opexxx

CISM_CISA_CISSP

Jan 13th, 2022 (edited)

CISA

Domain 1 – Information System Auditing Process
• How can we plan an audit to determine whether information systems are protected, controlled, and provide value to the organization?
• How can we conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy?
• How can we communicate audit progress, findings, results and recommendations to stakeholders?
• How can we conduct audit follow-up to evaluate whether risk has been sufficiently addressed?
• How can we evaluate IT management and monitoring of controls?
• How can we utilize data analytics tools to streamline audit processes?
• How can we provide consulting services and guidance to the organization in order to improve the quality and control of information systems?
• How can we identify opportunities for process improvement in the organization’s IT policies and practices?

Domain 2 – Governance & Management of IT
• How can we evaluate the IT strategy for alignment with the organization’s strategies and objectives?
• How can we evaluate the effectiveness of IT governance structure and IT organizational structure?
• How can we evaluate the organization’s management of IT policies and practices?
• How can we evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements?
• How can we evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives?
• How can we evaluate the organization’s risk management policies and practices?
• How can we evaluate IT management and monitoring of controls?
• How can we evaluate the monitoring and reporting of IT key performance indicators (KPIs)?
• How can we evaluate whether IT supplier selection and contract management processes align with business requirements?
• How can we evaluate whether IT service management practices align with business requirements?
• How can we conduct periodic review of information systems and enterprise architecture?
• How can we evaluate data governance policies and practices?
• How can we evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives?
• How can we evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices?

Domain 3 – Information Systems Acquisition, Development, & Implementation
• How can we evaluate whether the business case for proposed changes to information systems meets business objectives?
• How can we evaluate the organization’s project management policies and practices?
• How can we evaluate controls at all stages of the information systems development life cycle?
• How can we evaluate the readiness of information systems for implementation and migration into production?
• How can we conduct post-implementation review of systems to determine whether project deliverables, controls and requirements are met?
• How can we evaluate change, configuration, release, and patch management policies and practices?

Domain 4 – Information Systems Operations and Business Resilience
• How can we evaluate the organization’s ability to continue business operations?
• How can we evaluate whether IT service management practices align with business requirements?
• How can we conduct periodic review of information systems and enterprise architecture?
• How can we evaluate IT operations to determine whether they are controlled effectively and continue to support the organization’s objectives?
• How can we evaluate IT maintenance practices to determine whether they are controlled effectively and continue to support the organization’s objectives?
• How can we evaluate database management practices?
• How can we evaluate data governance policies and practices?
• How can we evaluate problem and incident management policies and practices?
• How can we evaluate change, configuration, release, and patch management policies and practices?
• How can we evaluate end-user computing to determine whether the processes are effectively controlled?

Domain 5 – Protection of Information Assets
• How can we conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy?
• How can we evaluate problem and incident management policies and practices?
• How can we evaluate the organization’s information security and privacy policies and practices?
• How can we evaluate physical and environmental controls to determine whether information assets are adequately safeguarded?
• How can we evaluate logical security controls to verify the confidentiality, integrity, and availability of information?
• How can we evaluate data classification practices for alignment with the organization’s policies and applicable external requirements?
• How can we evaluate policies and practices related to asset life cycle management?
• How can we evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives?
• How can we perform technical security testing to identify potential threats and vulnerabilities?
• How can we evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices?

CISM

Domain 1 – Information Security Governance
• Could you please explain the need for and the desired outcomes of an effective information security strategy?
• Could you please create an information security strategy aligned with organizational goals and objectives?
• How can you gain stakeholder support using business cases?
• How can you identify key roles and responsibilities needed to execute an action plan?
• How can you establish metrics to measure and monitor the performance of security governance?

Domain 2 – Information Risk Management
• Could you please explain the importance of risk management as a tool to meet business needs and develop a security management program to support these needs?
• How can you identify, rank, and respond to a risk in a way that is appropriate as defined by organizational directives?
• How can you assess the appropriateness and effectiveness of information security controls?
• How can you report information security risk effectively?

Domain 3 – Information Security Program Development and Management
• How effectively do you align information security program requirements with those of other business functions?
• How do you manage the information security program resources?
• How do you design and implement information security controls?
• How do you incorporate information security requirements into contracts, agreements and third-party management processes?

