API tools faq
paste
opexxx

CISM_CISA_CISSP

opexxx
Jan 13th, 2022 (edited)
111
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 39.71 KB | None | 0 0
raw download clone embed print report
  1. Domain 1 — Information System Auditing Process
  2. • How can we Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization?
  3. • How can we Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy?
  4. • How can we Communicate audit progress, findings, results and recommendations to stakeholders?
  5. • How can we Conduct audit follow-up to evaluate whether risk has been sufficiently addressed?
  6. • How can we Evaluate IT management and monitoring of controls?
  7. • How can we Utilize data analytics tools to streamline audit processes?
  8. • How can we Provide consulting services and guidance to the organization in order to improve the
  9. quality and control of information systems?
  10. • How can we Identify opportunities for process improvement in the organization’s IT policies and
  11. practices?
  12.  
  13. Domain 2 – Governance & Management of IT
  14. • How can we Evaluate the IT strategy for alignment with the organization’s strategies and objectives?
  15. • How can we Evaluate the effectiveness of IT governance structure and IT organizational structure?
  16. • How can we Evaluate the organization’s management of IT policies and practices?
  17. • How can we Evaluate the organization’s IT policies and practices for compliance with regulatory
  18. and legal requirements?
  19. • How can we Evaluate IT resource and portfolio management for alignment with the organization’s
  20. strategies and objectives?
  21. • How can we Evaluate the organization’s risk management policies and practices?
  22. • How can we Evaluate IT management and monitoring of controls?
  23. • How can we Evaluate the monitoring and reporting of IT key performance indicators (KPIs)?
  24. • How can we Evaluate whether IT supplier selection and contract management processes align
  25. with business requirements?
  26. • How can we Evaluate whether IT service management practices align with business requirements?
  27. • How can we Conduct periodic review of information systems and enterprise architecture?
  28. • How can we Evaluate data governance policies and practices?
  29. • How can we Evaluate the information security program to determine its effectiveness and
  30. alignment with the organization’s strategies and objectives?
  31. • How can we Evaluate potential opportunities and threats associated with emerging technologies,
  32. regulations, and industry practices?
  33.  
  34. Domain 3 – Information Systems Acquisition, Development, & Implementation
  35. • How can we Evaluate whether the business case for proposed changes to information systems meet business objectives?
  36. • How can we Evaluate the organization’s project management policies and practices?
  37. • How can we Evaluate controls at all stages of the information systems development life cycle?
  38. • How can we Evaluate the readiness of information systems for implementation and migration into
  39. production?
  40. • How can we Conduct post-implementation review of systems to determine whether project
  41. deliverables, controls and requirements are met?
  42. • How can we Evaluate change, configuration, release, and patch management policies and practices?
  43. Domain 4 – Information Systems Operations and Business Resilience
  44. • How can we Evaluate the organization’s ability to continue business operations?
  45. • How can we Evaluate whether IT service management practices align with business requirements?
  46. • How can we Conduct periodic review of information systems and enterprise architecture?
  47. • How can we Evaluate IT operations to determine whether they are controlled effectively and
  48. continue to support the organization’s objectives?
  49. • How can we Evaluate IT maintenance practices to determine whether they are controlled
  50. effectively and continue to support the organization’s objectives?
  51. • How can we Evaluate database management practices?
  52. • How can we Evaluate data governance policies and practices?
  53. • How can we Evaluate problem and incident management policies and practices?
  54. • How can we Evaluate change, configuration, release, and patch management policies and
  55. practices?
  56. • How can we Evaluate end-user computing to determine whether the processes are effectively
  57. controlled?
  58.  
  59. Domain 5 – Protection of Information Assets
  60. • How can we Conduct audit in accordance with IS audit standards and a risk-based IS audit strategy?
  61. • How can we Evaluate problem and incident management policies and practices?
  62. • How can we Evaluate the organization’s information security and privacy policies and practices?
  63. • How can we Evaluate physical and environmental controls to determine whether information
  64. assets are adequately safeguarded?
  65. • How can we Evaluate logical security controls to verify the confidentiality, integrity, and
  66. availability of information?
  67. • How can we Evaluate data classification practices for alignment with the organization’s policies
  68. and applicable external requirements?
  69. • How can we Evaluate policies and practices related to asset life cycle management?
  70. • How can we Evaluate the information security program to determine its effectiveness and
  71. alignment with the organization’s strategies and objectives?
  72. • How can we Perform technical security testing to identify potential threats and vulnerabilities?
  73. • How can we Evaluate potential opportunities and threats associated with emerging technologies,
  74. regulations, and industry practices?
  75.  
  76.  
  77.  
  78.  
  79. Domain 1 – Information Security Governance
  80. • Could you please Explain the need for and the desired outcomes of an effective information security strategy?
  81. • Could you please Create an information security strategy aligned with organizational goals and objectives?
  82. • How can you Gain stakeholder support using business cases?
  83. • How can you Identify key roles and responsibilities needed to execute an action plan?
  84. • How can you Establish metrics to measure and monitor the performance of security governance?
  85.  
  86. Domain 2 – Information Risk Management
  87. • Could you please Explain the importance of risk management as a tool to meet business needs and develop a security management program to support these needs?
  88. • How can you Identify, rank, and respond to a risk in a way that is appropriate as defined by organizational directives?
  89. • How can you Assess the appropriateness and effectiveness of information security controls?
  90. • How can you Report information security risk effectively?
  91.  
  92. Domain 3- Information Security Program Development and Management
  93. • How effectively you Align information security program requirements with those of other business function?
  94. • How do you Manage the information security program resources?
  95. • How do you Design and implement information security controls ?
  96. • How do you Incorporate information security requirements into contracts, agreements and third-
  97. party management processes?
  98.  
  99. Domain 4 – Information Security Incident Management
  100. • Could you please confirm concepts and practices of Incident Management?
