Overview
The CISSP certification, held by more than 150,000 security professionals worldwide, is the gold standard of cybersecurity certifications. The CISSP Exam certifies cybersecurity professionals and opens doors for career advancement. Fully updated and revised to reflect the 2024 ISC2 CISSP Exam Outline, CISSP For Dummies is packed with helpful content for all eight security domains. This book includes access to online study tools such as practice questions and digital flashcards, boosting your likelihood of success on the exam. Plus, you'll feel prepared and ready for test day thanks to a 60-day study plan. Boost your security career with this Dummies study guide.
- Review all the content covered in the latest CISSP Exam
- Test with confidence and achieve your certification as a cybersecurity professional
- Study smarter, thanks to online practice resources and a 60-day study plan
- Enhance your career with the in-demand CISSP certification
- Continue advancing your career and the profession through speaking and mentoring opportunities
With up-to-date content and valuable test prep features, this book is a one-and-done resource for any cybersecurity professional studying for the CISSP exam.
Product Details
| Field | Value |
|---|---|
| ISBN-13 | 9781394261789 |
| Publisher | Wiley |
| Publication date | 06/21/2024 |
| Sold by | JOHN WILEY & SONS |
| Format | eBook |
| Pages | 608 |
| Sales rank | 321,119 |
| File size | 3 MB |
Read an Excerpt
CISSP For Dummies
By Lawrence C. Miller, Peter Gregory
John Wiley & Sons
Copyright © 2012 John Wiley & Sons, Ltd. All rights reserved.
ISBN: 978-1-118-36239-6
CHAPTER 1
(ISC)2 and the CISSP Certification
In This Chapter
* Finding out about (ISC)2 and the CISSP certification
* Understanding CISSP certification requirements
* Registering for the exam
* Developing a study plan
* Taking the CISSP exam and waiting for results
Some say that the Certified Information Systems Security Professional (CISSP) candidate requires a breadth of knowledge 50 miles across and 2 inches deep. To embellish on this statement, we believe that the CISSP candidate is more like the Great Wall of China, with a knowledge base extending over 3,500 miles — maybe a few holes here and there, stronger in some areas than others, but nonetheless one of the Seven Wonders of the Modern World.
The problem with many currently available CISSP preparation materials is in defining how high the Great Wall actually is: Some material overwhelms and intimidates CISSP candidates, leading them to believe that the wall is as high as it is long. Other study materials are perilously brief and shallow, giving the unsuspecting candidate a false sense of confidence while he or she merely attempts to step over the Great Wall, careful not to stub a toe. To help you avoid either misstep, CISSP For Dummies answers the question, "What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?"
About (ISC)2 and the CISSP Certification
The International Information Systems Security Certification Consortium (ISC)2 (www.isc2.org) was established in 1989 as a nonprofit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.
The CISSP was the first information security credential to be accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024:2003 standard. This international standard helps to ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate's competence for the certification. This process helps a certification gain industry acceptance and credibility as more than just a marketing tool for certain vendor-specific certifications (a widespread criticism that has caused many vendor certifications to lose relevance over the years).
TECHNICAL STUFF
The ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.
The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)2 and defined through ten distinct domains:
* Access Control
* Telecommunications and Network Security
* Information Security Governance and Risk Management
* Software Development Security
* Cryptography
* Security Architecture and Design
* Security Operations
* Business Continuity and Disaster Recovery Planning
* Legal, Regulations, Investigations and Compliance
* Physical (Environmental) Security
You Must Be This Tall to Ride (and Other Requirements)
The CISSP candidate must have a minimum of five cumulative years of professional, full-time, direct work experience in two or more of the domains listed in the preceding section. The work experience requirement is a hands-on one — you can't satisfy the requirement by just having "information security" listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly.
However, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:
* A four-year college degree
* An advanced degree in information security from a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) or a regional equivalent
* A credential that appears on the (ISC)2 approved list, which includes more than 30 technical and professional certifications, such as various SANS GIAC certifications, Microsoft certifications, and CompTIA Security+ (For the complete list, go to www.isc2.org/credential_waiver/default.aspx.)
TIP
In the U.S., CAEIAE programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml.
Registering for the Exam
As of June 1, 2012, the CISSP exam is now being administered via computer-based testing (CBT) at local Pearson VUE testing centers worldwide. To register for the exam, go to the (ISC)2 website (www.isc2.org), click the Certifications tab, click Computer Based Testing (CBT), and then click the Register Now – Pearson VUE button; alternatively, go directly to the Pearson VUE website (http://pearsonvue.com/isc2/).
On the Pearson VUE website, you have to create a web account first; then you can register for the CISSP exam, schedule your test, and pay your testing fee. You can also locate a nearby test center, take a Pearson VUE testing tutorial, practice taking the exam (which you definitely should do if you've never taken a CBT), and then download the (ISC)2 non-disclosure agreement (NDA).
TIP
Download and read the (ISC)2 NDA when you register for the exam. You're given five minutes to read and accept the agreement at the start of your exam. If you don't accept the NDA in the allotted five minutes, your exam will end and you forfeit your exam fees!
When you register, you're required to quantify your work experience in information security, answer a few questions regarding criminal history and related background, and agree to abide by the (ISC)2 Code of Ethics.
The current exam fee in the U.S. is $599. You can cancel or re-schedule your exam by contacting VUE by telephone at least 24 hours in advance of your scheduled exam or online at least 48 hours in advance. The fee to re-schedule is $20.
WARNING!
If you fail to show up for your exam, you'll forfeit your entire exam fee!
TIP
Great news! If you're a U.S. military veteran and are eligible for Montgomery GI Bill benefits, the Veteran's Administration (VA) will reimburse you for the full cost of the exam, regardless of whether you pass or fail.
Preparing for the Exam
Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or training environment, (ISC)2 offers CISSP review seminars.
We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of two hours a day for 60 days. If you're a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day — and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this study out over a six-month period for 2 hours a day. Consider, however, that committing to six months of intense study is much harder (on you, as well as your family and friends) than two months. In the end, you'll find yourself studying only as much as you would have in a 60-day period anyway.
Studying on your own
Self-study can include books and study references, a study group, and practice exams.
Begin by downloading the free official CISSP Candidate Information Bulletin (CIB) from the (ISC)2 website. This booklet provides a good outline of the subjects on which you'll be tested.
Next, read this book, take the practice exam, and review the materials on the Dummies website (www.dummies.com). CISSP For Dummies is written to provide the CISSP candidate an excellent overview of all the broad topics covered on the CISSP exam.
You can also find several study guides at www.cissp.com, www.cccure.org, and www.cramsession.com.
Joining or creating your own study group can help you stay focused and also provide a wealth of information from the broad perspectives and experiences of other security professionals.
REMEMBER
No practice exams exactly duplicate the CISSP exam (and forget about brain dumps — using or contributing to brain dumps is unethical and is a violation of your NDA which could result in losing your CISSP certification permanently). However, many resources are available for practice questions. Some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don't despair! The repetition of practice questions helps reinforce important information that you need to know in order to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Use the Practice Exam on the Dummies website (www.dummies.com), and try the practice questions at Clement Dupuis and Nathalie Lambert's CCCure website (www.cccure.org).
Getting hands-on experience
Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities while you prepare for the CISSP exam.
For example, if you're weak in networking or applications development, talk to the networking group or programmers in your company. They may be able to show you a few things that can help make sense of the volumes of information that you're trying to digest.
TIP
Your company or organization should have a security policy that's readily available to its employees. Get a copy and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn't have a security policy, perhaps now is a good time for you to educate management about issues of due care, due diligence, and other concepts from the Legal, Regulations, Investigations, and Compliance security domain.