Domain 4 – Information Security Incident Management
• Could you please confirm the concepts and practices of incident management?
• How do you identify the components of an incident response plan and evaluate its effectiveness?
• How do you identify the key concepts of Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)?
• Please confirm the techniques commonly used to test incident response capabilities.

CRISC

Domain 1 – Risk Management
• How do you collect and review environmental risk data?
• How do you identify potential vulnerabilities to people, processes and assets?
• How do you develop IT scenarios based on information and potential impact to the organization?
• How do you identify key stakeholders for risk scenarios?
• How do you establish a risk register?
• How do you gain senior leadership and stakeholder approval of the risk plan?
• How do you collaborate to create a risk awareness program and conduct training?

Domain 2 – IT Risk Assessment
• How do you analyze risk scenarios to determine likelihood and impact?
• How do you identify the current state of risk controls and their effectiveness?
• How do you determine gaps between the current state of risk controls and the desired state?
• How do you ensure risk ownership is assigned at the appropriate level?
• How do you communicate risk assessment data to senior management and appropriate stakeholders?
• How do you update the risk register with risk assessment data?

Domain 3 – Risk Response and Mitigation
• How do you align risk responses with business objectives?
• How do you consult with and assist risk owners in developing risk action plans?
• How do you ensure risk mitigation controls are managed to acceptable levels?
• How do you ensure control ownership is appropriately assigned to establish accountability?
• How do you develop and document control procedures for effective control?
• How do you update the risk register?
• How do you validate that risk responses are executed according to risk action plans?

Domain 4 – Risk and Control Monitoring and Reporting
• How do you perform risk and control monitoring and reporting?
• How do you define key risk indicators (KRIs) and identify key performance indicators (KPIs) to enable performance measurement?
• How do you determine the effectiveness of control assessments?
• How do you identify and report trends/changes to KRIs/KPIs that affect control performance or the risk profile?

CPE on Demand: Data Security
Your bundle includes the following sessions:
• Securing Unstructured Data - What You Don't Know Can & Will Hurt You
• Auditing Big Data Systems
• Data Sharing Risks and Controls
• Protect Your Data Against Insider Threats
• Assessing Data Governance at Nationwide
• Physical Data Security

CPE on Demand: Emerging GRC Challenges
Your bundle includes the following sessions:
• Agile, DevOps & Compliance
• Why Companies Fail PCI DSS Assessments and What to Do About It
• Blockchain & Cryptocurrency Emerging Regulations in the USA
• The New Privacy: GDPR, California Consumer Privacy Act, and the Future of Data Regulation (panel discussion)

CPE on Demand: Security Practices for Business
Your bundle includes the following sessions:
• Incorporating Security Practices into Business Practices
• What Senior Executives (And Others) Want to See in Security KPIs
• How to Operationalize Cybersecurity: Turning Policy into Action
• Preparing for the Security Audit: Is Your ERP Ready?

CPE on Demand: Technical Security Insights
Your bundle includes the following sessions:
• Review & Secure an Email Server
• Safeguarding Web Applications: A Different Perspective
• Using Network Forensic Techniques to Detect Threats
• Identifying Critical Flaws in Hardened Active Directory Environments
• An Auditor’s Guide to Incident Response Plans

CPE on Demand: Third-Party Services
Your bundle includes the following sessions:
• How Secure Are Your Vendors? Third Party Risk Management in Information Security
• Secure Cloud Solutions
• How to Ensure Vendor Compliance & the Mitigation of Third-Party Risks
• Cloud Insecurity: The Need for Stronger Identity Management
• SOC Reports: Reducing the Risk of Service Providers
• AWS for Auditors

