CISSP Central

PODCAST · technology


Welcome to CISSP Central, the ultimate podcast for aspiring and certified CISSP professionals! Whether you’re studying for the CISSP 2024 syllabus exam or looking to sharpen your cybersecurity skills, this podcast is your go-to resource. Each episode dives deep into the critical domains of cybersecurity, offering insights, tips, and real-world experiences from industry experts. Join us as we explore the latest trends, challenges, and solutions in information security, helping you stay ahead in a rapidly evolving digital world. From encryption to risk management, compliance to cloud security, CISSP Central covers it all! Perfect for CISSP candidates, InfoSec pros, and anyone passionate about safeguarding information in the modern age. Tune in, learn, and become the cybersecurity expert you were meant to be!

Note: This entire podcast has been prepared based on a published book on Amazon named C(R)ISSP: The Most Concise Handbook for CISSP 2024.

  1. 50

    CISSP Domain8 Section 5

    8.5 Define and apply secure coding guidelines and standards
    8.5.1 Security weaknesses and vulnerabilities at the source-code level
    8.5.2 Security of application programming interfaces (API)
    8.5.3 Secure Coding Practices
    8.5.4 Software-defined security

  2. 49

    CISSP Domain8 Section 3 and 4

    8.3 Assess the effectiveness of software security
    8.3.1 Auditing and logging of changes
    8.3.2 Risk analysis and mitigation
    8.4 Assess security impact of acquired software
    8.4.1 Commercial-off-the-shelf (COTS)
    8.4.2 Open Source
    8.4.3 Third-Party
    8.4.4 Managed Services (e.g., enterprise applications)
    8.4.5 Cloud Services (e.g., SaaS, IaaS, PaaS)

  3. 48

    CISSP Domain8 Section 2

    8.2 Identify & apply security controls in development environments
    8.2.1 Programming languages
    8.2.2 Libraries
    8.2.3 Tool sets
    8.2.4 Integrated Development Environment (IDE)
    8.2.5 Runtime
    8.2.6 Continuous Integration and Continuous Delivery (CI/CD)
    8.2.7 Software Configuration Management (SCM)
    8.2.8 Code Repositories
    8.2.9 Application security testing (e.g., SAST, DAST, IAST & SCA)

  4. 47

    CISSP Domain8 Intro and Section 1

    8.1 Understand and integrate security in the software development lifecycle
    8.1.1 Development Methodologies
    8.1.2 Maturity Models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
    8.1.3 Operations & Maintenance
    8.1.4 Change Management
    8.1.5 Integrated Product Team (IPT)

  5. 46

    CISSP Domain7 Section 13, 14 and 15

    7.13 Participate in Business Continuity (BC) planning and exercises
    7.14 Implement and manage physical security
    7.15 Address personnel safety and security concerns
    7.15.1 Travel
    7.15.2 Security Training & Awareness
    7.15.3 Emergency Management
    7.15.4 Duress

  6. 45

    CISSP Domain7 Section 12

    7.12 Test Disaster Recovery Plans
    7.12.1 Read-through/Checklist
    7.12.2 Walk-through/Tabletop
    7.12.3 Simulation
    7.12.4 Parallel
    7.12.5 Full Interruption
    7.12.6 Communications (e.g., stakeholders, test status, regulators)

  7. 44

    CISSP Domain7 Section 11

    7.11 Implement Disaster Recovery Process
    7.11.1 Response
    7.11.2 Personnel
    7.11.3 Communications
    7.11.4 Assessment
    7.11.5 Restoration
    7.11.6 Training & Awareness
    7.11.7 Lessons Learned

  8. 43

    CISSP Domain7 Section 8, 9 and 10

    7.8 Implement and support patch and vulnerability management
    7.9 Understand and participate in change management processes
    7.10 Implement recovery strategies
    7.10.1 Backup storage strategies
    7.10.2 Recovery site strategies
    7.10.3 Multiple processing sites
    7.10.4 System resilience, high availability (HA), Quality of Service (QoS), and fault tolerance (FT)

