CISSP For Dummies

by Lawrence C. Miller, Peter H. Gregory

Paperback (6th ed.)

$44.99

Overview

Secure your CISSP certification!

If you’re a security professional seeking your CISSP certification, this book is a perfect way to prepare for the exam. Covering in detail all eight domains, the expert advice inside gives you the key information you'll need to pass the exam. Plus, you'll get tips on setting up a 60-day study plan, tips for exam day, and access to an online test bank of questions.

CISSP For Dummies is fully updated and reorganized to reflect upcoming changes (ISC)2 has made to the Common Body of Knowledge. Complete with access to an online test bank, this book is the secret weapon you need to pass the exam and gain certification.

  • Get key information for all eight exam domains
  • Find test-taking and exam-day tips and tricks
  • Benefit from access to free online practice questions and flash cards
  • Prepare for the CISSP certification in 2018 and beyond

You’ve put in the time as a security professional—and now you can reach your long-term goal of CISSP certification.

Product Details

ISBN-13: 9781119505815
Publisher: Wiley
Publication date: 06/19/2018
Series: For Dummies Books
Edition description: 6th ed.
Pages: 560
Sales rank: 207,896
Product dimensions: 7.30(w) x 9.10(h) x 1.40(d)

About the Author

Lawrence Miller, CISSP, is a security consultant with experience in consulting, defense, legal, nonprofit, retail, and telecommunications. Peter Gregory, CISSP, is a CISO and an executive security advisor with experience in SaaS, retail, telecommunications, nonprofit, legalized gaming, manufacturing, consulting, healthcare, and local government.

Read an Excerpt

CISSP For Dummies


By Lawrence C. Miller, Peter Gregory

John Wiley & Sons

Copyright © 2012 John Wiley & Sons, Ltd
All rights reserved.
ISBN: 978-1-118-36239-6


CHAPTER 1

(ISC)2 and the CISSP Certification


In This Chapter

* Finding out about (ISC)2 and the CISSP certification

* Understanding CISSP certification requirements

* Registering for the exam

* Developing a study plan

* Taking the CISSP exam and waiting for results


Some say that the Certified Information Systems Security Professional (CISSP) candidate requires a breadth of knowledge 50 miles across and 2 inches deep. To embellish on this statement, we believe that the CISSP candidate is more like the Great Wall of China, with a knowledge base extending over 3,500 miles — maybe a few holes here and there, stronger in some areas than others, but nonetheless one of the Seven Wonders of the Modern World.

The problem with many currently available CISSP preparation materials is in defining how high the Great Wall actually is: Some material overwhelms and intimidates CISSP candidates, leading them to believe that the wall is as high as it is long. Other study materials are perilously brief and shallow, giving the unsuspecting candidate a false sense of confidence while he or she merely attempts to step over the Great Wall, careful not to stub a toe. To help you avoid either misstep, CISSP For Dummies answers the question, "What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?"


About (ISC)2 and the CISSP Certification

The International Information Systems Security Certification Consortium (ISC)2 (www.isc2.org) was established in 1989 as a nonprofit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.

The CISSP was the first information security credential to be accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024:2003 standard. This international standard helps to ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate's competence for the certification. This process helps a certification gain industry acceptance and credibility as more than just a marketing tool for certain vendor-specific certifications (a widespread criticism that has caused many vendor certifications to lose relevance over the years).


TECHNICAL STUFF

The ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.

The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)2 and defined through ten distinct domains:

* Access Control

* Telecommunications and Network Security

* Information Security Governance and Risk Management

* Software Development Security

* Cryptography

* Security Architecture and Design

* Security Operations

* Business Continuity and Disaster Recovery Planning

* Legal, Regulations, Investigations and Compliance

* Physical (Environmental) Security


You Must Be This Tall to Ride (and Other Requirements)

The CISSP candidate must have a minimum of five cumulative years of professional, full-time, direct work experience in two or more of the domains listed in the preceding section. The work experience requirement is a hands-on one — you can't satisfy the requirement by just having "information security" listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly.

However, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:

* A four-year college degree

* An advanced degree in information security from a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) or a regional equivalent

* A credential that appears on the (ISC)2 approved list, which includes more than 30 technical and professional certifications, such as various SANS GIAC certifications, Microsoft certifications, and CompTIA Security+ (For the complete list, go to www.isc2.org/credential_waiver/default.aspx.)


TIP

In the U.S., CAEIAE programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml.


Registering for the Exam

As of June 1, 2012, the CISSP exam is now being administered via computer-based testing (CBT) at local Pearson VUE testing centers worldwide. To register for the exam, go to the (ISC)2 website (www.isc2.org), click the Certifications tab, click Computer Based Testing (CBT), and then click the Register Now – Pearson VUE button; alternatively, go directly to the Pearson VUE website (http://pearsonvue.com/isc2/).

On the Pearson VUE website, you have to create a web account first; then you can register for the CISSP exam, schedule your test, and pay your testing fee. You can also locate a nearby test center, take a Pearson VUE testing tutorial, practice taking the exam (which you definitely should do if you've never taken a CBT), and then download the (ISC)2 non-disclosure agreement (NDA).


TIP

Download and read the (ISC)2 NDA when you register for the exam. You're given five minutes to read and accept the agreement at the start of your exam. If you don't accept the NDA in the allotted five minutes, your exam will end and you forfeit your exam fees!

When you register, you're required to quantify your work experience in information security, answer a few questions regarding criminal history and related background, and agree to abide by the (ISC)2 Code of Ethics.

The current exam fee in the U.S. is $599. You can cancel or re-schedule your exam by contacting VUE by telephone at least 24 hours in advance of your scheduled exam or online at least 48 hours in advance. The fee to re-schedule is $20.


WARNING!

If you fail to show up for your exam, you'll forfeit your entire exam fee!


TIP

Great news! If you're a U.S. military veteran and are eligible for Montgomery GI Bill benefits, the Veteran's Administration (VA) will reimburse you for the full cost of the exam, regardless of whether you pass or fail.


Preparing for the Exam

Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or training environment, (ISC)2 offers CISSP review seminars.

We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of two hours a day for 60 days. If you're a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day — and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this study out over a six-month period for 2 hours a day. Consider, however, that committing to six months of intense study is much harder (on you, as well as your family and friends) than two months. In the end, you'll find yourself studying only as much as you would have in a 60-day period anyway.


Studying on your own

Self-study can include books and study references, a study group, and practice exams.

Begin by downloading the free official CISSP Candidate Information Bulletin (CIB) from the (ISC)2 website. This booklet provides a good outline of the subjects on which you'll be tested.

Next, read this book, take the practice exam, and review the materials on the Dummies website (www.dummies.com). CISSP For Dummies is written to provide the CISSP candidate an excellent overview of all the broad topics covered on the CISSP exam.

You can also find several study guides at www.cissp.com, www.cccure.org, and www.cramsession.com.

Joining or creating your own study group can help you stay focused and also provide a wealth of information from the broad perspectives and experiences of other security professionals.


REMEMBER

No practice exams exactly duplicate the CISSP exam (and forget about brain dumps — using or contributing to brain dumps is unethical and is a violation of your NDA, which could result in losing your CISSP certification permanently). However, many resources are available for practice questions. Some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don't despair! The repetition of practice questions helps reinforce important information that you need to know in order to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Use the Practice Exam on the Dummies website (www.dummies.com), and try the practice questions at Clement Dupuis and Nathalie Lambert's CCCure website (www.cccure.org).


Getting hands-on experience

Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities while you prepare for the CISSP exam.

For example, if you're weak in networking or applications development, talk to the networking group or programmers in your company. They may be able to show you a few things that can help make sense of the volumes of information that you're trying to digest.


TIP

Your company or organization should have a security policy that's readily available to its employees. Get a copy and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn't have a security policy, perhaps now is a good time for you to educate management about issues of due care, due diligence, and other concepts from the Legal, Regulations, Investigations, and Compliance security domain.