CISSP

Domain 01 - Security and Risk Management
• 1 Domain 01—Security and Risk Management
• 2 Objectives
• 3 Importance of Information Security and Risk Management
• 4 Role and Importance of CIA in ISM
• 5 Confidentiality
• 6 Integrity
• 7 Availability
• 8 Information Security
• 9 Information Security Management
• 10 Information Security Governance
• 11 IT Security and Organizational Goals, Mission, and Objectives
• 12 Goals, Mission, and Objectives
• 13 Aligning Security with Goals, Mission, and Objectives
• 14 Business Scenario
• 15 Organizational Processes
• 16 Auditing
• 17 Control Framework
• 18 Due Care
• 19 Due Diligence
• 20 Security Controls
• 21 Service Level Agreements
• 22 Managing Third-Party Governance
• 23 Offshoring Privacy Requirements and Compliance
• 24 Business Scenario
• 25 Layers of Responsibility
• 26 Security Policies
• 27 Types of Security Policies
• 28 Security Policy Implementation
• 29 Policy Chart
• 30 Standards, Guidelines, Procedures, and Baselines
• 31 Business Scenario
• 32 Compliance—Need for Compliance
• 33 Regulatory Compliance
• 34 Compliance
• 35 Compliance (contd.)
• 36 Compliance (contd.)
• 37 Standards/Manuals/Guidelines for Compliance
• 38 Computer Crimes
• 39 Introduction to Computer Crimes
• 40 Categories of Computer Crimes
• 41 Business Scenarios
• 42 Major Legal Systems
• 43 Common Law and Civil Law
• 44 Customary Law and Religious Law
• 45 Mixed Law
• 46 Business Scenario
• 47 Introduction to Intellectual Property (IP) Law
• 48 Types of Intellectual Property (IP) Law
• 49 Types of Intellectual Property (IP) Law (contd.)
• 50 Types of Intellectual Property (IP) Law (contd.)
• 51 Business Scenario
• 52 Import or Export Controls and Trans-Border Data Flow
• 53 Introduction to Privacy
• 54 U.S. Privacy Laws
• 55 U.S. Privacy Laws (contd.)
• 56 U.S. Guidelines for Managing Privacy
• 57 EU Council Directive (Law) on Data Protection
• 58 The U.S.-European Union Safe Harbor
• 59 Security Definitions
• 60 Information Risk Management
• 61 Business Scenario
• 62 Introduction to Risk Analysis
• 63 Goals of Risk Analysis
• 64 Risk Analysis Team
• 65 Steps for Risk Analysis
• 66 Information and Assets Valuation
• 67 Risk Analysis Types
• 68 Quantitative Risk Analysis—Steps
• 69 Quantitative Risk Analysis—Problem
• 70 Qualitative Risk Analysis
• 71 Delphi Technique
• 72 Quantitative vs. Qualitative
• 73 Hybrid Analysis
• 74 Countermeasure Selection—Problem
• 75 Countermeasure Selection—Other Factors
• 76 Handling Risk
• 77 Business Scenario
• 78 Threat Modeling
• 79 Need for Business Continuity Planning
• 80 Basic Concepts—Disruptive Events
• 81 Basic Concepts—Business Continuity Planning
• 82 Importance of Business Continuity Planning
• 83 Business Continuity Planning Phases
• 84 BCP/DRP Phase 1—Project Initiation and Scoping
• 85 BCP/DRP Phase 2—Business Impact Analysis (BIA)
• 86 BIA—Goals
• 87 BIA—Steps
• 88 BIA Steps—Business Unit Level
• 89 Maximum Tolerable Downtime (MTD)
• 90 Failure and Recovery Metrics
• 91 Failure and Recovery Metrics (contd.)
• 92 Stages of Failure and Recovery
• 93 BCP/DRP Phase 3—Identify Preventive Controls
• 94 Importance of Managing Personnel Security
• 95 Managing Personnel Security—Hiring Practices
• 96 Managing Personnel Security—Employee Termination
• 97 Vendor, Contractors, and Consultant Controls
• 98 Best Work Practices
• 99 Business Scenario
• 100 Importance of Security Awareness Training
• 101 Security Awareness Training: Awareness, Training, and Education
• 102 Implementation of Security Awareness Training Program
• 103 Importance of Content Updates
• 104 Importance of Managing Security Function
• 105 Best Practices—Budget and Establish Security Metrics
• 106 Best Practices—Resources and Develop and Implement Strategies
• 107 Best Practices—Completeness and Effectiveness of the Program
• 108 Business Scenario
• 109 (ISC)2 Code of Ethics
• 110 Quiz
• 111 Summary
• 112 Conclusion