  101. • How do you Identify the components of an Incident Response Plan and evaluate its effectiveness?
  102. • How do you make the key concepts of Business Continuity Planning, or BCP and Disaster Recovery
  103. Planning, or DRP?
  104. • Please confirm techniques commonly used to test incident response capabilities?
  105.  
  106.  
  107.  
  108.  
  109. Domain 1 — Risk Management
  110. • How do you Collect and review environmental risk data?
  111. • How do you Identify potential vulnerabilities to people, processes and assets?
  112. • How do you Develop IT scenarios based on information and potential impact to the organization
  113. • Identify key stakeholders for risk scenarios?
  114. • How do you Establish risk register?
  115. • How do you Gain senior leadership and stakeholder approval of the risk plan?
  116. • How do you Collaborate to create a risk awareness program and conduct training?
  117.  
  118. Domain 2 – IT Risk Assessment
  119. • How do you Analyze risk scenarios to determine likelihood and impact?
  120. • How do you Identify current state of risk controls and their effectiveness ?
  121. • How do you Determine gaps between the current state of risk controls and the desired state ?
  122. • How to Ensure risk ownership is assigned at the appropriate level ?
  123. • How do you Communicate risk assessment data to senior management and appropriate
  124. stakeholders ?
  125. • How do you Update the risk register with risk assessment data ?
  126.  
  127. Domain 3 – Risk Response and Mitigation
  128. • How do you Align risk responses with business objectives?
  129. • How to Develop consult with and assist risk owners with development risk action plans?
  130. • How to Ensure risk mitigation controls are managed to acceptable levels?
  131. • How to Ensure control ownership is appropriately assigned to establish accountability?
  132. • How to Develop and document control procedures for effective control?
  133. • How do you Update the risk register?
  134. • How do you Validate that risk responses are executed according to risk action plans?
  135.  
  136. Domain 4 – Risk and Control Monitoring and Reporting
  137. • How do you do Risk and control monitoring and reporting?
  138. • Define key risk indicators (KRIs) and identify key performance indicators (KPIs) to enable
  139. performance measurement key risk indicators (KRIs) and key performance indicators (KPIs)?
  140. • How do you Determine the effectiveness of control assessments?
  141. • How do you Identify and report trends/changes to KRIs/KPIs that affect control performance or
  142. the risk profile ?
  143. • Securing Unstructured Data - What You Don't Know Can & Will Hurt You
  144. • Auditing Big Data Systems
  145. • Data Sharing Risks and Controls
  146. • Protect Your Data Against Insider Threats
  147. • Assessing Data Governance at Nationwide
  148. • Physical Data Security
  149. • Agile, DevOps & Compliance
  150. • Why Companies Fail PCI DSS Assessments and What to Do About It
  151. • Blockchain & Cryptocurrency Emerging Regulations in the USA
  152. • The New Privacy: GDPR, California Consumer Privacy Act, and the Future of Data Regulation (panel discussion)
  153. • Incorporating Security Practices into Business Practices
  154. • What Senior Executives (And Others) Want to See in Security KPIs
  155. • How to Operationalize Cybersecurity: Turning Policy into Action
  156. • Preparing for the Security Audit: Is Your ERP Ready?
  157. • Review & Secure an Email Server
  158. • Safeguarding Web Applications: A Different Perspective
  159. • Using Network Forensic Techniques to Detect Threats
  160. • Identifying Critical Flaws in Hardened Active Directory Environments
  161. • An Auditor’s Guide to Incident Response Plans
  162. • How Secure Are Your Vendors? Third Party Risk Management in Information Security
  163. • Secure Cloud Solutions
  164. • How to Ensure Vendor Compliance & the Mitigation of Third-Party Risks
  165. • Cloud Insecurity: The Need for Stronger Identity Management
  166. • SOC Reports: Reducing the Risk of Service Providers
  167. • AWS for Auditors
  168.  
  169. CPE on Demand: Data Security
  170. Your bundle includes the following sessions:
  171. • Securing Unstructured Data - What You Don't Know Can & Will Hurt You
  172. • Auditing Big Data Systems
  173. • Data Sharing Risks and Controls
  174. • Protect Your Data Against Insider Threats
  175. • Assessing Data Governance at Nationwide
  176. • Physical Data Security
  177.  
  178. CPE on Demand: Emerging GRC Challenges
  179. Your bundle includes the following sessions:
  180. • Agile, DevOps & Compliance
  181. • Why Companies Fail PCI DSS Assessments and What to Do About It
  182. • Blockchain & Cryptocurrency Emerging Regulations in the USA
  183. • The New Privacy: GDPR, California Consumer Privacy Act, and the Future of Data Regulation (panel
  184. discussion)
  185.  
  186. CPE on Demand: Security Practices for Business
  187. Your bundle includes the following sessions:
  188. • Incorporating Security Practices into Business Practices
  189. • What Senior Executives (And Others) Want to See in Security KPIs
  190. • How to Operationalize Cybersecurity: Turning Policy into Action
  191. • Preparing for the Security Audit: Is Your ERP Ready?
  192.  
  193. CPE on Demand: Technical Security Insights
  194. Your bundle includes the following sessions:
  195. • Review & Secure an Email Server
  196. • Safeguarding Web Applications: A Different Perspective
  197. • Using Network Forensic Techniques to Detect Threats
  198. • Identifying Critical Flaws in Hardened Active Directory Environments
  199. • An Auditor’s Guide to Incident Response Plans
  200.  
  201. CPE on Demand: Third-Party Services
  202. Your bundle includes the following sessions:
  203. • How Secure Are Your Vendors? Third Party Risk Management in Information Security
  204. • Secure Cloud Solutions
  205. • How to Ensure Vendor Compliance & the Mitigation of Third-Party Risks
  206. • Cloud Insecurity: The Need for Stronger Identity Management
  207. • SOC Reports: Reducing the Risk of Service Providers
  208. • AWS for Auditors
  209.  