Review your company's plans for business continuity and disaster recovery. They don't exist? Perhaps you can lead this initiative to help both you and your company.


Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar

The (ISC)2 also administers five-day CISSP CBK Review Seminars and Live OnLine seminars to help the CISSP candidate prepare. You can find schedules and registration forms for the CBK Review Seminar and Live OnLine on the (ISC)2 website at www.isc2.org.

The early rate for the CISSP CBK Review or Live OnLine seminar in the U.S. is $2,495 if you register 16 days or more in advance (the standard rate is $2,695).

If you generally learn better in a classroom environment or find that you have knowledge or actual experience in only two or three of the domains, you might seriously consider attending a review seminar.

If it's not convenient or practical for you to travel to a seminar, Live OnLine provides the benefit of learning from an (ISC)2 Authorized Instructor on your computer. Live OnLine provides all the features of classroom-based seminars: real-time delivery, access to archived modules, and all official courseware.


Attending other training courses or study groups

Other reputable organizations, such as SANS (www.sans.org), offer high-quality training in both classroom and self-study formats. Before signing up and spending your money, we suggest that you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends on the instructor; for this reason, try to find out from others whether the proposed instructor is as helpful as he or she is reported to be.

Many cities have self-study groups, usually run by CISSP volunteers. You may find a study group where you live; or, if you know some CISSPs in your area, you might ask them to help you organize a self-study group.


TIP

Always confirm the quality of a study course or training seminar before committing your money and time.


CROSS-REFERENCE

See Chapter 3 for more information on starting a CISSP study group.


Take the testing tutorial and practice exam

If you are not familiar with the operations of computer-based testing, you may want to take a practice exam. Go to the Pearson VUE website and look for the Pearson VUE Tutorial and Practice Exam (at www.pearsonvue.com/athena).

The tutorial and practice exam are available for Windows computers only. To use them, you must have at least 512 MB of RAM, 60 MB of available disk space, Windows 2000 or newer (XP, Vista, 7, or 8), and Microsoft Internet Explorer 5 or a newer browser.


Are you ready for the exam?

Are you ready for the big day? We can't answer this question for you. You must decide, on the basis of your individual learning factors, study habits, and professional experience, when you're ready for the exam. We don't know of any magic formula for determining your chances of success or failure on the CISSP examination. If you find one, please write to us so we can include it in the next edition of this book!

In general, we recommend a minimum of two months of focused study. Read this book and continue taking the practice exams — in this book and on the Dummies website — until you can consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information you need to know if you want to pass the CISSP examination. Read this book (and reread it) until you're comfortable with the information presented and can successfully recall and apply it in each of the ten domains.

Continue by reviewing other materials (particularly in your weak areas) and actively participating in an online or local study group. Take as many practice exams from as many different sources as possible. You can't find any brain dumps for the CISSP examination, and no practice test can exactly duplicate the actual exam (some practice tests are simply too easy, and others are too difficult), but repetition can help you retain the important knowledge required to succeed on the CISSP exam.


About the CISSP Examination

The CISSP examination itself is a grueling six-hour, 250-question marathon. To put that into perspective, in six hours, you could walk about 20 miles, watch a Kevin Costner movie 1½ times, or sing "My Way" 540 times on a karaoke machine. Each of these feats, respectively, closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.

As described by the (ISC)2, you need a scaled score of 700 or better to pass the examination. Not all the questions are weighted equally, so we can't absolutely state the number of correct questions required for a passing score.

You won't find any multiple-answer, fill-in-the-blank, scenario-based, or simulation questions on the CISSP exam. However, all 250 multiple-choice questions require you to select the best answer from four possible choices. So the correct answer isn't always a straightforward, clear choice. In fact, you can count on many questions to appear initially as if they have more than one correct answer. (ISC)2 goes to great pains to ensure that you really, really know the material. For instance, a sample question might resemble the following:

Which of the following is the FTP control channel?

A. TCP port 21

B. UDP port 21

C. TCP port 25

D. IP port 21


Many readers almost instinctively know that FTP's control channel is port 21, but is it TCP, UDP, or IP?