Review your company's plans for business continuity and disaster recovery. They don't exist? Perhaps you can lead this initiative to help both you and your company.
Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar
The (ISC)2 also administers five-day CISSP CBK Review Seminars and Live OnLine seminars to help the CISSP candidate prepare. You can find schedules and registration forms for the CBK Review Seminar and Live OnLine on the (ISC)2 website at www.isc2.org.
The early rate for the CISSP CBK Review or Live OnLine seminar in the U.S. is $2,495 if you register 16 days or more in advance (the standard rate is $2,695).
If you generally learn better in a classroom environment or find that you have knowledge or actual experience in only two or three of the domains, you might seriously consider attending a review seminar.
If it's not convenient or practical for you to travel to a seminar, Live OnLine provides the benefit of learning from an (ISC)2 Authorized Instructor on your computer. Live OnLine provides all the features of classroom-based seminars: real-time delivery, access to archived modules, and all official courseware.
Attending other training courses or study groups
Other reputable organizations, such as SANS (www.sans.org), offer high-quality training in both classroom and self-study formats. Before signing up and spending your money, we suggest that you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends on the instructor; for this reason, try to find out from others whether the proposed instructor is as helpful as he or she is reported to be.
Many cities have self-study groups, usually run by CISSP volunteers. You may find a study group where you live; or, if you know some CISSPs in your area, you might ask them to help you organize a self-study group.
TIP
Always confirm the quality of a study course or training seminar before committing your money and time.
CROSS-REFERENCE
See Chapter 3 for more information on starting a CISSP study group.
Take the testing tutorial and practice exam
If you are not familiar with the operations of computer-based testing, you may want to take a practice exam. Go to the Pearson VUE website and look for the Pearson VUE Tutorial and Practice Exam (at www.pearsonvue.com/athena).
The tutorial and practice exam are available for Windows computers only. To use them, you must have at least 512 MB of RAM, 60 MB of available disk space, Windows 2000 or newer (XP, Vista, 7, or 8), and Microsoft Internet Explorer 5 or a newer browser.
Are you ready for the exam?
Are you ready for the big day? We can't answer this question for you. You must decide, on the basis of your individual learning factors, study habits, and professional experience, when you're ready for the exam. We don't know of any magic formula for determining your chances of success or failure on the CISSP examination. If you find one, please write to us so we can include it in the next edition of this book!
In general, we recommend a minimum of two months of focused study. Read this book and continue taking the practice exams — in this book and on the Dummies website — until you can consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information you need to know if you want to pass the CISSP examination. Read this book (and reread it) until you're comfortable with the information presented and can successfully recall and apply it in each of the ten domains.
Continue by reviewing other materials (particularly in your weak areas) and actively participating in an online or local study group. Take as many practice exams from as many different sources as possible. You can't find any brain dumps for the CISSP examination, and no practice test can exactly duplicate the actual exam (some practice tests are simply too easy, and others are too difficult), but repetition can help you retain the important knowledge required to succeed on the CISSP exam.
About the CISSP Examination
The CISSP examination itself is a grueling six-hour, 250-question marathon. To put that into perspective, in six hours, you could walk about 20 miles, watch a Kevin Costner movie 1½ times, or sing "My Way" 540 times on a karaoke machine. Each of these feats, respectively, closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.
As described by the (ISC)2, you need a scaled score of 700 or better to pass the examination. Not all the questions are weighted equally, so we can't absolutely state the number of correct questions required for a passing score.
You won't find any multiple-answer, fill-in-the-blank, scenario-based, or simulation questions on the CISSP exam. However, all 250 multiple-choice questions require you to select the best answer from four possible choices. So the correct answer isn't always a straightforward, clear choice. In fact, you can count on many questions to appear initially as if they have more than one correct answer. (ISC)2 goes to great pains to ensure that you really, really know the material. For instance, a sample question might resemble the following:
Which of the following is the FTP control channel?