  210. 1 Domain 01—Security and Risk Management
  211. • 2 Objectives
  212. • 3 Importance of Information Security and Risk Management
  213. • 4 Role and Importance of CIA in ISM
  214. • 5 Confidentiality
  215. • 6 Integrity
  216. • 7 Availability
  217. • 8 Information Security
  218. • 9 Information Security Management
  219. • 10 Information Security Governance
  220. • 11 IT Security and Organizational Goals, Mission, and Objectives
  221. • 12 Goals, Mission, and Objectives
  222. • 13 Aligning Security with Goals, Mission, and Objectives
  223. • 14 Business Scenario
  224. • 15 Organizational Processes
  225. • 16 Auditing
  226. • 17 Control Framework
  227. • 18 Due Care
  228. • 19 Due Diligence
  229. • 20 Security Controls
  230. • 21 Service Level Agreements
  231. • 22 Managing Third - Party Governance
  232. • 23 Offshoring Privacy Requirements and Compliance
  233. • 24 Business Scenario
  234. • 25 Layers of Responsibility
  235. • 26 Security Policies
  236. • 27 Types of Security Policies
  237. • 28 Security Policy Implementation
  238. • 29 Policy Chart
  239. • 30 Standards, Guidelines, Procedures, and Baselines
  240. • 31 Business Scenario
  241. • 32 Compliance—Need for Compliance
  242. • 33 Regulatory Compliance
  243. • 34 Compliance
  244. • 35 Compliance (contd.)
  245. • 36 Compliance (contd.)
  246. • 37 Standards/Manuals/Guidelines for Compliance
  247. • 38 Computer Crimes
  248. • 39 Introduction to Computer Crimes
  249. • 40 Categories of Computer Crimes
  250. • 41 Business Scenarios
  251. • 42 Major Legal Systems
  252. • 43 Common Law and Civil Law
  253. • 44 Customary Law and Religious Law0
  254. • 45 Mixed Law
  255. • 46 Business Scenario
  256. • 47 Introduction to Intellectual Property (IP) Law
  257. • 48 Types of Intellectual Property (IP) Law
  258. • 49 Types of Intellectual Property (IP) Law (contd.)
  259. • 50 Types of Intellectual Property (IP) Law (contd.)
  260. • 51 Business Scenario
  261. • 52 Import or Export Controls and Trans - Border Data Flow
  262. • 53 Introduction to Privacy
  263. • 54 U.S. Privacy Laws
  264. • 55 U.S. Privacy Laws (contd.)
  265. • 56 U.S. Guidelines for Managing Privacy
  266. • 57 EU Council Directive (Law) on Data Protection
  267. • 58 The U.S.-European Union Safe Harbor
  268. • 59 Security Definitions
  269. • 60 Information Risk Management
  270. • 61 Business Scenario
  271. • 62 Introduction to Risk Analysis
  272. • 63 Goals of Risk Analysis
  273. • 64 Risk Analysis Team
  274. • 65 Steps for Risk Analysis
  275. • 66 Information and Assets Valuation
  276. • 67 Risk Analysis Types
  277. • 68 Quantitative Risk Analysis—Steps
  278. • 69 Quantitative Risk Analysis—Problem
  279. • 70 Qualitative Risk Analysis
  280. • 71 Delphi Technique
  281. • 72 Quantitative vs.Qualitative
  282. • 73 Hybrid Analysis
  283. • 74 Countermeasure Selection—Problem
  284. • 75 Countermeasure Selection—Other Factors
  285. • 76 Handling Risk
  286. • 77 Business Scenario
  287. • 78 Threat Modeling
  288. • 79 Need for Business Continuity Planning
  289. • 80 Basic Concepts—Disruptive Events
  290. • 81 Basic Concepts—Business Continuity Planning
  291. • 82 Importance of Business Continuity Planning
  292. • 83 Business Continuity Planning Phases
  293. • 84 BCP/DRP Phase 1—Project Initiation and Scoping
  294. • 85 BCP/DRP Phase 2—Business Impact Analysis (BIA)
  295. • 86 BIA—Goals
  296. • 87 BIA—Steps
  297. • 88 BIA Steps—Business Unit Level
  298. • 89 Maximum Tolerable Downtime (MTD)
  299. • 90 Failure and Recovery Metrics
  300. • 91 Failure and Recovery Metrics (contd.)
  301. • 92 Stages of Failure and Recovery
  302. • 93 BCP/DRP Phase 3—Identify Preventive Controls
  303. • 94 Importance of Managing Personnel Security
  304. • 95 Managing Personnel Security—Hiring Practices
  305. • 96 Managing Personnel Security—Employee Termination
  306. • 97 Vendor, Contractors, and Consultant Controls
  307. • 98 Best Work Practices
  308. • 99 Business Scenario
  309. • 100 Importance of Security Awareness Training
  310. • 101 Security Awareness Training: Awareness, Training, and Education
  311. • 102 Implementation of Security Awareness Training Program
  312. • 103 Importance of Content Updates
  313. • 104 Importance of Managing Security Function
  314. • 105 Best Practices—Budget and Establish Security Metrics
  315. • 106 Best Practices—Resources and Develop and Implement Strategies
  316. • 107 Best Practices—Completeness and Effectiveness of the Program
  317. • 108 Business Scenario
  318. • 109 (ISC)2 Code of Ethics
  319. • 110 Quiz
  320. • 111 Summary
  321. • 112 Conclusion
  322.  
  323.  