Increasingly, CISSP exam questions are based more on situations than on simple knowledge of facts. For instance, here's a question you might get:

A system administrator has found that a former employee has successfully logged in to the system. The system administrator should:

A. Shut down the system.

B. Confirm the breach in the security logs.

C. Lock or remove the user account.

D. Contact law enforcement.


(Continues...)

Excerpted from CISSP For Dummies by Lawrence C. Miller, Peter Gregory. Copyright © 2012 John Wiley & Sons, Ltd. Excerpted by permission of John Wiley & Sons.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Table of Contents

Introduction 1

About This Book 2

Foolish Assumptions 3

Icons Used in This Book 4

Beyond the Book 4

Where to Go from Here 5

Part 1: Getting Started with CISSP Certification 7

Chapter 1: (ISC)2 and the CISSP Certification 9

About (ISC)2 and the CISSP Certification 9

You Must Be This Tall to Ride This Ride (and Other Requirements) 10

Preparing for the Exam 12

Studying on your own 12

Getting hands-on experience 13

Getting official (ISC)2 CISSP training 14

Attending other training courses or study groups 14

Take the practice exam 15

Are you ready for the exam? 15

Registering for the Exam 16

About the CISSP Examination 17

After the Examination 20

Chapter 2: Putting Your Certification to Good Use 23

Networking with Other Security Professionals 24

Being an Active (ISC)2 Member 25

Considering (ISC)2 Volunteer Opportunities 26

Writing certification exam questions 26

Speaking at events 26

Helping at (ISC)2 conferences 27

Read and contribute to (ISC)2 publications 27

Support the (ISC)2 Center for Cyber Safety and Education 27

Participating in (ISC)2 focus groups 28

Join the (ISC)2 Community 28

Get involved with a CISSP study group 28

Help others learn more about data security 28

Becoming an Active Member of Your Local Security Chapter 29

Spreading the Good Word about CISSP Certification 30

Wear the colors proudly 31

Lead by example 31

Using Your CISSP Certification to Be an Agent of Change 32

Earning Other Certifications 32

Other (ISC)2 certifications 33

CISSP concentrations 33

Non-(ISC)2 certifications 34

Choosing the right certifications 37

Find a mentor, be a mentor 38

Pursue Security Excellence 38

Part 2: Certification Domains 41

Chapter 3: Security and Risk Management 43

Apply Security Governance Principles 44

Alignment of security function to business strategy, goals, mission, and objectives 44

Organizational processes (security executive oversight) 45

Security roles and responsibilities 46

Control frameworks 48

Due care 50

Due diligence 50

Understand and Apply Concepts of Confidentiality, Integrity, and Availability 51

Confidentiality 51

Integrity 52

Availability 52

Compliance 53

Legislative and regulatory compliance 53

Privacy requirements compliance 57

Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context 58

Computer crimes 58

Licensing and intellectual property 72

Import/export controls 74

Trans-border data flow 75

Privacy 75

Data breaches 80

Understand Professional Ethics 82

Exercise the (ISC)2 Code of Professional Ethics 83

Support your organization’s code of ethics 83

Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines 85

Policies 86

Standards (and baselines) 87

Procedures 87

Guidelines 87

Understand Business Continuity Requirements 87

Develop and document project scope and plan 90

Conduct Business Impact Analysis 98

Developing the Business Continuity Plan 106

Implementing the BCP 110

Contribute to Personnel Security Policies 111

Employment candidate screening 112

Employment agreements and policies 114

Employment termination processes 115

Vendor, consultant, and contractor controls 115

Compliance 115

Privacy 116

Understand and Apply Risk Management Concepts 116

Identify threats and vulnerabilities 116

Risk assessment/analysis (treatment) 117

Risk treatment 122

Countermeasure selection 123

Implementation 124

Types of controls 125

Control assessment 127

Monitoring and measurement 129

Asset valuation 129

Reporting 130

Continuous improvement 130

Risk frameworks 131

Understand and Apply Threat Modeling 132

Identifying threats 133

Determining and diagramming potential attacks 134

Performing reduction analysis 135

Technologies and processes to remediate threats 135

Integrate Security Risk Considerations into Supply Chain Management, Mergers, and Acquisitions 136

