CISSP (Certified Information Systems Security Professional)
Access Control
This domain examines mechanisms and methods used to enable administrators and managers to control what subjects can access, the extent of their capabilities after authorization and authentication, and the auditing and monitoring of these activities. Some of the topics covered include
• Access control threats
• Identification and authentication technologies and techniques
• Access control administration
• Single sign-on technologies
• Attack methods
Telecommunications and Network Security
This domain examines internal, external, public, and private communication systems; networking structures; devices; protocols; and remote access and administration. Some of the topics covered include
• OSI model and layers
• Local area network (LAN), metropolitan area network (MAN), and wide area network (WAN) technologies
• Internet, intranet, and extranet issues
• Virtual private networks (VPNs), firewalls, routers, switches, and repeaters
• Network topologies and cabling
• Attack methods
Information Security Governance and Risk Management
This domain examines the identification of company assets, the proper way to determine the necessary level of protection required, and what type of budget to develop for security implementations, with the goal of reducing threats and monetary loss. Some of the topics covered include
• Data classification
• Policies, procedures, standards, and guidelines
• Risk assessment and management
• Personnel security, training, and awareness
Software Deployment Security
This domain examines secure software development approaches, application security, and software flaws. Some of the topics covered include
• Data warehousing and data mining
• Various development practices and their risks
• Software components and vulnerabilities
• Malicious code
Cryptography
This domain examines cryptography techniques, approaches, and technologies. Some of the topics covered include
• Symmetric versus asymmetric algorithms and uses
• Public key infrastructure (PKI) and hashing functions
• Encryption protocols and implementation
• Attack methods
Security Architecture and Design
This domain examines ways that software should be designed securely. It also covers international security measurement standards and their meaning for different types of platforms. Some of the topics covered include
• Operating states, kernel functions, and memory mapping
• Security models, architectures, and evaluations
• Evaluation criteria: Trusted Computer Security Evaluation Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC), and Common Criteria
• Common flaws in applications and systems
• Certification and accreditation
Security Operations
This domain examines controls over personnel, hardware, systems, and auditing and monitoring techniques. It also covers possible abuse channels and how to recognize and address them. Some of the topics covered include
• Administrative responsibilities pertaining to personnel and job functions
• Maintenance concepts of antivirus, training, auditing, and resource protection activities
• Preventive, detective, corrective, and recovery controls
• Security and fault-tolerance technologies
Business Continuity and Disaster Recovery
This domain examines the preservation of business activities when faced with disruptions or disasters. It involves the identification of real risks, proper risk assessment, and countermeasure implementation. Some of the topics covered include
• Business resource identification and value assignment
• Business impact analysis and prediction of possible losses
• Unit priorities and crisis management
• Plan development, implementation, and maintenance
Legal, Regulations, Investigations and Compliance
This domain examines computer crimes, laws, and regulations. It includes techniques for investigating a crime, gathering evidence, and handling procedures. It also covers how to develop and implement an incident-handling program. Some of the topics covered include
• Types of laws, regulations, and crimes
• Licensing and software piracy
• Export and import laws and issues
• Evidence types and admissibility into court
• Incident handling
• Forensics
Physical (Environmental) Security
This domain examines threats, risks, and countermeasures to protect facilities, hardware, data, media, and personnel. This involves facility selection, authorized entry methods, and environmental and safety procedures. Some of the topics covered include
• Restricted areas, authorization methods, and controls
• Motion detectors, sensors, and alarms
• Intrusion detection
• Fire detection, prevention, and suppression
• Fencing, security guards, and security badge types