  324. • 1 Domain 02 Asset Security
  325. • 2 Objectives
  326. • 3 Importance of Asset Security
  327. • 4 Need for Information Classification
  328. • 5 Information Classification Objectives
  329. • 6 Government or Military Sector Classification
  330. • 7 Commercial or Private Sector Classification
  331. • 8 Information Classification Criteria
  332. • 9 Data Classification Considerations
  333. • 10 Role Responsible for Data Classification
  334. • 11 Business Scenario
  335. • 12 Data Management
  336. • 13 Best Practices for Data Management
  337. • 14 Data Policy
  338. • 15 Data Ownership
  339. • 16 Data Ownership Best Practices
  340. • 17 Data Custodians
  341. • 18 Data Custodians (contd.)
  342. • 19 Data Quality
  343. • 20 Data Quality—Aspects
  344. • 21 Data Quality Assurance and Quality Control
  345. • 22 Data Documentation
  346. • 23 Data Documentation Practices
  347. • 24 Data Standards
  348. • 25 Data Control Lifecycle
  349. • 26 Data Specification and Modeling
  350. • 27 Database Maintenance
  351. • 28 Data Audit
  352. • 29 Data Storage and Archiving
  353. • 30 Data Security
  354. • 31 Data Access, Sharing, and Dissemination
  355. • 32 Data Publishing
  356. • 33 Data Handling Requirements
  357. • 34 Media Resource Protection
  358. • 35 Data Remanence
  359. • 36 Business Scenario
  360. • 37 Asset Management
  361. • 38 Software Licensing
  362. • 39 Equipment Lifecycle
  363. • 40 Protecting Privacy
  364. • 41 Ensuring Appropriate Retention
  365. • 42 Data Security Controls
  366. • 43 Data in Transit—Best Practices
  367. • 44 Scoping and Tailoring
  368. • 45 Scoping and Tailoring (contd.)
  369. • 46 Standards Selection—US DoD
  370. • 47 Standards Selection—International Standards
  371. • 48 Standards Selection National Cyber Security Framework Manual
  372. • 49 Standards Selection Center for Strategic and International Studies
  373. • 50 Standards Selection Critical Security Controls
  374. • 51 Standards Selection Security Content Automation Protocol0
  375. • 52 Framework for Improving Critical Infrastructure Cybersecurity
  376. • 53 Business Scenario
  377.  
  378. 1 Domain 03 Security Engineering
  379. • 2 Objectives
  380. • 3 Security Architecture and Design - Case Study
  381. • 4 Security Engineering
  382. • 5 Architecture Framework
  383. • 6 Zachman Framework
  384. • 7 TOGAF
  385. • 8 ITIL
  386. • 9 Creating a Security Architecture
  387. • 10 Enterprise Security Architecture
  388. • 11 Common Security Services in ESA
  389. • 12 SABSA Framework
  390. • 13 SABSA Matrix
  391. • 14 Business Scenario
  392. • 15 ISO/IEC 27001:2013 Security Standards
  393. • 16 ISO/IEC 27002 Code of Practice for Information Security Management • 17 Security Models
  394. • 18 State Machine Model
  395. • 19 Multilevel Security Models
  396. • 20 Matrix-Based Model
  397. • 21 Non-Interference Model
  398. • 22 Information flow model
  399. • 23 Examples of Security Models: Bell–LaPadula Confidentiality Model
  400. • 24 Examples of Security Models: Biba Integrity Model
  401. • 25 Examples of Security Models: Clark–Wilson integrity model
  402. • 26 Brewer Nash, Graham Denning, and Harrison Ruzzo Ullman models
  403. • 27 Business Scenario
  404. • 28 Evaluation Criteria
  405. • 29 CSEC
  406. • 30 Information Technology Security Evaluation Criteria0
  407. • 31 Common Criteria
  408. • 32 Common Criteria Evaluation Process
  409. • 33 Common Criteria Levels
  410. • 34 Payment Card Industry Data Security Standard
  411. • 35 Certification and Accreditation
  412. • 36 Certification and Accreditation Standards
  413. • 37 SEI—CMMI0
  414. • 38 SEI—CMMI Levels
  415. • 39 Business Scenario
  416. • 40 System Security Architecture
  417. • 41 Mainframes and Other Thin Client Systems
  418. • 42 Middleware and Embedded Systems
  419. • 43 Pervasive Computing and Mobile Computing Devices
  420. • 44 System Components Processors
  421. • 45 System Components Memory
  422. • 46 System Components Storage
  423. • 47 System Components Trusted Computing Base (TCB)
  424. • 48 System Components Reference Monitor
  425. • 49 System Components—Trusted Platform Module (TPM)
  426. • 50 System Components Peripherals and Other Input/Output Devices
  427. • 51 System Components Operating System
  428. • 52 System Components Ring Model
  429. • 53 System Components System Kernel
  430. • 54 Distributed Systems
  431. • 55 Virtualization
  432. • 56 Hypervisor
  433. • 57 Cloud Computing
  434. • 58 Service models
  435. • 59 Grid Computing
  436. • 60 Peer to Peer Networking (P2P)
  437. • 61 Business Scenario
  438. • 62 Security Threats and Countermeasures
  439. • 63 Assessing and
  440. • 64 Assessing and
  441. • 65 Assessing and
  442. • 66 Best Practices
  443. • 67 Best Practices
  444. • 68 Best Practices
  445. • 69 Best Practices
  446. • 70 Best Practices
  447. • 71 Best Practices
  448. • 72 Best Practices
  449. • 73 Introduction to Cryptography
  450. • 74 Cryptographic Lifecycle
  451. • 75 Algorithm or Protocol Governance
  452. • 76 Cryptography Terms
  453. • 77 Strength of a Cryptosystem
  454. • 78 Cryptography Methods Substitution Cipher
  455. • 79 Cryptography Methods Transposition Cipher
  456. • 80 Cryptography Methods Book or Running Key Cipher
  457. • 81 Cryptography Methods Concealment Cipher
  458. • 82 Cryptography Methods Steganography and DRM
  459. • 83 Business Scenario
  460. • 84 Introduction to Symmetric Cryptography
  461. • 85 Symmetric Key Ciphers
  462. • 86 Block Cipher
  463. • 87 Stream Cipher
  464. • 88 Block Cipher Designs
  465. • 89 Data Encryption Standard (DES)
  466. • 90 DES Algorithm0
  467. • 91 DES Operation Modes Electronic Code Book
  468. • 92 DES Operation Modes Cipher Block Chainins
  469. • 93 DES Operation Modes Cipher Feed Back
  470. • 94 DES Operation Modes Output Feed Back
  471. • 95 DES Operation Modes—Counter
  472. • 96 Triple DES0
  473. • 97 Advanced Encryption Standard (AES)0
  474. • 98 AES Algorithm
  475. • 99 AES Algorithm Key Expansion and Initial Round
  476. • 100 Advanced Encryption Standard (AES) Algorithm—Rounds
  477. • 101 AES Algorithm Final Round
  478. • 102 Other Symmetric Systems
  479. • 103 Other Symmetric Systems (contd.)