Hardware, software, and services 137

Third-party assessment and monitoring 137

Minimum security requirements 137

Service-level requirements 137

Establish and Manage Information Security Education, Training, and Awareness 138

Appropriate levels of awareness, training and education required within organization 138

Measuring the effectiveness of security training 140

Periodic reviews for content relevancy 141

Chapter 4: Asset Security 143

Classify Information and Supporting Assets 143

Commercial data classification 144

Government data classification 145

Determine and Maintain Ownership 146

Protect Privacy 148

Ensure Appropriate Retention 150

Determine Data Security Controls 151

Baselines 152

Scoping and tailoring 152

Standards selection 153

Cryptography 153

Establish Handling Requirements 154

Chapter 5: Security Architecture and Engineering 155

Implement and Manage Engineering Processes Using Secure Design Principles 155

Understand the Fundamental Concepts of Security Models 157

Confidentiality 158

Integrity 158

Availability 159

Access control models 160

Select Controls Based upon Systems Security Requirements 162

Evaluation criteria 163

System certification and accreditation 167

Security controls and countermeasures 169

Understand Security Capabilities of Information Systems 173

Computer architecture 173

Trusted Computing Base (TCB) 180

Trusted Platform Module (TPM) 181

Secure modes of operation 181

Open and closed systems 182

Protection rings 183

Security modes 183

Recovery procedures 184

Vulnerabilities in security architectures 184

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 185

Client-based systems 185

Server-based systems 186

Database systems 187

Large-scale parallel data systems 187

Distributed systems 188

Cryptographic systems 189

Industrial control systems 189

Cloud-based systems 190

Internet of Things 192

Assess and Mitigate Vulnerabilities in Web-Based Systems 193

Assess and Mitigate Vulnerabilities in Mobile Systems 194

Assess and Mitigate Vulnerabilities in Embedded Devices 195

Apply Cryptography 196

Cryptographic lifecycle 198

Plaintext and ciphertext 199

Encryption and decryption 199

Cryptography alternatives 205

Not quite the metric system: Symmetric and asymmetric key systems 206

Message authentication 216

Public Key Infrastructure (PKI) 219

Key management functions 220

Key escrow and key recovery 221

Methods of attack 221

Apply Security Principles to Site and Facility Design 224

Choosing a secure location 226

Designing a secure facility 226

Implement Site and Facility Security Controls 229

Wiring closets, server rooms, media storage facilities, and evidence storage 229

Restricted and work area security 230

Utilities and HVAC considerations 231

Water issues 234

Fire prevention, detection, and suppression 234

Chapter 6: Communication and Network Security 239

Implement Secure Design Principles in Network Architectures 239

OSI and TCP/IP models 241

Cryptography used to maintain communication security 279

Secure Network Components 280

Operation of hardware 280

Transmission media 280

Network access control devices 282

Endpoint security 292

Content distribution networks 294

Physical devices 294

Design and Establish Secure Communication Channels 295

Voice 295

Email 296

Web 300

Facsimile 302

Multimedia collaboration 302

Remote access 303

Data communications 308

Virtualized networks 309

Virtualization 309

Prevent or Mitigate Network Attacks 310

Bluejacking and bluesnarfing 310

ICMP flood 311

Smurf 311

Fraggle 311

DNS Server Attacks 311

Man-in-the-Middle 311

Session hijacking (spoofing) 312

Session hijacking (session token interception) 312

SYN flood 312

Teardrop 312

UDP flood 313

Eavesdropping 313

Chapter 7: Identity and Access Management 315

Control Physical and Logical Access to Assets 316

Information 316

Systems and devices 316

Facilities 317

Life safety 318

Manage Identification and Authentication of People, Devices, and Services 319

Identity management implementation 319

Single/multi-factor authentication 328

Accountability 343

Session management 344

Registration and proofing of identity 344

Federated identity management 346

Credential management systems 346