A. TCP port 21
B. UDP port 21
C. TCP port 25
D. IP port 21
Many readers almost instinctively know that FTP's control channel is port 21, but is it TCP, UDP, or IP?
Increasingly, CISSP exam questions are based more on situations than on simple knowledge of facts. For instance, here's a question you might get:
A system administrator has found that a former employee has successfully logged in to the system. The system administrator should:
A. Shut down the system.
B. Confirm the breach in the security logs.
C. Lock or remove the user account.
D. Contact law enforcement.
(Continues...)
Excerpted from CISSP For Dummies by Lawrence C. Miller, Peter Gregory. Copyright © 2012 John Wiley & Sons, Ltd. Excerpted by permission of John Wiley & Sons.
Table of Contents
Introduction
About This Book
How This Book Is Organized
Certification Basics
Domains
The Part of Tens
Appendixes and Bonus Chapters
How the Chapters Are Organized
Chapter introductions
Study subjects
Tables and illustrations
Prep Tests
Icons Used in This Book
Let's Get Started!
Certification Basics
(ISC)2 and the CISSP Certification
About (ISC)2 and the CISSP Certification
You Must Be This Tall to Ride (And Other Minimum Requirements)
Registering for the Exam
Developing a Study Plan
Self-study
Getting hands-on experience
Attending an (ISC)2 CISSP review seminar
Attending other training courses or study groups
Are you ready for the exam?
About the CISSP Examination
Waiting for Your Results
The Common Body of Knowledge (CBK)
Access Control
Telecommunications and Network Security
Information Security and Risk Management
Application Security
Cryptography
Security Architecture and Design
Operations Security
Business Continuity and Disaster Recovery Planning
Legal, Regulations, Compliance, and Investigations
Physical (Environmental) Security
Putting Your Certification to Good Use
Following the (ISC)2 Code of Ethics
Keeping Your Certification Current
Remaining an Active (ISC)2 Member
Considering (ISC)2 Volunteer Opportunities
Writing certification exam questions
Speaking at events
Supervising examinations
Writing articles for the (ISC)2 Journal or (ISC)2 Newsletter
Participating in (ISC)2 focus groups
Getting involved with a study group
Becoming an Active Member of Your Local Security Chapter
Spreading the Good Word about CISSP Certification
Promoting other certifications
Wearing the colors proudly
Using Your CISSP Certification to Be an Agent of Change
Earning Other Certifications
Other (ISC)2 certifications
Non-(ISC)2 certifications
Choosing the right certifications
Domains
Access Control
Uncovering Concepts of Access Control
Control types
Access control services
Categories of Access Control
System access controls
Data access controls
Evaluating and Testing Access Controls
Why test?
When and how to test
Additional References
Telecommunications and Network Security
Data Network Types
Local area network (LAN)
Wide area network (WAN)
The OSI Reference Model
Physical Layer (Layer 1)
Data Link Layer (Layer 2)
Network Layer (Layer 3)
Transport Layer (Layer 4)
Session Layer (Layer 5)
Presentation Layer (Layer 6)
Application Layer (Layer 7)
The TCP/IP Model
Network Security
Firewalls
Virtual Private Networks (VPNs)
Intrusion detection and prevention systems (IDS and IPS)
Remote access
E-mail, Web, Facsimile, and Telephone Security
E-mail security
Web security
Facsimile security
PBX fraud and abuse
Caller ID fraud and abuse
Network Attacks and Countermeasures
SYN flood
ICMP flood
UDP flood
Smurf
Fraggle
Teardrop
Session hijacking (Spoofing)
Additional References
Information Security and Risk Management
Information Security Management Concepts and Principles
Confidentiality
Integrity
Availability
Defense-in-depth
Avoiding single points of failure
Data Classification
Commercial data classification
Government data classification
Mission Statements, Goals, and Objectives
Mission (not so impossible)
Goals and objectives
Policies, Standards, Guidelines, and Procedures