Domain 02 - Asset Security
• 1 Domain 02—Asset Security
• 2 Objectives
• 3 Importance of Asset Security
• 4 Need for Information Classification
• 5 Information Classification Objectives
• 6 Government or Military Sector Classification
• 7 Commercial or Private Sector Classification
• 8 Information Classification Criteria
• 9 Data Classification Considerations
• 10 Role Responsible for Data Classification
• 11 Business Scenario
• 12 Data Management
• 13 Best Practices for Data Management
• 14 Data Policy
• 15 Data Ownership
• 16 Data Ownership Best Practices
• 17 Data Custodians
• 18 Data Custodians (contd.)
• 19 Data Quality
• 20 Data Quality—Aspects
• 21 Data Quality Assurance and Quality Control
• 22 Data Documentation
• 23 Data Documentation Practices
• 24 Data Standards
• 25 Data Control Lifecycle
• 26 Data Specification and Modeling
• 27 Database Maintenance
• 28 Data Audit
• 29 Data Storage and Archiving
• 30 Data Security
• 31 Data Access, Sharing, and Dissemination
• 32 Data Publishing
• 33 Data Handling Requirements
• 34 Media Resource Protection
• 35 Data Remanence
• 36 Business Scenario
• 37 Asset Management
• 38 Software Licensing
• 39 Equipment Lifecycle
• 40 Protecting Privacy
• 41 Ensuring Appropriate Retention
• 42 Data Security Controls
• 43 Data in Transit—Best Practices
• 44 Scoping and Tailoring
• 45 Scoping and Tailoring (contd.)
• 46 Standards Selection—US DoD
• 47 Standards Selection—International Standards
• 48 Standards Selection—National Cyber Security Framework Manual
• 49 Standards Selection—Center for Strategic and International Studies
• 50 Standards Selection—Critical Security Controls
• 51 Standards Selection—Security Content Automation Protocol
• 52 Framework for Improving Critical Infrastructure Cybersecurity
• 53 Business Scenario

