and asset ownership
3.3 Protect privacy and collection limitations
3.4 Data retention
3.4.1 Data retention and destruction policy
3.4.2 Hardware and software considerations
3.4.3 Personnel
3.5 Data security controls
3.5.1 Data states
3.5.1.1 Data at Rest with cryptography
3.5.1.2 Data in Transit with cryptography
3.5.2 Baselines
3.5.3 Scoping and tailoring
3.6 Standards selection
3.6.1 United States
3.6.1.1 Department of Defense
3.6.1.2 National Security Agency (NSA)
3.6.1.3 National Institute of Standards and Technology (NIST)
3.6.2 United Kingdom
3.6.2.1 Communications-Electronics Security Group (CESG)
3.6.3 European Union
3.6.4 International Organization for Standardization (ISO)
3.6.5 International Telecommunication Union (ITU)
3.6.6 NATO Cooperative Cyber Defence Centre of Excellence
3.7 Establish information and asset handling requirements and data protection methods
3.7.1 Marking
3.7.2 Handling
3.7.3 Storing
3.7.4 Data remanence
3.7.4.1 Clearing
3.7.4.2 Purging
3.7.4.3 Overwriting
3.7.4.4 Degaussing
3.7.4.5 Encryption
3.7.4.6 Destruction
3.8 Quality control (QC) and quality assurance (QA)

4 Security Architecture and Engineering (Domain 3)
4.1 Engineering processes using secure design principles
4.1.1 Security engineering
4.1.2 Implement and manage security engineering using secure design principles
4.1.2.1 Principles
4.1.2.2 Relationships between principles and System life-cycles
4.2 Understand the fundamental concepts of security models
4.2.1 Common system components
4.2.1.1 Processors
4.2.1.2 Memory and storage (primary storage)
4.2.1.3 Memory and storage (secondary storage)
4.2.1.4 Memory and storage (virtual storage)
4.2.1.5 Memory and storage (memory protection)
4.2.2 Types of security Models
4.2.2.1 State Machine Model
4.2.2.2 Multilevel Lattice Models
4.2.2.3 Noninterference Models
4.2.2.4 Matrix-Based Model
4.2.2.5 Information Flow Model
4.2.3 Examples of security models
4.2.3.1 Bell-LaPadula Confidentiality Model / Bell-LaPadula Model / BLP
4.2.3.2 Biba Integrity Model / Biba Model
4.2.3.3 Clark-Wilson Integrity Model / Clark-Wilson Model
4.2.3.4 Lipner Model
4.2.3.5 Brewer-Nash (The Chinese Wall) Model
4.2.3.6 Graham-Denning Model
4.2.3.7 Harrison-Ruzzo-Ullman Model
4.3 Select controls and countermeasures based upon systems security evaluation models
4.3.1 Certification and accreditation
4.3.1.1 Certification
4.3.1.2 Accreditation
4.3.2 Product evaluation models
4.3.2.1 Trusted Computer System Evaluation Criteria (TCSEC)
4.3.2.2 Information Technology Security Evaluation Criteria (ITSEC)
4.3.2.3 Common Criteria
4.4 Understand security capabilities of information systems
4.4.1 Access control mechanisms
4.4.2 Secure memory management
4.4.2.1 Address space layout randomization (ASLR)
4.4.3 Processor states
4.4.3.1 Supervisor state
4.4.3.2 Problem state
4.4.4 Layering
4.4.5 Data hiding
4.4.6 Abstraction
4.4.7 Trusted Platform Module (TPM) [Cryptographic protections]
4.4.8 Host firewalls and intrusion prevention
4.4.9 Virtualization
4.4.10 Audit and monitoring controls
4.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
4.5.1 Client-based systems
4.5.1.1 Desktops and Laptops
4.5.1.2 Mobile devices
4.5.2 Server-based systems
4.5.2.1 Data Flow Diagram (DFD)
4.5.3 Database systems
4.5.3.1 Warehousing and data mart
4.5.3.2 Inference