Policies
Standards (and baselines)
Guidelines
Procedures
Information Security Management Practices
Outsourcing
Internal Service Level Agreements (SLAs)
Identity management
Certification and accreditation
Personnel Security Policies and Practices
Background checks and security clearances
Employment agreements
Hiring and termination practices
Job descriptions
Security roles and responsibilities
Separation of duties and responsibilities
Job rotations
Risk Management Concepts
Risk identification
Risk analysis
Risk control
Security Education, Training, and Awareness Programs
Awareness
Training
Education
Additional References
Application Security
Distributed Applications
Security in distributed systems
Agents
Applets
Object-Oriented Environments
Databases
Database security
Data dictionaries
Data warehouses
Knowledge-Based Systems
Expert systems
Neural networks
Systems Development Life Cycle
Conceptual definition
Functional requirements
Functional specifications
Design
Coding
Code review
Unit test
System test
Certification
Accreditation
Maintenance
Notes about the life cycle
Change Management
Configuration Management
Application Security Controls
Process isolation
Hardware segmentation
Separation of privilege
Accountability
Defense in depth
Abstraction
Data hiding
System high mode
Security kernel
Reference monitor
Supervisor and user modes
Service Level Agreements
System Attack Methods
Malicious code
Denial of Service
Dictionary attacks
Spoofing
Social engineering
Pseudo flaw
Remote maintenance
Maintenance hooks
Sniffing and eavesdropping
Traffic analysis and inference
Brute force
Antivirus software
Perpetrators
Hackers
Script kiddies
Virus writers
Bot herders
Phreakers
Black hats and white hats
Additional References
Cryptography
The Role of Cryptography in Information Security
Cryptography Basics
Classes of ciphers
Types of ciphers
Key clustering
Putting it all together: The cryptosystem
Encryption and decryption
He said, she said: The concept of non-repudiation
A disposable cipher: The one-time pad
Plaintext and ciphertext
Work factor: Force x effort = work!
Cryptography Alternatives
Steganography: A picture is worth a thousand (hidden) words
Digital watermarking: The (ouch) low watermark
Not Quite the Metric System: Symmetric and Asymmetric Key Systems
Symmetric key cryptography
Asymmetric key cryptography
Message Authentication
Digital signatures
Message digests
Public Key Infrastructure (PKI)
Key Management Functions
Key generation
Key distribution
Key installation
Key storage
Key change
Key control
Key disposal
Key Escrow and Key Recovery
E-Mail Security Applications
Secure Multipurpose Internet Mail Extensions (S/MIME)
MIME Object Security Services (MOSS)
Privacy Enhanced Mail (PEM)
Pretty Good Privacy (PGP)
Internet Security Applications
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Secure Hypertext Transfer Protocol (S-HTTP)
IPSec
Multi-Protocol Label Switching (MPLS)
Secure Shell (SSH-2)
Wireless Transport Layer Security (WTLS)
Methods of Attack
The Birthday Attack
Ciphertext Only Attack (COA)
Chosen Text Attack (CTA)
Known Plaintext Attack (KPA)
Man-in-the-Middle
Meet-in-the-Middle
Replay Attack
Additional References
Security Architecture and Design
Computer Architecture
Hardware
Firmware
Software
Security Architecture
Trusted Computing Base (TCB)
Open and closed systems
Protection rings
Security modes
Recovery procedures
Issues in security architectures
Access Control Models
Bell-LaPadula
Access Matrix
Take-Grant
Biba
Clark-Wilson
Information Flow
Non-interference
Evaluation Criteria
Trusted Computer System Evaluation Criteria (TCSEC)
Trusted Network Interpretation (TNI)
European Information Technology Security Evaluation Criteria (ITSEC)
Common Criteria
System Certification and Accreditation
DITSCAP
NIACAP
Additional References
Operations Security
Security Operations Concepts
Antivirus and malware management
Making backups of critical information
Need-to-know
Least privilege