Domain 03 - Security Engineering
• 1 Domain 03—Security Engineering
• 2 Objectives
• 3 Security Architecture and Design—Case Study
• 4 Security Engineering
• 5 Architecture Framework
• 6 Zachman Framework
• 7 TOGAF
• 8 ITIL
• 9 Creating a Security Architecture
• 10 Enterprise Security Architecture
• 11 Common Security Services in ESA
• 12 SABSA Framework
• 13 SABSA Matrix
• 14 Business Scenario
• 15 ISO/IEC 27001:2013 Security Standards
• 16 ISO/IEC 27002 Code of Practice for Information Security Management
• 17 Security Models
• 18 State Machine Model
• 19 Multilevel Security Models
• 20 Matrix-Based Model
• 21 Non-Interference Model
• 22 Information Flow Model
• 23 Examples of Security Models: Bell–LaPadula Confidentiality Model
• 24 Examples of Security Models: Biba Integrity Model
• 25 Examples of Security Models: Clark–Wilson Integrity Model
• 26 Brewer–Nash, Graham–Denning, and Harrison–Ruzzo–Ullman Models
• 27 Business Scenario
• 28 Evaluation Criteria
• 29 CSEC
• 30 Information Technology Security Evaluation Criteria
• 31 Common Criteria
• 32 Common Criteria Evaluation Process
• 33 Common Criteria Levels
• 34 Payment Card Industry Data Security Standard
• 35 Certification and Accreditation
• 36 Certification and Accreditation Standards
• 37 SEI—CMMI
• 38 SEI—CMMI Levels
• 39 Business Scenario
• 40 System Security Architecture
• 41 Mainframes and Other Thin Client Systems
• 42 Middleware and Embedded Systems
• 43 Pervasive Computing and Mobile Computing Devices
• 44 System Components—Processors
• 45 System Components—Memory
• 46 System Components—Storage
• 47 System Components—Trusted Computing Base (TCB)
• 48 System Components—Reference Monitor
• 49 System Components—Trusted Platform Module (TPM)
• 50 System Components—Peripherals and Other Input/Output Devices
• 51 System Components—Operating System
• 52 System Components—Ring Model
• 53 System Components—System Kernel
• 54 Distributed Systems
• 55 Virtualization
• 56 Hypervisor
• 57 Cloud Computing
• 58 Service Models
• 59 Grid Computing
• 60 Peer to Peer Networking (P2P)
• 61 Business Scenario
• 62 Security Threats and Countermeasures
• 63 Assessing and
• 64 Assessing and
• 65 Assessing and
• 66 Best Practices
• 67 Best Practices
• 68 Best Practices
• 69 Best Practices
• 70 Best Practices
• 71 Best Practices
• 72 Best Practices
• 73 Introduction to Cryptography
• 74 Cryptographic Lifecycle
• 75 Algorithm or Protocol Governance
• 76 Cryptography Terms
• 77 Strength of a Cryptosystem
• 78 Cryptography Methods—Substitution Cipher
• 79 Cryptography Methods—Transposition Cipher
• 80 Cryptography Methods—Book or Running Key Cipher
• 81 Cryptography Methods—Concealment Cipher
• 82 Cryptography Methods—Steganography and DRM
• 83 Business Scenario
• 84 Introduction to Symmetric Cryptography
• 85 Symmetric Key Ciphers
• 86 Block Cipher
• 87 Stream Cipher
• 88 Block Cipher Designs
• 89 Data Encryption Standard (DES)
• 90 DES Algorithm
• 91 DES Operation Modes—Electronic Code Book
• 92 DES Operation Modes—Cipher Block Chaining
• 93 DES Operation Modes—Cipher Feedback
• 94 DES Operation Modes—Output Feedback
• 95 DES Operation Modes—Counter
• 96 Triple DES
• 97 Advanced Encryption Standard (AES)
• 98 AES Algorithm
• 99 AES Algorithm—Key Expansion and Initial Round
• 100 Advanced Encryption Standard (AES) Algorithm—Rounds
• 101 AES Algorithm—Final Round
• 102 Other Symmetric Systems
• 103 Other Symmetric Systems (contd.)
• 104 Business Scenario
• 105 Introduction to Asymmetric Cryptography
• 106 Introduction to Asymmetric Cryptography—Diagram
• 107 Introduction to RSA Algorithm
• 108 RSA Algorithm Process
• 109 Other Types of Asymmetric Cryptography—Elliptic Curve Cryptosystems
• 110 Other Types of Asymmetric Cryptography—Diffie-Hellman Key Exchange
• 111 Public Key Cryptography
• 112 Symmetric vs. Asymmetric Cryptography
• 113 Advantages and Disadvantages
• 114 Introduction to Public Key Infrastructure
• 115 PKI Certification
• 116 PKI Certification (contd.)
• 117 PKI Steps—Part 1
• 118 PKI Steps—Part 2
• 119 One-Way Hash
• 120 Hashing Algorithms
• 121 Hashing Algorithms (contd.)
• 122 Salting
• 123 Message Authentication Code (MAC)
• 124 Digital Signatures
• 125 Key Management
• 126 Key Management Principles
• 127 Escrowed Encryption
• 128 Business Scenario
• 129 Need for Physical and Environmental Security
• 130 Business Scenario
• 131 Site and Facility Design Criteria
• 132 Information Protection Environment
• 133 Crime Prevention Through Environmental Design (CPTED)
• 134 Site Location
• 135 Construction
• 136 Support Facilities
• 137 Business Scenario
• 138 Secure Operational Areas
• 139 Business Scenario
• 140 Environmental Controls
• 141 Environmental Controls (contd.)
• 142 Fire Detection and Suppression
• 143 Power Supply
• 144 Power Supply (contd.)
• 145 HVAC
• 146 Training and Awareness
• 147 Business Scenario