  480. • 104 Business Scenario
  481. • 105 Introduction to Asymmetric Cryptography
  482. • 106 Introduction to Asymmetric Cryptography Diagram
  483. • 107 Introduction to RSA Algorithm
  484. • 108 RSA Algorithm Process
  485. • 109 Other Types of Asymmetric Cryptography Elliptic Curve Cryptosystems
  486. • 110 Other Types of Asymmetric Cryptography Diffie-Hellman Key Exchange
  487. • 111 Public Key Cryptography
  488. • 112 Symmetric vs. Asymmetric Cryptography
  489. • 113 Advantages and Disadvantages
  490. • 114 Introduction to Public Key Infrastructure
  491. • 115 PKI Certification0
  492. • 116 PKI Certification (contd.)
  493. • 117 PKI Steps—Part 1
  494. • 118 PKI Steps—Part 2
  495. • 119 One-Way Hash
  496. • 120 Hashing Algorithms
  497. • 121 Hashing Algorithms (contd.)
  498. • 122 Salting
  499. • 123 Message Authentication Code (MAC)
  500. • 124 Digital Signatures
  501. • 125 Key Management
  502. • 126 Key Management Principles
  503. • 127 Escrowed Encryption
  504. • 128 Business Scenario
  505. • 129 Need for Physical and Environmental Security0
  506. • 130 Business Scenario
  507. • 131 Site and Facility Design Criteria
  508. • 132 Information Protection Environment
  509. • 133 Crime Prevention Through Environmental Design (CPTED)
  510. • 134 Site Location
  511. • 135 Construction
  512. • 136 Support Facilities
  513. • 137 Business Scenario
  514. • 138 Secure Operational Areas
  515. • 139 Business Scenario
  516. • 140 Environmental Controls
  517. • 141 Environmental Controls (Contd.)
  518. • 142 Fire Detection and Suppression
  519. • 143 Power Supply
  520. • 144 Power Supply (contd.)
  521. • 145 HVAC
  522. • 146 Training and Awareness
  523. • 147 Business Scenario
  524.  
  525. 1 Domain 04—Communications and Network Security
  526. • 2 Objectives
  527. • 3 Importance of Communications and Network Security—Case Study
  528. • 4 Introduction to Secure Network Architecture and Design
  529. • 5 Open Systems Interconnection
  530. • 6 OSI Model Layers
  531. • 7 Physical Layer
  532. • 8 Data Link Layer
  533. • 9 Network Layer
  534. • 10 Transport Layer
  535. • 11 Session Layer
  536. • 12 Presentation Layer
  537. • 13 Application Layer
  538. • 14 Transmission Control Protocol/Internet Protocol (TCP/IP) Model
  539. • 15 Network Access Layer and Internet Layer
  540. • 16 Host-to-Host Layer and Application Layer
  541. • 17 Comparison of OSI and TCP/IP Models
  542. • 18 Introduction to IP Addressing
  543. • 19 IPv4 and IPv6
  544. • 20 Classful IP Addressing
  545. • 21 Class A
  546. • 22 Class B
  547. • 23 Class C
  548. • 24 Class D and Class E
  549. • 25 Classless Inter-Domain Routing
  550. • 26 Private Networks and Loopback Address
  551. • 27 Types of IP Addressing
  552. • 28 Routed and Routing Protocols
  553. • 29 Types of Network Protocols
  554. • 30 Transmission Control Protocol (TCP)
  555. • 31 User Datagram Protocol (UDP)
  556. • 32 Internet Protocol
  557. • 33 Address Resolution Protocol
  558. • 34 Internet Control Message Protocol (ICMP)
  559. • 35 Hypertext Transfer Protocol (HTTP)
  560. • 36 Implications of Multi-Layer Protocols
  561. • 37 Distributed Network Protocol
  562. • 38 LAN/Network Technologies
  563. • 39 Transmission Media
  564. • 40 Twisted Pair
  565. • 41 Coaxial Cable Box
  566. • 42 Fiber-Optic Cable Box
  567. • 43 Network Topologies
  568. • 44 Media Access Technologies
  569. • 45 Carrier-Sense Multiple Access with Collision Detection
  570. • 46 Carrier-Sense Multiple Access with Collision Avoidance
  571. • 47 Flavors of LAN transmission methods
  572. • 48 List of Networking Devices
  573. • 49 VLANs
  574. • 50 Gateways
  575. • 51 Network Access Control Devices
  576. • 52 Packet-Filtering and Application-Level
  577. • 53 Circuit-Level and Stateful-Inspection
  578. • 54 Firewall Architectures
  579. • 55 Network Security Terms
  580. • 56 Business Scenario
  581. • 57 Networks
  582. • 58 Types of Networks
  583. • 59 WAN Technologies
  584. • 60 WAN Switching and Devices
  585. • 61 Network Address Translation and Frame Relay
  586. • 62 Multi-Protocol Label Switching and VoIP
  587. • 63 Fiber Channel over Ethernet and Internet Small Computer System Interface
  588. • 64 Virtualized Networks
  589. • 65 Introduction to Remote Access
  590. • 66 VPN using PPTP and L2TP
  591. • 67 Internet Security Protocol (IPsec)
  592. • 68 Internet Security Protocol (IPsec) Modes of Operation
  593. • 69 IPsec Security Protocols—Authentication Header (AH)
  594. • 70 IPsec Security Protocols—Encapsulating Security Payload (ESP)
  595. • 71 Components of the IPsec Process
  596. • 72 Components of the IPsec Process (contd.)