  9. 42

    CISSP Domain7 Section 7

    7.7 Operate and maintain detection and preventative measures
    7.7.1 Firewall
    7.7.2 Intrusion detection and prevention systems
    7.7.3 Whitelisting/Blacklisting
    7.7.4 Third-party provided security services
    7.7.5 Sandboxing
    7.7.6 Honeypots / Honeynets
    7.7.7 Anti-malware
    7.7.8 Machine learning and artificial intelligence (AI) based tools

  10. 41

    CISSP Domain7 Section 6

    7.6 Conduct incident management
    7.6.1 Detection
    7.6.2 Response
    7.6.3 Mitigation
    7.6.4 Reporting
    7.6.5 Recovery
    7.6.6 Remediation
    7.6.7 Lessons Learned

  11. 40

    CISSP Domain7 Section 5

    7.5 Apply resource protection techniques
    7.5.1 Media Management
    7.5.2 Hardware and software asset management
    7.5.3 Data at rest/Data in transit

  12. 39

    CISSP Domain7 Section 3 and Section 4

    7.3 Perform Configuration Management (e.g., provisioning, baselining, automation)
    7.4 Apply foundational security operations concepts
    7.4.1 Need to know/Least privilege
    7.4.2 Separation of Duties (SoD) and responsibilities
    7.4.3 Privileged account management
    7.4.4 Job rotation
    7.4.5 Service Level Agreement (SLA)

  13. 38

    CISSP Domain7 Section 2

    7.2 Conduct logging and monitoring activities
    7.2.1 Intrusion detection and prevention systems (IDPS)
    7.2.2 Security Information and Event Management (SIEM)
    7.2.3 Security orchestration, automation, and response (SOAR)
    7.2.4 Continuous Monitoring
    7.2.5 Egress Monitoring
    7.2.6 Log Management
    7.2.7 Threat Intelligence (e.g., threat feeds, threat hunting)
    7.2.8 User and Entity Behavior Analytics (UEBA)

  14. 37

    CISSP Domain7 Intro and Section 1

    7.0 DOMAIN 7: SECURITY OPERATIONS
    7.1 Understand and support investigations
    7.1.1 Evidence Collection and Handling
    7.1.2 Reporting and Documentation
    7.1.3 Investigation Techniques
    7.1.4 Digital forensics tools, tactics, and procedures
    7.1.5 Artifacts (e.g., data, computers, networks, mobile devices)

  15. 36

    CISSP Domain6 Intro and Section 4

    6.4 Analyze test output and generate report
    6.4.1 Remediation
    6.4.2 Exception Handling
    6.4.3 Ethical disclosure
    6.5 Conduct or facilitate security audits
    6.5.1 Internal
    6.5.2 External
    6.5.3 Third Party
    6.5.4 Location

  16. 35

    CISSP Domain6 Intro and Section 3

    6.3 Collect Security Process data
    6.3.1 Account Management
    6.3.2 Management review and approval
    6.3.3 Key Performance and Risk Indicators
    6.3.4 Backup Verification data
    6.3.5 Training and Awareness
    6.3.6 Disaster Recovery (DR) and Business Continuity (BC)

  17. 34

    CISSP Domain6 Section 2

    6.2 Conduct Security Control Testing
    6.2.1 Vulnerability Assessment
    6.2.2 Penetration Testing
    6.2.3 Log Reviews
    6.2.4 Synthetic Transactions
    6.2.5 Code review and testing
    6.2.6 Misuse case testing
    6.2.7 Coverage analysis
    6.2.8 Interface Testing
    6.2.9 Breach attack simulations (BAS)
    6.2.10 Compliance checks

  18. 33

    CISSP Domain6 Intro and Section 1

    6.0 DOMAIN 6: SECURITY ASSESSMENT AND TESTING
    6.1 Design and validate assessment, test, and audit strategies
    6.1.1 Internal
    6.1.2 External
    6.1.3 Third-party
    6.1.4 Location (e.g., on-premises, cloud, hybrid)

  19. 32

    CISSP Domain5 Intro and Section 5

    5.5 Manage the identity and access provisioning lifecycle
    5.5.1 Account access review (e.g., user, system, service)
    5.5.2 Provisioning and deprovisioning (e.g., on/off boarding & transfers)
    5.5.3 Role definition & transition (e.g., people assigned to new roles)
    5.5.4 Privilege escalation (e.g., use of sudo, auditing its use)
    5.5.5 Service Accounts Management
    5.5.6 Implement Authentication Systems