4.5.3.3 Aggregation
4.5.3.4 Data mining / KDD
4.5.4 Large-scale parallel data systems
4.5.5 Distributed systems and Cloud-based systems
4.5.5.1 Cloud computing
4.5.5.2 Grid computing
4.5.5.3 Peer to peer (P2P)
4.5.6 Industrial control systems (ICS)
4.6 Assess and mitigate vulnerabilities in web-based systems
4.6.1 XML
4.6.2 SAML
4.6.3 OWASP / OWASP Secure Coding Practices
4.7 Assess and mitigate vulnerabilities in mobile systems
4.7.1 Remote computing
4.7.2 Mobile workers
4.8 Assess and mitigate vulnerabilities in embedded devices, cyber-physical systems and Internet of Things (IoT)
4.9 Cryptographic systems and Apply cryptography (Cryptographic life cycle and Cryptographic methods)
4.9.1 Key terms and definitions
4.9.1.1 Ciphertext
4.9.1.2 Plaintext
4.9.1.3 Cryptosystem
4.9.1.4 Encryption
4.9.1.5 Decryption
4.9.1.6 Key / Cryptovariable
4.9.1.7 Nonrepudiation
4.9.1.8 Algorithm
4.9.1.9 Cryptanalysis
4.9.1.10 Cryptology
4.9.1.11 Collision
4.9.1.12 Key space
4.9.1.13 Work factor
4.9.1.14 Initialization vector (IV)
4.9.1.15 Encoding
4.9.1.16 Decoding
4.9.1.17 Transposition / Permutation
4.9.1.18 Substitution
4.9.1.19 SP-Network
4.9.1.20 Confusion
4.9.1.21 Diffusion
4.9.2 Methods of cryptography
4.9.2.1 Stream-based Ciphers
4.9.2.2 Block Ciphers
4.9.3 Running Key Cipher with modular mathematics
4.9.4 One-time Pads
4.9.5 Symmetric encryption algorithms
4.9.5.1 DES (Data Encryption Standard)
4.9.5.2 DES: ECB (Block Cipher Modes of DES)
4.9.5.3 DES: CBC (Block Cipher Modes of DES)
4.9.5.4 DES: CFB (Stream Cipher Modes of DES)
4.9.5.5 DES: OFB (Stream Cipher Modes of DES)
4.9.5.6 DES: CTR (Stream Cipher Modes of DES)
4.9.5.7 Advantages and disadvantages of DES
4.9.5.8 Triple DES
4.9.5.9 Rijndael / Advanced Encryption Standard (AES)
4.9.5.10 International Data Encryption Algorithm (IDEA)
4.9.5.11 CAST
4.9.5.12 Blowfish
4.9.5.13 Twofish
4.9.5.14 RC4
4.9.5.15 RC5
4.9.5.16 Advantages and disadvantages of symmetric encryption algorithms
4.9.6 Asymmetric encryption algorithms
4.9.6.1 Asymmetric algorithms
4.9.6.2 Message confidentiality
4.9.6.3 Proof of origin (nonrepudiation)
4.9.6.4 Message confidentiality + proof of origin (nonrepudiation)
4.9.6.5 RSA
4.9.6.6 Diffie-Hellman Algorithm
4.9.6.7 El Gamal
4.9.6.8 Elliptic Curve Cryptography (ECC)
4.9.6.9 Advantages and disadvantages of asymmetric algorithms
4.9.7 Hybrid Cryptography
4.9.8 Hashing and salting
4.9.8.1 MD5 Message Digest Algorithm
4.9.8.2 Secure Hash Algorithm (SHA-1, SHA-2)
4.9.8.3 SHA-3
4.9.8.4 HAVAL
4.9.8.5 RIPEMD-160
4.9.9 Message Authentication Code (MAC)
4.9.9.1 HMAC (Keyed-Hash Message Authentication Code)
4.9.10 Public Key Infrastructure (PKI)
4.9.10.1 Digital signatures and digital signature standard (DSS)
4.9.10.2 Certification Authority (CA) and digital certificates
4.9.10.3 Registration Authority (RA)
4.9.10.4 Validation Authority (VA)
4.9.10.5 Key management: XML Key Management Specification (XKMS)
4.9.10.6 Key management: Key Escrow
4.9.10.7 Digital Rights Management (DRM)
4.9.11 Cryptanalysis and attacks
4.9.11.1 Ciphertext-Only Attack
4.9.11.2 Known-Plaintext Attack
4.9.11.3 Chosen-Plaintext Attack
4.9.11.4 Chosen-Ciphertext Attack
4.9.11.5 Brute Force
4.9.11.6 Dictionary Attack
4.9.11.7 Frequency Analysis
4.9.11.8 Rainbow Table
4.9.11.9 Birthday Attack