Domain 04 - Communications and Network Security
• 1 Domain 04—Communications and Network Security
• 2 Objectives
• 3 Importance of Communications and Network Security—Case Study
• 4 Introduction to Secure Network Architecture and Design
• 5 Open Systems Interconnection
• 6 OSI Model Layers
• 7 Physical Layer
• 8 Data Link Layer
• 9 Network Layer
• 10 Transport Layer
• 11 Session Layer
• 12 Presentation Layer
• 13 Application Layer
• 14 Transmission Control Protocol/Internet Protocol (TCP/IP) Model
• 15 Network Access Layer and Internet Layer
• 16 Host-to-Host Layer and Application Layer
• 17 Comparison of OSI and TCP/IP Models
• 18 Introduction to IP Addressing
• 19 IPv4 and IPv6
• 20 Classful IP Addressing
• 21 Class A
• 22 Class B
• 23 Class C
• 24 Class D and Class E
• 25 Classless Inter-Domain Routing
• 26 Private Networks and Loopback Address
• 27 Types of IP Addressing
• 28 Routed and Routing Protocols
• 29 Types of Network Protocols
• 30 Transmission Control Protocol (TCP)
• 31 User Datagram Protocol (UDP)
• 32 Internet Protocol
• 33 Address Resolution Protocol
• 34 Internet Control Message Protocol (ICMP)
• 35 Hypertext Transfer Protocol (HTTP)
• 36 Implications of Multi-Layer Protocols
• 37 Distributed Network Protocol
• 38 LAN/Network Technologies
• 39 Transmission Media
• 40 Twisted Pair
• 41 Coaxial Cable Box
• 42 Fiber-Optic Cable Box
• 43 Network Topologies
• 44 Media Access Technologies
• 45 Carrier-Sense Multiple Access with Collision Detection
• 46 Carrier-Sense Multiple Access with Collision Avoidance
• 47 Flavors of LAN Transmission Methods
• 48 List of Networking Devices
• 49 VLANs
• 50 Gateways
• 51 Network Access Control Devices
• 52 Packet-Filtering and Application-Level
• 53 Circuit-Level and Stateful-Inspection
• 54 Firewall Architectures
• 55 Network Security Terms
• 56 Business Scenario
• 57 Networks
• 58 Types of Networks
• 59 WAN Technologies
• 60 WAN Switching and Devices
• 61 Network Address Translation and Frame Relay
• 62 Multi-Protocol Label Switching and VoIP
• 63 Fibre Channel over Ethernet and Internet Small Computer System Interface
• 64 Virtualized Networks
• 65 Introduction to Remote Access
• 66 VPN using PPTP and L2TP
• 67 Internet Security Protocol (IPsec)
• 68 Internet Security Protocol (IPsec) Modes of Operation
• 69 IPsec Security Protocols—Authentication Header (AH)
• 70 IPsec Security Protocols—Encapsulating Security Payload (ESP)
• 71 Components of the IPsec Process
• 72 Components of the IPsec Process (contd.)
• 73 IPsec Process
• 74 Secure Access Protocols
• 75 Secure Access Protocols (contd.)
• 76 Secure Access Protocols (contd.)
• 77 Remote Access Security Methods
• 78 Multimedia Collaboration
• 79 Wireless Technologies
• 80 IEEE Wireless Standards and Spread-Spectrum Technologies
• 81 Direct Sequence Spread Spectrum and Frequency-Hopping Spread Spectrum
• 82 WLAN Operational Modes
• 83 Bluetooth
• 84 Bluetooth Attack
• 85 Bluejacking and Bluesnarfing
• 86 Bluebugging, Backdoor Attacks, and Denial of Service Attacks
• 87 Wireless Security
• 88 Business Scenario
• 89 Network Attacks
• 90 Network Attacks (contd.)
• 91 Network Attacks—Countermeasures