  20. 31

    CISSP Domain5 Intro and Section 4

    5.4 Implement and manage authorization mechanisms

  21. 30

    CISSP Domain5 Intro and Section 3

    5.3 Federated identity with a third-party service
    5.3.1 On-Premises
    5.3.2 Cloud
    5.3.3 Hybrid

  22. 29

    CISSP Domain5 Section 2

    5.2 Design identification and authentication strategy (e.g., people, devices, and services)
    5.2.1 Groups and Roles
    5.2.2 Authentication, Authorization and Accounting (AAA) (e.g., MFA, password-less authentication)
    5.2.3 Session management
    5.2.4 Registration, proofing, and establishment of identity
    5.2.5 Federated Identity Management (FIM)
    5.2.6 Credential Management Systems (e.g., password vault)
    5.2.7 Single Sign-on (SSO)
    5.2.8 Just-in-Time (JIT)

  23. 28

    CISSP Domain5 Intro and Section 1

    5.0 DOMAIN 5: IDENTITY & ACCESS MANAGEMENT (IAM)
    5.1 Control physical and logical access to assets
    5.1.1 Information
    5.1.2 Systems
    5.1.3 Devices
    5.1.4 Facilities
    5.1.5 Applications
    5.1.6 Services

  24. 27

    CISSP Domain4 Section 3

    4.3 Implement secure communication channels according to design
    4.3.1 Voice, video, and collaboration (e.g., conferencing, Zoom rooms)
    4.3.2 Remote access (e.g., network administrative functions)
    4.3.3 Data communications (e.g., backhaul networks, satellite)
    4.3.4 Third-party connectivity (e.g., telecom providers, h/w support)

  25. 26

    CISSP Domain4 Section 2

    4.2 Secure Network Components
    4.2.1 Operation of infrastructure
    4.2.2 Transmission Media
    4.2.3 Network Access Control (NAC) devices
    4.2.4 Endpoint Security (e.g., host-based)

  26. 25

    CISSP Domain4 Intro and Section 1

    4.0 DOMAIN 4: COMMUNICATION AND NETWORK SECURITY
    4.1 Apply secure design principles in network architectures
    4.1.1 Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
    4.1.2 Internet Protocol (IP) version 4 and 6 (IPv6)
    4.1.3 Secure Protocols: IPsec, SSH, SSL/TLS
    4.1.4 Implications of multilayer protocols
    4.1.5 Converged Protocols (iSCSI, VoIP, etc.)
    4.1.6 Transport Architecture (data/control/management plane, etc.)
    4.1.7 Performance Metrics (bandwidth, latency, jitter, etc.)
    4.1.8 Traffic Flows (e.g., north-south, east-west)
    4.1.9 Physical Segmentation (e.g., in-band, out-of-band, air-gapped)
    4.1.10 Logical Segmentation (e.g., VLANs, VPNs, virtual routing, etc.)
    4.1.11 Microsegmentation
    4.1.12 Edge Networks (e.g., ingress/egress, peering)
    4.1.13 Wireless Networks (e.g., Bluetooth, Wi-Fi, Zigbee, satellite)
    4.1.14 Cellular Networks (e.g., 4G, 5G)
    4.1.15 Content Distribution Network (CDN)
    4.1.16 Software Defined Networks (SDN)
    4.1.17 Virtual Private Cloud (VPC)
    4.1.18 Monitoring and Management

  27. 24

    CISSP Domain3 Section 10

    3.10 Manage the information system lifecycle
    3.10.1 Stakeholder needs & requirements
    3.10.2 Requirements Analysis
    3.10.3 Architectural design
    3.10.4 Development / Implementation
    3.10.5 Integration
    3.10.6 Verification & Validation
    3.10.7 Transition / deployment
    3.10.8 Operations and maintenance/sustainment
    3.10.9 Retirement / disposal