4.9.11.10 Side-channel Attack / Implementation Attack
4.9.11.11 Linear cryptanalysis
4.10 Implement site and facility security controls
4.10.1 Roadway Design
4.10.2 Crime Prevention Through Environmental Design (CPTED)
4.10.3 Entry points: Doors
4.10.3.1 Mantrap / Portal
4.10.4 Entry points: Windows
4.10.4.1 Types of glasses
4.10.5 Wiring closets and Ground Potential Rise (GPR)
4.10.6 Server rooms and rack security
4.10.7 Media storage, evidence storage and work (restricted) area security
4.10.8 Server room / data center security
4.10.9 Utilities and HVAC
4.10.9.1 Uninterruptible Power Supply (UPS)
4.10.9.2 Power Conditioner
4.10.9.3 Backup Power Source
4.10.9.4 HVAC
4.10.10 Fire prevention detection, suppression
4.10.10.1 Fire detection
4.10.10.2 Fire suppression

5 Communication and Network Security (Domain 4)
5.1 Network architecture and its design principles
5.1.1 OSI reference model
5.1.1.1 Layer 7: Application Layer
5.1.1.2 Layer 6: Presentation Layer
5.1.1.3 Layer 5: Session Layer
5.1.1.4 Layer 4: Transport Layer
5.1.1.5 Layer 3: Network Layer
5.1.1.6 Layer 2: Data Link Layer
5.1.1.7 Layer 1: Physical Layer
5.1.2 TCP / IP model
5.1.2.1 Application Layer
5.1.2.2 Transport Layer
5.1.2.3 Internet Layer
5.1.2.4 Network Interface Layer
5.1.3 OSI reference model vs. TCP / IP model
5.1.4 IP networking
5.1.4.1 IPv4 addressing
5.1.4.2 IPv6 addressing
5.1.4.3 Transmission Control Protocol (TCP)
5.1.4.4 User Datagram Protocol (UDP)
5.1.4.5 Ports
5.1.4.6 Routing protocols
5.1.4.7 RIPv1, RIPv2 and RIPng
5.1.4.8 OSPFv2 and OSPFv3
5.1.4.9 Border Gateway Protocol (BGP)
5.1.4.10 Dynamic Host Configuration Protocol (DHCP)
5.1.4.11 Internet Control Message Protocol (ICMP)
5.1.4.12 Domain Name Service (DNS)
5.1.5 Converged protocols
5.1.5.1 Fibre Channel (FC)
5.1.5.2 Internet Small Computer System Interface (iSCSI)
5.1.5.3 Fibre Channel over Ethernet (FCoE)
5.1.5.4 Multiprotocol Label Switching (MPLS)
5.1.5.5 Voice over IP (VoIP)
5.1.5.6 Session Initiation Protocol (SIP)
5.1.6 Multilayer protocols / Implications of multilayer protocols
5.1.6.1 DNP3
5.1.6.2 Modbus
5.1.7 Software-defined networks / Software-defined networking (SDN)
5.1.8 Wireless networks
5.1.8.1 Wi-Fi
5.1.8.2 Open system authentication
5.1.8.3 Shared key authentication
5.1.8.4 Wired equivalent privacy (WEP)
5.1.8.5 Wi-Fi protected access (WPA) / WPA2 / WPA3
5.1.8.6 “Parking lot” attack
5.1.8.7 SSID flaw
5.1.9 Cryptography used to maintain communication security
5.1.9.1 Certificate-based authentication
5.1.9.2 Client certificates
5.1.9.3 Server certificates
5.1.9.4 Secure / Multipurpose Internet Mail Extension (S/MIME)
5.2 Secure network components
5.2.1 Operation of hardware
5.2.1.1 Modems
5.2.1.2 Multiplexers
5.2.1.3 Switches and bridges
5.2.1.4 Hubs / Repeaters
5.2.1.5 Routers
5.2.1.6 Wireless access points (WAP / AP)
5.2.2 Transmission media
5.2.2.1 Shielded Twisted Pair (STP)
5.2.2.2 Unshielded Twisted Pair (UTP)
5.2.2.3 Coaxial Cable (Coax)
5.2.2.4 Fiber Optic / Optical Fiber
5.2.2.5 Plastic Optical Fiber
5.2.3 Network access control (NAC) devices
5.2.3.1 Firewalls
5.2.3.2 Network Address Translation (NAT) / Port Address Translation (PAT)
5.2.3.3 Proxies
5.2.4 Endpoint security / Physical devices
5.2.5 Content-distribution networks (CDN)
5.3 Secure communication channels
5.3.1 Voice
5.3.2 Multimedia collaboration