Integrate Identity-as-a-Service 347

Integrate Third-Party Identity Services 348

Implement and Manage Authorization Mechanisms 348

Access control techniques 349

Prevent or Mitigate Access Control Attacks 353

Manage the Identity and Access Provisioning Lifecycle 355

Chapter 8: Security Assessment and Testing 357

Design and Validate Assessment and Test Strategies 357

Conduct Security Control Testing 359

Vulnerability assessments 359

Penetration testing 361

Log reviews 365

Synthetic transactions 367

Code review and testing 368

Misuse case testing 368

Test coverage analysis 370

Interface testing 370

Collect Security Process Data 371

Account management 371

Management review 372

Key performance and risk indicators 373

Backup verification data 374

Training and awareness 375

Disaster recovery and business continuity 375

Analyze Test Output and Generate Reports 376

Conduct or Facilitate Security Audits 376

Chapter 9: Security Operations 379

Understand and Support Investigations 379

Evidence collection and handling 379

Reporting and documentation 386

Investigative techniques 387

Digital forensics tools, tactics, and procedures 389

Understand Requirements for Investigation Types 390

Conduct Logging and Monitoring Activities 391

Intrusion detection and prevention 391

Security information and event management 393

Continuous monitoring 393

Egress monitoring 394

Securely Provisioning Resources 394

Understand and Apply Foundational Security Operations Concepts 396

Need-to-know and least privilege 396

Separation of duties and responsibilities 397

Privileged account management 398

Job rotation 400

Information lifecycle 402

Service-level agreements 402

Apply Resource Protection Techniques 405

Media management 406

Hardware and software asset management 407

Conduct Incident Management 407

Operate and Maintain Detective and Preventive Measures 409

Implement and Support Patch and Vulnerability Management 411

Understand and Participate in Change Management Processes 412

Implement Recovery Strategies 412

Backup storage strategies 413

Recovery site strategies 413

Multiple processing sites 413

System resilience, high availability, quality of service, and fault tolerance 414

Implement Disaster Recovery (DR) Processes 415

Response 419

Personnel 421

Communications 421

Assessment 422

Restoration 423

Training and awareness 423

Test Disaster Recovery Plans 423

Read-through 424

Walkthrough or tabletop 424

Simulation 424

Parallel 425

Full interruption (or cutover) 426

Participate in Business Continuity (BC) Planning and Exercises 427

Implement and Manage Physical Security 427

Address Personnel Safety and Security Concerns 428

Chapter 10: Software Development Security 429

Understand and Integrate Security in the Software Development Lifecycle 429

Development methodologies 430

Maturity models 437

Operation and maintenance 438

Change management 439

Integrated product team 439

Identify and Apply Security Controls in Development Environments 440

Security of the software environments 440

Configuration management as an aspect of secure coding 442

Security of code repositories 443

Assess the Effectiveness of Software Security 444

Auditing and logging of changes 444

Risk analysis and mitigation 445

Acceptance testing 446

Assess Security Impact of Acquired Software 447

Define and Apply Secure Coding Guidelines and Standards 448

Security weaknesses and vulnerabilities at the source-code level 448

Security of application programming interfaces 450

Secure coding practices 451

Part 3: The Part of Tens 453

Chapter 11: Ten Test-Planning Tips 455

Know Your Learning Style 455

Get a Networking Certification First 456

Register Now! 456

Make a 60-Day Study Plan 456

Get Organized and Read! 457

Join a Study Group 458

Take Practice Exams 458

Take a CISSP Training Seminar 458

Adopt an Exam-Taking Strategy 459

Take a Breather 459

Chapter 12: Ten Test-Day Tips 461

Get a Good Night’s Rest 461

Dress Comfortably 461

Eat a Good Meal 462

Arrive Early 462

Bring a Photo ID 462

Bring Snacks and Drinks 462

Bring Prescription and Over-the-Counter Medications 463

Leave Your Mobile Devices Behind 463

Take Frequent Breaks 463

Guess — as a Last Resort 464

Glossary 465

Index 509