  597. • 73 IPsec Process
  598. • 74 Secure Access Protocols
  599. • 75 Secure Access Protocols (contd.)
  600. • 76 Secure Access Protocols (contd.)
  601. • 77 Remote Access Security Methods
  602. • 78 Multimedia Collaboration
  603. • 79 Wireless Technologies
  604. • 80 IEEE Wireless Standards and Spread-Spectrum Technologies
  605. • 81 Direct Sequence Spread Spectrum and Frequency-Hopping Spread Spectrum
  606. • 82 WLAN Operational Modes
  607. • 83 Bluetooth
  608. • 84 Bluetooth Attack
  609. • 85 Blue Jacking and Blue Snarfing
  610. • 86 Blue Bugging, Backdoor Attacks, and Denial of Service Attacks
  611. • 87 Wireless Security
  612. • 88 Business Scenario
  613. • 89 Network Attacks
  614. • 90 Network Attacks (contd.)
  615. • 91 Network Attacks—Countermeasures
  616.  
  617. Domain 05 - Identity and Access Management
  618. • 1 Domain 05—Identity and Access Management
  619. • 2 Objectives
  620. • 3 Importance of Identity and Access Management in Information Security
  621. • 4 Controlling Physical and Logical Access to Assets
  622. • 5 Controlling Physical and Logical Access to Assets (contd.)
  623. • 6 Access Subject Object and Access control
  624. • 7 Identity and Access Management Policy
  625. • 8 Identification Authentication and Authorization
  626. • 9 Identity Management
  627. • 10 Identity and Access Provisioning Lifecycle
  628. • 11 Identity and Access Provisioning Lifecycle (contd.)
  629. • 12 Guidelines for User Identification
  630. • 13 Verifying Identification Information
  631. • 14 Strong Authentication
  632. • 15 Biometrics—Characteristics
  633. • 16 Types of Biometrics
  634. • 17 FRR FAR CER
  635. • 18 Passwords
  636. • 19 Password Types
  637. • 20 Tokens
  638. • 21 Token Device—Synchronous
  639. • 22 Token Device—Asynchronous
  640. • 23 Memory Cards and Smart Cards
  641. • 24 Attacks on Smart Cards—Fault Generation and Micro-Probing
  642. • 25 Access Criteria
  643. • 26 Authorization Concepts
  644. • 27 Identity Management Implementation
  645. • 28 Password Management
  646. • 29 Directory Management
  647. • 30 Directory Technologies
  648. • 31 Accounts Management
  649. • 32 Profile Management
  650. • 33 Web Access Management
  651. • 34 Single Sign-On (SSO)
  652. • 35 SSO Technologies
  653. • 36 Kerberos
  654. • 37 Kerberos Steps
  655. • 38 Problems with Kerberos
  656. • 39 Business Scenario
  657. • 40 Access Control Types—Security Layer
  658. • 41 Access Control Types—Functionality
  659. • 42 Business Scenaris
  660. • 43 Access Control Models—DAC
  661. • 44 Access Control Models—MAC
  662. • 45 Access Control Models—RBAC
  663. • 46 Business Scenario
  664. • 47 Access Control Concepts
  665. • 48 Types of Access Control Administration
  666. • 49 Remote Authentication Dial-In User Service (RADIUS)
  667. • 50 TACACS and TACACS
  668. • 51 DIAMETER
  669. • 52 Accountability
  670. • 53 Accountability (contd.)
  671. • 54 Session Management
  672. • 55 Registration and Proof of Identity
  673. • 56 Credential Management Systems
  674. • 57 Credential Management Systems—Risks and benefits • 58 Federated Identity Management
  675. • 59 Federated Identity Management Models
  676. • 60 Federated Identity Management Models (contd.)
  677. • 61 Federated Identity Management Models (contd.)
  678. • 62 Identity as a Service
  679. • 63 Identity as a Service—Functionality
  680. • 64 Identity as a Service—Possible Issues
  681. • 65 Integrate Third-Party Identity Services
  682. • 66 Integrate Third-Party Identity Services (contd.)
  683. • 67 Unauthorized Disclosure of Information
  684. • 68 Threats to Access Control
  685. • 69 Protection against Access Control Attacks
  686. • 70 Access Control Best Practices
  687. • 71 Access Control Best Practices (contd.)
  688.  
  689. Domain 06 - Security Assessment and Testing
  690. • 1 Domain 06—Security Assessment and Testing
  691. • 2 Objectives
  692. • 3 Security Assessment and Testing—Introduction
  693. • 4 Assessment and Test Strategies
  694. • 5 Vulnerability Assessment
  695. • 6 Penetration Testing
  696. • 7 Log Management
  697. • 8 Log Management—Advantages and Challenges
  698. • 9 Log Management—Best Practices
  699. • 10 Log Management—Operational Process
  700. • 11 Logged Events
  701. • 12 Synthetic Transactions
  702. • 13 Reasons to Use Synthetic Transactions
  703. • 14 Code Review and Testing
  704. • 15 Testing Techniques
  705. • 16 Security Testing in the SDLC
  706. • 17 Software Product Testing Levels
  707. • 18 Misuse Case Testing
  708. • 19 Misuse Case Testing—Scenarios
  709. • 20 Test Coverage Analysis
  710. • 21 Interface Testing
  711. • 22 API Testing (contd.