5.3.2.1 Remote meeting technology
5.3.2.2 Instant messaging (IM)
5.3.2.3 Extensible Messaging and Presence Protocol (XMPP) / Jabber
5.3.2.4 Internet Relay Chat (IRC)
5.3.3 IPsec VPN
5.3.3.1 IPsec VPN: Authentication Header (AH)
5.3.3.2 IPsec VPN: Encapsulating Secure Payload (ESP)
5.3.4 Screen scraping
5.3.5 Virtual desktop / application
5.3.6 Virtual LAN (VLAN)
5.3.7 Transport Layer Security (TLS) / Secure Sockets Layer (SSL)
5.3.7.1 TLS VPN / SSL VPN
5.3.8 Virtualized networks
5.3.8.1 vNetwork Standard Switch (vSwitch, vSS)
5.3.8.2 vNetwork Distributed Switch (dvSwitch, vDS)
5.3.8.3 Virtual Storage Area Network (VSAN)
5.4 Prevent network attacks
5.4.1 Intrusion Detection System (IDS)
5.4.2 Intrusion Prevention System (IPS)
5.5 Security event management (SEM) / security information and event management (SIEM)

6 Identity and Access Management (IAM) (Domain 5)
6.1 Control physical and logical access to assets
6.1.1 Logical access control
6.1.1.1 Access control of information
6.1.1.2 Centralized access control system for devices access control
6.1.1.3 Decentralized access control
6.1.1.4 Hybrid access control
6.1.2 Physical access control
6.1.2.1 Physical Access Control System for facilities
6.2 Manage identification and authentication of people and devices
6.2.1 Identification methods
6.2.2 Identification guidelines
6.2.3 Identification implementation
6.2.3.1 Password management
6.2.3.2 Account management
6.2.3.3 Profile management
6.2.3.4 Directory management and Lightweight Directory Access Protocol (LDAP)
6.2.3.5 Single Sign-On (SSO)
6.2.3.6 Kerberos
6.2.4 Single / Multi-factor authentication
6.2.4.1 Biometric
6.2.5 Federated identity management (FIM)
6.2.6 Session management
6.2.7 Registration and proof of identity
6.2.8 Credential management systems
6.2.9 Accountability
6.3 Identity as a service (IDaaS) and Third-Party identity service integration
6.3.1 On-premise and cloud implementations
6.4 Implement and manage authorization mechanisms
6.4.1 Role-Based Access Control (RBAC)
6.4.1.1 Non-RBAC
6.4.1.2 Limited RBAC
6.4.1.3 Hybrid RBAC
6.4.1.4 Full RBAC
6.4.2 Rule-Based Access Control
6.4.3 Discretionary Access Control (DAC)
6.4.4 Mandatory Access Control (MAC)
6.4.5 Attribute Based Access Control (ABAC)
6.5 Prevent and mitigate access control attacks and IAM
6.5.1 Identity and access provisioning lifecycle

7 Security Assessment and Testing (Domain 6)
7.1 Design and validate assessment, test and audit strategies
7.2 Security control testing
7.2.1 Vulnerability assessment
7.2.2 Penetration testing
7.2.3 Log reviews
7.2.4 RUM / EUM and Synthetic transactions
7.2.4.1 RUM / EUM
7.2.4.2 Synthetic transactions
7.2.5 Code Review and testing
7.2.5.1 Black-Box-Testing vs. White-Box-Testing
7.2.5.2 Dynamic Testing vs. Static Testing
7.2.5.3 Manual Testing vs. Automatic Testing
7.2.5.4 Lifecycle
7.2.6 Misuse Case Testing / Negative Testing
7.2.7 Code Coverage Analysis / Test Coverage Analysis
7.2.8 Interface Testing
7.3 Security process data collection and analysis
7.4 Report generation
7.5 Conduct or facilitate internal and third-party security audits

8 Security Operations (Domain 7)
8.1 Understand requirements for investigation types
8.1.1 Civil law
8.1.2 Common law
8.1.2.1 Criminal law
8.1.2.2 Regulatory law
8.1.3 eDiscovery