Privileged functions
Privacy
Legal requirements
Illegal activities
Record retention
Handling sensitive information
Remote access
Threats and Countermeasures
Errors and Omissions
Fraud
Theft
Employee sabotage
Industrial espionage
Loss of physical and infrastructure support
Hackers and crackers
Malicious code
Inappropriate employee activities
Security Operations Management
Security Controls
Resource protection
Privileged entity controls
Change controls
Media controls
Administrative controls
Trusted recovery
Security Auditing and Due Care
Audit Trails
Anatomy of an audit record
Types of audit trails
Finding trouble in them thar logs
Problem management and audit trails
Retaining audit logs
Protection of audit logs
Monitoring
Penetration testing
Intrusion detection and prevention
Violation analysis
Keystroke monitoring
Traffic and trend analysis
Facilities monitoring
Responding to events
Additional References
Business Continuity and Disaster Recovery Planning
Defining Disastrous Events
Natural disasters
Man-made disasters
The Differences between BCP and DRP
Understanding BCP Project Elements
Determining BCP Scope
Defining the Business Impact Assessment
Vulnerability Assessment
Criticality Assessment
Identifying key players
Establishing Maximum Tolerable Downtime
Defining Resource Requirements
BCP Recovery Plan Development
Emergency response
Damage assessment
Personnel safety
Personnel notification
Backups and off-site storage
Software escrow agreements
External communications
Utilities
Logistics and supplies
Fire and water protection
Documentation
Data processing continuity planning
Developing the BCP Plan
Identifying success factors
Simplifying large or complex critical functions
Documenting the strategy
Implementing the Business Continuity Plan
Securing senior management approval
Promoting organizational awareness
Maintaining the plan
Disaster Recovery Planning
Developing a Disaster Recovery Plan
Preparing for emergency response
Notifying personnel
Facilitating external communications
Maintaining physical security
Personnel safety
Testing the Disaster Recovery Plan
Additional References
Legal, Regulations, Compliance, and Investigations
Major Categories and Types of Laws
U.S. common law
International law
Major Categories of Computer Crime
Terrorist attacks
Military and intelligence attacks
Financial attacks
Business attacks
Grudge attacks
"Fun" attacks
Types of Laws Relevant to Computer Crimes
Intellectual property
Privacy laws
Computer crime and information security laws
Investigations
Evidence
Conducting investigations
Incident handling (Or response)
Ethics
(ISC)2 Code of Ethics
Internet Architecture Board (IAB) - "Ethics and the Internet" (RFC 1087)
Additional References
Physical (Environmental) Security
Physical Security Threats
Site and Facility Design Considerations
Choosing a secure location
Designing a secure facility
Physical (Environmental) Security Controls
Physical access controls
Technical controls
Environmental and life safety controls
Administrative controls
Bringing It All Together
Additional References
The Part of Tens
Ten Test Preparation Tips
Get a Networking Certification First
Register Now!
Make a 60-Day Study Plan
Get Organized and Read!
Join a Study Group
Take Practice Exams
Take a CISSP Review Seminar
Develop a Test-Taking Strategy
Practice Drawing Circles!
Plan Your Travel
Ten Test Day Tips
Get a Good Night's Rest
Dress Comfortably (And Appropriately)
Eat a Good Breakfast
Arrive Early
Bring Your Registration Letter and ID
Bring Snacks and Drinks
Bring Prescription or Over-the-Counter Medications
Bring Extra Pencils and a Big Eraser
Leave Your Cell Phone, Pager, PDA, and Digital Watch Behind
Take Frequent Breaks
Ten More Sources for Security Certifications
ASIS International
Check Point
Cisco
CompTIA
DRI International
EC-Council
ISACA
(ISC)2
Microsoft
SANS/GIAC
Appendix and Bonus Chapters
About the CD-ROM
System Requirements
Contents
If You Have Problems (Of the CD Kind)
Index