  712. • 23 Interface Testing (contd.)
  713. • 24 GUI Testing
  714. • 25 Common Software Vulnerabilities
  715. • 26 Business Scenario
  716. • 27 Information Security Continuous Monitoring
  717. • 28 Information Security Continuous Monitoring—Strategy and Process
  718. • 29 Risk Evaluation and Control—Metrics
  719. • 30 Security Controls Monitoring Frequencies
  720. • 31 ISCM—Benefits
  721. • 32 Key Performance and Risk Indicators
  722. • 33 Internal and Third Party Audits
  723. • 34 Audit Frequency and Scope
  724. • 35 Statement on Auditing Standards No. 700
  725. • 36 Service Organization Controls
  726. • 37 SOC 1 Report
  727. • 38 SOC 2 Report
  728. • 39 SOC 2 Reports (contd.)
  729. • 40 SOC 3 Report
  730. • 41 SOC 1, SOC 2, and SOC 3 Comparison
  731. • 42 Audit Process—Audit Preparation Phase
  732. • 43 Audit Process—Audit Phases
  733. • 44 Business Scnarios
  734.  
  735. Domain 07 - Security Operations
  736. • 1 Domain 07—Security Operations
  737. • 2 Objectives
  738. • 3 Importance of Security Operations—Case Study
  739. • 4 Introduction to Investigations
  740. • 5 Investigation Challenges
  741. • 6 Investigations—Primary Activities
  742. • 7 Crime Scene
  743. • 8 Forensic Investigation Guidelines
  744. • 9 Incident Response Terminologies
  745. • 10 Incident Response Goals
  746. • 11 Incident Response Team
  747. • 12 Incident Response Procedures
  748. • 13 Incident Response Procedures (contd.)
  749. • 14 Incident Response Procedures (contd.)
  750. • 15 Incident Response Procedures (contd.)
  751. • 16 Business Scenario
  752. • 17 Evidence
  753. • 18 Evidence Lifecycle
  754. • 19 Chain of Evidence
  755. • 20 Types of Evidence
  756. • 21 Computer Forensics Procedure
  757. • 22 Requirements for Investigation Types
  758. • 23 Logging and Monitoring Activities
  759. • 24 Intrusion Detection System
  760. • 25 Intrusion Prevention System
  761. • 26 Security Information and Event Management (SIEM)
  762. • 27 Security Information and Event Management (SIEM)—Characteristics
  763. • 28 Continuous Monitoring
  764. • 29 Egress Filtering
  765. • 30 Data Leak or Loss Prevention (DLP)
  766. • 31 Steganography and Digital Watermarking
  767. • 32 Business Scenario
  768. • 33 Secure Provisioning of Resources through Configuration Management
  769. • 34 Secure Provisioning of Resources through Configuration Management (contd.
  770. • 35 Introduction to Security Operations
  771. • 36 Security Operations Concepts
  772. • 37 Security Operations
  773. • 38 Effects of Operations Controls on C.I.A.
  774. • 39 Business Scenario
  775. • 40 Operational Resilience
  776. • 41 Threats to Operations
  777. • 42 Threats to Operations (contd.)
  778. • 43 Vulnerabilities
  779. • 44 Controls
  780. • 45 Business Scenario
  781. • 46 Need for Controlling Privileged Accounts
  782. • 47 Identity and Access Management
  783. • 48 Types of Accounts
  784. • 49 Commonly Used Roles
  785. • 50 Commonly Used Roles (contd.)
  786. • 51 Monitoring Special Privileges
  787. • 52 Service Level Agreements (SLAs)
  788. • 53 Business Scenario
  789. • 54 Protect Valuable Assets
  790. • 55 Protecting Physical Assets
  791. • 56 Protecting Information Assets
  792. • 57 Protecting Resources
  793. • 58 Controls for Protecting Assets—Hardware Controls
  794. • 59 Controls for Protecting Assets—Software Controls
  795. • 60 Controls for Protecting Assets—Media Controls
  796. • 61 Controls for Protecting Assets—Administrative Controls
  797. • 62 Cloud and Virtual Storage
  798. • 63 Cloud and Virtual Storage Security Issues
  799. • 64 Types of Virtualized Storage
  800. • 65 Hard Copy Records
  801. • 66 Business Scenario
  802. • 67 Incident Management
  803. • 68 Security Measurements, Metrics, and Reporting
  804. • 69 Managing Security Technologies
  805. • 70 Incident Management—Detection Phase
  806. • 71 Intrusion Detection System
  807. • 72 Security Information Event Management (SIEM)
  808. • 73 Anti-Malware Systems
  809. • 74 Monitoring Techniques—Violation Analysis
  810. • 75 Incident Management—Other Phases
  811. • 76 Trusted Recovery and System Recovery
  812. • 77 Problem Management
  813. • 78 Operating and Maintaining Preventive Measures
  814. • 79 Patch Management
  815. • 80 Vulnerability Management
  816. • 81 Change Management
  817. • 82 Change Control Process
  818. • 83 Configuration Management
  819. • 84 Configuration Management (contd.)
  820. • 85 Business Scenario
  821. • 86 Develop a Recovery Strategy
  822. • 87 Types of Recovery—Business Recovery and Facility and Supply Recovery • 88 Types of Recovery—User Recovery
  823. • 89 Types of Recovery—Operational Recovery
  824. • 90 Recovery Partners Strategy
  825. • 91 Backup Sites
  826. • 92 Backup Sites (contd.)
  827. • 93 Backup Sites (contd.)