8.1.4 Industry standards
8.2 Understand and support investigations
8.2.1 Evidence collection and handling
8.2.1.1 Chain of Custody
8.2.1.2 Interviewing
8.2.2 Reporting and documenting
8.2.3 Investigation techniques
8.2.3.1 Root Cause Analysis (RCA)
8.2.4 Digital forensics, tactics, and procedures
8.3 Conducting logging and monitoring activities
8.3.1 Intrusion detection and intrusion prevention
8.3.1.1 Intrusion Detection System (IDS)
8.3.1.2 Intrusion Prevention System (IPS)
8.3.2 Security information and event management (SIEM)
8.3.3 Continuous monitoring
8.3.4 Egress monitoring
8.3.4.1 Data Leak / Loss Prevention (DLP)
8.3.4.2 Steganography
8.3.5 Watermarking
8.4 Configuration management (secure resource provisioning)
8.5 Understand and apply foundational security operations concepts
8.5.1 Need-to-know / least privilege
8.5.2 Separation of duties and responsibilities
8.5.3 Monitor special privileges
8.5.3.1 Administrators / System administrators
8.5.3.2 Operators
8.5.3.3 Security administrators, help desk, ordinary users
8.5.4 Job rotation
8.5.5 Information lifecycle
8.5.6 Service level agreement (SLA)
8.6 Apply resource protection techniques
8.6.1 Media management
8.6.1.1 Archival and offline storage
8.6.1.2 Cloud and virtual storage
8.6.2 Hardware and software asset management
8.7 Conduct Incident management
8.7.1 Detection
8.7.1.1 Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
8.7.1.2 Anti-malware systems
8.7.1.3 SIEM
8.7.2 Response
8.7.3 Mitigation
8.7.4 Reporting
8.7.5 Recovery
8.7.6 Remediation and Lessons learned
8.8 Operate and maintain detective and preventive measures
8.8.1 Firewalls
8.8.1.1 Bastion Host
8.8.1.2 Dual-Homed Firewall
8.8.1.3 Screened Host
8.8.1.4 Screened Subnet
8.8.2 Intrusion detection and prevention systems
8.8.3 Whitelisting, blacklisting and greylisting
8.8.4 Sandboxing, third-party security services, and honeypots / honeynets, anti-malware
8.8.4.1 Sandboxing and anti-malware
8.8.4.2 Third-party security services
8.8.4.3 Honeypots / Honeynets and anti-malware
8.9 Change management processes and patch / vulnerability management
8.10 Implement recovery strategies
8.10.1 Backup storage strategies
8.10.1.1 Electronic vaulting and offsite storage
8.10.1.2 Remote journaling and offsite storage
8.10.1.3 Database shadowing
8.10.1.4 Tape rotation
8.10.2 Recovery site strategies and multiple processing sites
8.10.3 System resilience, high availability, quality of service and fault tolerance
8.10.3.1 System resilience
8.10.3.2 High availability and fault tolerance
8.10.3.3 Quality of service
8.11 Implement disaster recovery (DR) process
8.11.1 Response and assessment
8.11.2 Personnel and communications
8.11.3 Restoration and assessment
8.11.4 Training and awareness
8.12 Participate in business continuity plan and disaster recovery plan testing and exercises
8.12.1 Read-through
8.12.2 Walkthrough
8.12.3 Simulation
8.12.4 Parallel
8.12.5 Full interruption
8.13 Implement and manage physical security
8.13.1 Perimeter
8.13.1.1 Gates and fences
8.13.1.2 Perimeter Intrusion Detection
8.13.1.3 Lighting
8.13.2 Internal security controls
8.13.2.1 CCTV
8.13.2.2 Visitor controls / escort requirements
8.13.2.3 Keys and locks
8.14 Participate in addressing personnel safety concerns
8.14.1 Duress
8.14.2 Travel monitoring