  28. 23

    CISSP Domain3 Section 9

    3.9 Design Site and Facility security controls
    3.9.1 Wiring closets/intermediate distribution frame
    3.9.2 Server rooms/data centers
    3.9.3 Media storage facilities
    3.9.4 Evidence storage
    3.9.5 Restricted and work area security
    3.9.6 Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
    3.9.7 Environmental issues (e.g., natural disasters, man-made)
    3.9.8 Fire prevention, detection, and suppression
    3.9.9 Power (e.g., redundant, backup)

  29. 22

    CISSP Domain3 Section 8

    3.8 Apply security principles to site and facility design
    3.8.1 Facility Design
    3.8.2 Implement Site and Facility Security Controls
    3.8.3 Physical Security Threats
    3.8.4 Layered Defense Model

  30. 21

    CISSP Domain3 Section 7

    3.7 Understand methods of cryptanalytic attacks
    3.7.1 Brute-force
    3.7.2 Ciphertext only
    3.7.3 Known Plaintext
    3.7.4 Frequency Analysis
    3.7.5 Chosen Ciphertext
    3.7.6 Implementation Attacks
    3.7.7 Side-channel Attack (SCA)
    3.7.8 Fault injection
    3.7.9 Timing Attacks
    3.7.10 Man-in-the-Middle (MITM)
    3.7.11 Pass the hash
    3.7.12 Kerberos Exploitation
    3.7.13 Ransomware
    3.7.14 Other Key Attacks

  31. 20

    CISSP Domain3 Section 6

    3.6 Select and determine cryptographic solutions
    3.6.1 Cryptographic life cycle
    3.6.2 Cryptographic methods
    3.6.3 Public key infrastructure
    3.6.4 Key Management practices
    3.6.5 Digital Signatures and Digital Certificates

  32. 19

    CISSP Domain3 Section 5

    3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
    3.5.1 Client-based systems
    3.5.2 Server-based systems
    3.5.3 Database systems
    3.5.4 Cryptographic Systems
    3.5.5 Operational Technology / Industrial Control Systems (ICS)
    3.5.6 Cloud-based Systems
    3.5.7 Distributed Systems
    3.5.8 Internet of Things (IoT)
    3.5.9 Microservices
    3.5.10 Containerization
    3.5.11 Serverless Computing
    3.5.12 Embedded systems
    3.5.13 High-Performance Computing systems
    3.5.14 Edge Computing Systems
    3.5.15 Virtualized systems

  33. 18

    CISSP Domain3 Section 4

    3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

  34. 17

    CISSP Domain3 Section 3

    3.3 Select controls based upon systems security requirements

    Here we will go over the steps to take when deciding the security controls to deploy according to the needs of the system. Some of these needs were covered in Domain 1's discussion.

  35. 16

    CISSP Domain3 Section 2

    3.2 Understand the fundamental concepts of security models
    3.2.1 Security Models
    3.2.2 Lattice-based models
    3.2.3 Rule-based models
    3.2.4 Other models & Concepts
    3.2.5 Evaluation Criteria (ITSEC, TCSEC and CC)

  36. 15

    CISSP Domain3 Intro and Section 1

    3.0 DOMAIN 3: SECURITY ARCHITECTURE AND ENGINEERING
    3.1 Research, implement, and manage engineering processes using secure design principles
    3.1.1 Threat Modeling
    3.1.2 Least Privilege
    3.1.3 Defense in depth
    3.1.4 Secure Defaults
    3.1.5 Fail Securely
    3.1.6 Separation of Duties
    3.1.7 Keep it simple and small
    3.1.8 Zero trust or trust but verify
    3.1.9 Privacy by design (PbD)
    3.1.10 Shared Responsibility
    3.1.11 Secure Access Service Edge

  37. 14

    CISSP Domain2 Section 5 and 6

    2.5 Ensure appropriate asset retention
    2.6 Determine data security controls & compliance requirements
    2.6.1 Data States
    2.6.2 Scoping and Tailoring (NIST SP 800-53B)
    2.6.3 Standards Selection
    2.6.4 Data Protection methods

  38. 13

    CISSP Domain2 Section 4

    2.4 Manage Data Lifecycle
    2.4.1 Data Roles
    2.4.2 Data Collection
    2.4.3 Data Location
    2.4.4 Data Maintenance
    2.4.5 Data Retention
    2.4.6 Data Remanence
    2.4.7 Data Destruction

