CISSP – Certified Information Systems Security Professional

by Elite Training


£1895


Duration

5 Days

Course Details

With today's complex and diverse enterprise networks, maintaining security is one of the greatest challenges organisations face. It is difficult to properly configure systems and networks for maximum security.

Any weakness in the defence is enough to render the organisation vulnerable. The skill set required of the security team is very wide. In an effort to define the knowledge base required for enterprise security, (ISC)² have defined the Common Body of Knowledge (CBK), which consists of ten test domains.

The Certified Information Systems Security Professional CISSP® exam is built from a pool of multiple-choice questions drawn from the CBK.

 

Prerequisites:

The (ISC)² CISSP exam requires that candidates have work experience (4 years with a degree or 5 years without a degree) in two or more of the ten test domains of the information systems (IS) security Common Body of Knowledge (CBK). Note that candidates without the required work experience can still sit the exam and become an associate CISSP.

 

Course Content

Security Management Practices

  • Identification of information assets

  • Policies, standards, procedures

  • Confidentiality, integrity, and availability

  • Data classification

  • Risk management, risk assessment, and risk analysis

  • Countermeasure evaluation

  • Security roles

  • Security awareness training

  • Personnel policy

Security Architecture & Models

  • Computer architectures

  • Security models

  • Trusted Computer Base

  • ITSEC

  • TCSEC

  • Common Criteria

  • OS security components

  • IETF IPSEC

  • Certification and Accreditation

  • Security issues associated with system architectures

Access Control Systems & Methodology

  • Access Control techniques

  • Access Control Administration

  • Access Control Models

  • Identification and Authentication Techniques

  • Single Sign-On (SSO)

  • Access Control Methodologies and Implementation

  • File and Data Ownership and Custodianship

  • Methods of Attack

  • Monitoring

  • Penetration Testing 

Applications & Systems Development

  • Systems development management

  • Change Control

  • Certification

  • Accreditation

  • Security Control Architecture

  • Malicious Code

  • Virus writers, hackers, crackers, and phreaks

  • Virus protection, types of computer viruses

  • Mobile code security issues

Cryptography

  • Cryptographic basics

  • Comparison of cryptographic algorithms

  • Key management

  • Key Distribution Methods

  • Kerberos

  • ISAKMP

  • Public Key Algorithms

  • Public Key Infrastructure (PKI)

  • Certificate Authorities

  • Smart cards and tokens

  • Methods of Attack

Telecommunications & Network Security

  • ISO/OSI Layers and Characteristics

  • Remote Access Dial-In User System/Terminal Access Control

  • RADIUS/TACACS

  • Internet/Intranet/Extranet

  • Secure communication protocols

  • Virtual Private Network (VPN)

  • Network Address Translation

  • E-mail security

  • Facsimile security

  • Secure Voice Communications

  • Security boundaries and how to translate security policy to controls

  • Network Attacks and Countermeasures

Operations Security

  • Administrative Management

  • Separation of Duties and Responsibilities

  • Backup of Critical information

  • Standards of Due Care/Due Diligence

  • Record retention

  • Control Types

  • Operations Controls

  • Resource Protection

  • Auditing

  • Reporting mechanisms

  • Monitoring tools and techniques

  • Failure recognition and response

  • Intrusion detection

  • Penetration testing techniques

  • Inappropriate activities

  • Internal threats and Countermeasures

  • Violations, Breaches, and Reporting

Physical Security

  • Physical site security controls

  • Electronic site access controls

  • Environment/Life Safety

  • Physical security threats and countermeasures

  • Fire (sensors, sprinklers, flooding systems, extinguishers)

  • Water (leakage and flooding)

  • Electrical (UPS and generators)

  • Environmental

Business Continuity & Disaster Recovery Planning

  • Business Continuity Planning

  • Cold/Warm/Hot/Mobile Sites

  • Recovery processes

  • Disaster Recovery Planning

  • Recovery Plan Development

  • Emergency Response

  • Reconstruction from Backups

  • Crisis Management

  • BCP/DRP Events

Law, Investigation & Ethics

  • Legal categories

  • Criminal Law

  • Civil Law

  • Administrative Law

  • Investigations

  • Rules of Evidence

  • Collection and preservation of evidence

  • Investigation Processes and Techniques

  • Major categories of computer crime

  • Incident Handling

  • Ethics

  • (ISC)² Code of Ethics

  • Glasgow Branch

    1 Blythswood Square, Glasgow

  • Liverpool Branch

    Liverpool Science Park Innovation Centre, 131 Mount Pleasant, Liverpool