9 Software Development Security (Domain 8)
9.1 Understand and integrate security in software development lifecycle (SDLC)
9.1.1 Development methodologies
9.1.1.1 Waterfall
9.1.1.2 Agile
9.1.2 Maturity models
9.1.3 Operation and maintenance
9.1.4 Change management
9.1.5 Integrated Product Team (DevOps)
9.2 Security controls in development environments
9.2.1 Security of the software environments
9.2.1.1 Open source and “security by obscurity”
9.2.1.2 Security issues of programming languages
9.2.1.3 ACID in database transactions
9.2.2 Security weaknesses and vulnerabilities at the source-code level
9.2.2.1 Buffer Overflow and escalation of privilege
9.2.2.2 Input / output validation
9.2.2.3 Covert Channels
9.2.2.4 TOC (Time of Check) / TOU (Time of Use)
9.2.2.5 Cross-site scripting (XSS)
9.2.3 Configuration management as an aspect of secure coding
9.2.4 Security of code repositories
9.2.4.1 Physical security
9.2.4.2 System security
9.2.4.3 Operational security
9.2.4.4 Software security
9.2.4.5 Communications
9.2.4.6 Information / data backup
9.2.5 Security of application programming interfaces and REST / RESTful API
9.2.5.1 OAuth
9.3 Assess the effectiveness of software security
9.3.1 Certification and accreditation
9.3.2 Auditing and logging of changes
9.3.3 Risk analysis and mitigation
9.3.4 Code signing and code signing certificate
9.3.5 Regression and acceptance testing
9.3.5.1 Regression testing
9.3.5.2 Acceptance testing
9.4 Assess security impact of acquired software and SwA (Software Assurance)
9.4.1 Generic acquisition process
9.4.1.1 Planning Phase
9.4.1.2 Contracting Phase
9.4.1.3 Monitoring and Acceptance Phase
9.4.1.4 Follow-on

10 Appendix
10.1 Domain 1 topics
10.1.1 Other examples and topics of ethics
10.1.1.1 The Code of Fair Information Practices
10.1.1.2 Internet Architecture Board
10.1.1.3 Computer Ethics Institute (CEI)
10.1.1.4 Common ethics fallacies
10.1.2 Security Planning
10.1.2.1 Strategic Planning
10.1.2.2 Tactical Planning
10.1.2.3 Operational Planning
10.1.2.4 An example of security planning
10.1.3 Other risk assessment methodologies
10.1.3.1 NIST 800-30, NIST 800-39 and NIST 800-66
10.1.3.2 CCTA Risk Analysis and Management Method (CRAMM)
10.1.3.3 Failure mode and effects analysis (FMEA)
10.1.3.4 Facilitated risk analysis process (FRAP)
10.1.3.5 OCTAVE
10.1.3.6 Security Officers Management and Analysis Project (SOMAP)
10.1.3.7 Value at Risk (VaR)
10.1.4 Payment Card Industry Data Security Standard (PCI-DSS)
10.1.5 Industry and international security implementation guidelines
10.1.6 Control Objectives for Information and Related Technology (COBIT)
10.2 Domain 3 topics
10.2.1 System Life Cycle
10.2.2 Classic encryption systems
10.2.2.1 Null Cipher
10.2.2.2 The Rail Fence
10.2.2.3 Caesar Cipher / Monoalphabetic Cipher
10.2.2.4 Blaise de Vigenère / Polyalphabetic Cipher
10.2.2.5 Playfair Cipher
10.2.3 Double DES
10.2.4 More about fire suppression
10.2.4.1 Different classes of fire
10.2.4.2 Other fire suppression agents (except those mentioned in chapter 4.10.10.2)
10.2.5 Terms used in electrical voltage fluctuations
10.2.6 Trusted Computing Base (TCB)
10.2.7 Security Kernels and Reference Monitors
10.2.8 Common architecture frameworks
10.2.8.1 Zachman Framework
10.2.8.2 Sherwood Applied Business Security Architecture Framework