  39. 12

    CISSP Domain2 Section 3

    2.3 Provision information and assets securely
    2.3.1 Information and asset ownership
    2.3.2 Asset inventory
    2.3.3 Asset Management

  40. 11

    CISSP Domain2 Section 2

    2.2 Establish information and asset handling requirements
    2.2.1 Information and Asset Handling
    2.2.2 Handling Requirements
    2.2.3 Media Storage
    2.2.4 Transportation
    2.2.5 Transmission & Transfer
    2.2.6 Media retention and destruction

  41. 10

    CISSP Domain2 Intro and Section 1

    2.0 DOMAIN 2: ASSET SECURITY
    2.1 Identify and classify information and assets
    2.1.1 Data Classification
    2.1.2 Asset Classification
    2.1.3 Other key concepts of Asset Security

  42. 9

    CISSP Domain1 Section 11 and 12

    1.11 Apply supply chain risk management (SCRM) concepts
    1.11.1 Risks associated with the acquisition of products and services from suppliers and providers
    1.11.2 Risk mitigations
    1.12 Establish and maintain a security awareness, education, and training program
    1.12.1 Methods & techniques to increase awareness and training
    1.12.2 Periodic content reviews to include emerging technologies and trends
    1.12.3 Program effectiveness evaluation

  43. 8

    CISSP Domain1 Section 10

    1.10 Understand & apply threat modelling & methodologies
    1.10.1 STRIDE Model
    1.10.2 PASTA Model
    1.10.3 DREAD Model

  44. 7

    CISSP Domain1 Section 9

    1.9 Understand and apply risk management concepts
    1.9.1 Threat and Vulnerability Identification
    1.9.2 Risk Analysis, assessment, and scope
    1.9.3 Risk response and treatment
    1.9.4 Applicable Types of Controls
    1.9.5 Control Assessments
    1.9.6 Continuous monitoring and measurement
    1.9.7 Reporting (e.g., internal, external)
    1.9.8 Continuous improvement (e.g., risk maturity modeling)
    1.9.9 Risk Frameworks

  45. 6

    CISSP Domain1 Section 8

    1.8 Contribute to and enforce personnel security policies and procedures
    1.8.1 Candidate Screening and Hiring
    1.8.2 Employment agreements and policy-driven requirements
    1.8.3 Onboarding, transfers, and termination processes
    1.8.4 Vendor, consultant, and contractor agreements and controls

  46. 5

    CISSP Domain1 Section 5, 6 and 7

    1.5 Understand requirements for investigation types
    1.6 Develop, document, & implement security policy, standards, procedures, & guidelines
    1.6.1 Security Policies
    1.6.2 Standards, Procedures, Baselines, and Guidelines
    1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
    1.7.1 Business Impact Analysis
    1.7.2 External Dependencies

  47. 4

    CISSP Domain1 Section 4

    1.4 Understanding of Info Security legal and regulatory problems
    1.4.1 Cybercrimes and data breaches
    1.4.2 Licensing and intellectual property requirements
    1.4.3 Import/export controls
    1.4.4 Transborder data flow
    1.4.5 Issues Related to Privacy
    1.4.6 Contractual, Legal, Industry Standards, & Regulatory Requirements

  48. 3

    CISSP Domain1 Section 3

    1.3 Evaluate, apply, and sustain security governance principles
    1.3.1 Alignment of the security function to business strategy
    1.3.2 Organizational processes (e.g., acquisitions, divestitures, etc.)
    1.3.3 Organizational roles and responsibilities
    1.3.4 Security Control Frameworks
    1.3.5 Due Care and Due Diligence

  49. 2

    CISSP Domain1 Section 1 and Section 2

    1.1 Understand, adhere to, and promote professional ethics
    1.1.1 (ISC)2 Code of Professional Ethics
    1.1.2 Organizational code of ethics
    1.2 Understand and apply security concepts
    1.2.1 Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation

  50. 1

    Introduction to CISSP 2024

    This is just an introduction episode of CISSP Central podcast, and this entire podcast series is based on a published book named C(R)ISSP: The most concise handbook for CISSP 2024, written by myself, which can be purchased directly from Amazon.


HOSTED BY

Krishnakumar Mahadevan