  828. • 94 Backup Methods
  829. • 95 Importance of Maintaining Resilient Systems
  830. • 96 Redundancy and Fault Tolerance
  831. • 97 Redundancy and Fault Tolerance Methods
  832. • 98 Redundancy and Fault Tolerance Methods (contd.)
  833. • 99 Best Practices for Backup and Recovery
  834. • 100 Business Scenario
  835. • 101 Disaster Recovery—Planning Design and Development
  836. • 102 Planning Design and Development—Step 1 and Step 2
  837. • 103 Planning Design and Development—Step 3 and Step 4
  838. • 104 Disaster Recovery Phases—Implementation, Testing, and Training
  839. • 105 Importance of Testing
  840. • 106 Types of Testing
  841. • 107 Types of Testing (contd.)
  842. • 108 Types of Testing (contd.)
  843. • 109 Training
  844. • 110 Disaster Recovery Phases—Maintenance
  845. • 111 Disaster Recovery Phases—Maintenance (contd.) • 112 Business Scenario
  846. • 113 Perimeter Security
  847. • 114 Barriers
  848. • 115 Fences
  849. • 116 Gates
  850. • 117 Walls and Bollards
  851. • 118 Perimeter Intrusion Detection
  852. • 119 Business Scenario
  853. • 120 Importance of Lighting
  854. • 121 Types of Lighting Systems
  855. • 122 Types of Lights
  856. • 123 Access Control
  857. • 124 Types of Access Control Systems
  858. • 125 Business Scenario
  859. • 126 Building and Inside Security
  860. • 127 Personnel Security
  861. • 128 Business Scenario
  862.  
  863. Domain 08 - Software Development Security
  864. • 1 Domain 08 - Software Development Security
  865. • 2 Objectives
  866. • 3 Importance of Software Development Security
  867. • 4 System Environments
  868. • 5 Distributed Environment
  869. • 6 Client/Server Systems and Local Environment
  870. • 7 Distributed Data Processing and Agents
  871. • 8 Applets
  872. • 9 Programming Concepts
  873. • 10 Complier Vs Interpreter
  874. • 11 Programming and Software
  875. • 12 Threats in the Software Environment
  876. • 13 Threats in the Software Environment (contd.)
  877. • 14 Threats in the Software Environment (contd.)
  878. • 15 Threats in the Software Environment (contd.)
  879. • 16 Threats in the Software Environment (contd.)
  880. • 17 Threats in the Software Environment (contd.)
  881. • 18 Business Scenario
  882. • 19 System Life Cycle and Systems Development
  883. • 20 Systems Development Life Cycle
  884. • 21 SDLC—Operation and Maintenance
  885. • 22 Integrated Product Team (IPT)
  886. • 23 DevOps
  887. • 24 Software Testing Methods
  888. • 25 Software Testing Levels
  889. • 26 Application Controls
  890. • 27 Software Development Methods
  891. • 28 Software Development Methods (contd.)
  892. • 29 Software Development Methods (contd.)
  893. • 30 Software Development Methods (contd.)
  894. • 31 Software Development Methods (contd.)
  895. • 32 Java Security
  896. • 33 Secure Software Development Best Practices
  897. • 34 Business Scenario
  898. • 35 Object - Oriented Programming Terms
  899. • 36 Object - Oriented Programming Terms (contd.)
  900. • 37 Object-Oriented Programming—Definition
  901. • 38 Distributed Object-Oriented Systems
  902. • 39 Object Request Brokers
  903. • 40 COM—Component Object Model
  904. • 41 DCOM—Distributed Component Object Model
  905. • 42 CORBA—Common Object Request Broker Architecture
  906. • 43 Software Security and Assurance
  907. • 44 Software Security and Assurance
  908. • 45 Software Security and Assurance
  909. • 46 Software Security and Assurance
  910. • 47 Software Security and Assurance
  911. • 48 Software Security and Assurance
  912. • 49 Software Security and Assurance
  913. • 50 Software Security and Assurance
  914. • 51 Software Security and Assurance
  915. • 52 Software Security and Assurance
  916. • 53 Software Security and Assurance
  917. • 54 Software Security and Assurance
  918. • 55 Software Security and Assurance
  919. • 56 Software Security : XML and Security Assertion Markup Language
  920. • 57 Software Security: SOA
  921. • 58 Audit and Assurance Mechanisms
  922. • 59 Assessing the Effectiveness of Software Security
  923. • 60 Assessing the Effectiveness of Software Security (contd.)
  924. • 61 Assessing the Security Impact of Acquired Software
  925. • 62 Code Repositories and Application Programming Interfaces
  926. • 63 Business Scenario
  927. • 64 Database and Data Warehousing Environments
  928. • 65 Database Terms
  929. • 66 Types of Databases
  930. • 67 Types of Databases (contd.)
  931. • 68 Types of Databases (contd.)
  932. • 69 Types of Databases (contd.)
  933. • 70 Types of Databases (contd.)
  934. • 71 Database—Threats and Vulnerabilities
  935. • 72 Introduction to Data Warehousing
  936. • 73 Data Warehousing Concepts
  937. • 74 Database Normalization
  938. • 75 DBMS Controls
  939. • 76 Business Scenario
  940. • 77 Malwares—Types
  941. • 78 Malware Protection
  942. • 79 Business Scenario
  943. • 80 Importance and Role of Knowledge Management
  944. • 81 Knowledge-Based System/Artificial Intelligence
  945. • 82 Knowledge-Based System—Expert System
  946. • 83 Knowledge-Based System—Neural Network
  947. • 84 Web Application Environment—Threats and Vulnerabilities
  948. • 85 Web Application Environment Security
  949. • 86 Web Application Environment Security (contd.)
  950. • 87 Web Application Environment Security (contd.)
  951. • 88 Web Application Environment Security (contd.)
  952. • 89 The Ten Best Practices for Secure Software Development—(ISC)2
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!