10.2.8.3 The Open Group Architecture Framework (TOGAF)
10.2.8.4 IT Infrastructure Library (ITIL v3 / ITIL 4)
10.3 Domain 4 topics
10.3.1 Simplex, half duplex and full duplex
10.3.2 File Transfer Protocol (FTP)
10.3.2.1 FTP Transfer modes: Active mode (PORT mode)
10.3.2.2 FTP Transfer modes: Passive mode (PASV mode)
10.3.2.3 Secure FTP with TLS (FTPS)
10.3.2.4 SSH File Transfer Protocol (SFTP)
10.3.2.5 FTP over SSH
10.3.3 Trivial File Transfer Protocol (TFTP)
10.3.4 Common Internet File System (CIFS) / Server Message Block (SMB)
10.3.5 Simple Mail Transfer Protocol (SMTP) / Extended Simple Mail Transfer Protocol (ESMTP)
10.3.6 Lightweight Directory Access Protocol (LDAP)
10.3.7 Network Basic Input Output System (NetBIOS)
10.3.8 Network Information Service (NIS / NIS+)
10.3.9 Fibre Channel over Internet Protocol (FCIP / FCoIP)
10.3.10 InfiniBand (IB)
10.3.11 MPLS Pseudowires / L2VPN
10.3.12 Circuit switched and packet switched networks
10.3.12.1 Circuit switched networks
10.3.12.2 Packet switched networks
10.3.13 Network attacks
10.3.13.1 Layered Defense Model
10.3.13.2 Domain litigation
10.3.13.3 Open mail relay and SPAM
10.3.13.4 Port scanning
10.3.13.5 Port scanning: FIN scanning / X-mas scanning / Null scanning
10.3.13.6 Teardrop
10.3.13.7 Overlapping fragment attack
10.3.13.8 Source Routing Exploitation
10.3.13.9 Denial of service and spoofing
10.3.13.10 SYN Flood
10.3.13.11 DDoS
10.3.13.12 Smurf attack
10.3.13.13 Email spoofing
10.3.13.14 DNS spoofing
10.3.13.15 Eavesdropping
10.3.13.16 Emanations
10.4 Domain 5 topics
10.4.1 X.500 and X.400
10.4.2 Biometric accuracy measurement
10.4.2.1 False Reject / False Reject Rate (Type I error)
10.4.2.2 False Accept / False Accept Rate (Type II error)
10.4.2.3 Crossover Error Rate (CER)
10.5 Domain 7 topics
10.5.1 High availability and fault tolerance in hard disk
10.5.1.1 RAID 0
10.5.1.2 RAID 1
10.5.1.3 RAID 5
10.5.1.4 Nested RAID Levels / RAID 10
10.5.2 Shoulder Surfing
10.6 Domain 8 topics
10.6.1 Database View
10.6.2 Von Neumann model
10.6.3 Relationship between acquisition processes and IEEE 1062, PMBOK, NIST SP 800-64, DoDI 5000.2, ISO / IEC 12207
10.6.4 Object-Oriented (OO) programming
10.6.4.1 Encapsulation
10.6.4.2 Inheritance
10.6.4.3 Polymorphism
10.6.5 Distributed object-oriented systems
10.6.5.1 CORBA (Common Object Request Broker Architecture)
10.6.5.2 EJB (Enterprise JavaBeans)
10.6.5.3 Microsoft COM / DCOM
10.6.6 Malicious Software (Malware)
10.6.6.1 Virus
10.6.6.2 Botnet
10.6.6.3 Worms
10.6.6.4 Logic Bombs
10.6.6.5 Trojan Horses
10.6.6.6 Hoax
10.6.7 Database Management System (DBMS)
10.6.7.1 Database Management System (DBMS) Elements
10.6.7.2 Relational Database Management System (RDBMS)
10.6.8 Normalization, primary keys, foreign keys and referential integrity
10.6.8.1 Normalization
10.6.8.2 Primary keys
10.6.8.3 Foreign keys and referential integrity
10.6.8.4 OODBMS and ORDBMS
10.6.9 Database Interface Languages
10.6.10 Secure Electronic Transaction (SET) Protocol
10.6.11 Cleanroom


The CISSP internationally recognised certification course run by this centre has achieved outstanding results, and local media have been keen to interview us about it. Below is the content of the education feature interview by Oriental Daily (《東方日報》).

[Click to view the full Oriental Daily (《東方日報》) report]