  617. Domain 05 - Identity and Access Management
  618. • 1 Domain 05—Identity and Access Management
  619. • 2 Objectives
  620. • 3 Importance of Identity and Access Management in Information Security
  621. • 4 Controlling Physical and Logical Access to Assets
  622. • 5 Controlling Physical and Logical Access to Assets (contd.)
  623. • 6 Access Subject Object and Access control
  624. • 7 Identity and Access Management Policy
  625. • 8 Identification Authentication and Authorization
  626. • 9 Identity Management
  627. • 10 Identity and Access Provisioning Lifecycle
  628. • 11 Identity and Access Provisioning Lifecycle (contd.)
  629. • 12 Guidelines for User Identification
  630. • 13 Verifying Identification Information
  631. • 14 Strong Authentication
  632. • 15 Biometrics—Characteristics
  633. • 16 Types of Biometrics
  634. • 17 FRR FAR CER
  635. • 18 Passwords
  636. • 19 Password Types
  637. • 20 Tokens
  638. • 21 Token Device—Synchronous
  639. • 22 Token Device—Asynchronous
  640. • 23 Memory Cards and Smart Cards
  641. • 24 Attacks on Smart Cards—Fault Generation and Micro-Probing
  642. • 25 Access Criteria
  643. • 26 Authorization Concepts
  644. • 27 Identity Management Implementation
  645. • 28 Password Management
  646. • 29 Directory Management
  647. • 30 Directory Technologies
  648. • 31 Accounts Management
  649. • 32 Profile Management
  650. • 33 Web Access Management
  651. • 34 Single Sign-On (SSO)
  652. • 35 SSO Technologies
  653. • 36 Kerberos
  654. • 37 Kerberos Steps
  655. • 38 Problems with Kerberos
  656. • 39 Business Scenario
  657. • 40 Access Control Types—Security Layer
  658. • 41 Access Control Types—Functionality
  659. • 42 Business Scenaris
  660. • 43 Access Control Models—DAC
  661. • 44 Access Control Models—MAC
  662. • 45 Access Control Models—RBAC
  663. • 46 Business Scenario
  664. • 47 Access Control Concepts
  665. • 48 Types of Access Control Administration
  666. • 49 Remote Authentication Dial-In User Service (RADIUS)
  667. • 50 TACACS and TACACS+
  668. • 51 DIAMETER
  669. • 52 Accountability
  670. • 53 Accountability (contd.)
  671. • 54 Session Management
  672. • 55 Registration and Proof of Identity
  673. • 56 Credential Management Systems
  674. • 57 Credential Management Systems—Risks and Benefits
       • 58 Federated Identity Management
  675. • 59 Federated Identity Management Models
  676. • 60 Federated Identity Management Models (contd.)
  677. • 61 Federated Identity Management Models (contd.)
  678. • 62 Identity as a Service
  679. • 63 Identity as a Service—Functionality
  680. • 64 Identity as a Service—Possible Issues
  681. • 65 Integrate Third-Party Identity Services
  682. • 66 Integrate Third-Party Identity Services (contd.)
  683. • 67 Unauthorized Disclosure of Information
  684. • 68 Threats to Access Control
  685. • 69 Protection against Access Control Attacks
  686. • 70 Access Control Best Practices
  687. • 71 Access Control Best Practices (contd.)
  688.  
  689. Domain 06 - Security Assessment and Testing
  690. • 1 Domain 06—Security Assessment and Testing
  691. • 2 Objectives
  692. • 3 Security Assessment and Testing—Introduction
  693. • 4 Assessment and Test Strategies
  694. • 5 Vulnerability Assessment
  695. • 6 Penetration Testing
  696. • 7 Log Management
  697. • 8 Log Management—Advantages and Challenges
  698. • 9 Log Management—Best Practices
  699. • 10 Log Management—Operational Process
  700. • 11 Logged Events
  701. • 12 Synthetic Transactions
  702. • 13 Reasons to Use Synthetic Transactions
  703. • 14 Code Review and Testing
  704. • 15 Testing Techniques
  705. • 16 Security Testing in the SDLC
  706. • 17 Software Product Testing Levels
  707. • 18 Misuse Case Testing
  708. • 19 Misuse Case Testing—Scenarios
  709. • 20 Test Coverage Analysis
  710. • 21 Interface Testing
  711. • 22 API Testing (contd.)
  712. • 23 Interface Testing (contd.)
  713. • 24 GUI Testing
  714. • 25 Common Software Vulnerabilities
  715. • 26 Business Scenario
  716. • 27 Information Security Continuous Monitoring
  717. • 28 Information Security Continuous Monitoring—Strategy and Process
  718. • 29 Risk Evaluation and Control—Metrics
  719. • 30 Security Controls Monitoring Frequencies
  720. • 31 ISCM—Benefits
  721. • 32 Key Performance and Risk Indicators
  722. • 33 Internal and Third-Party Audits
  723. • 34 Audit Frequency and Scope
  724. • 35 Statement on Auditing Standards No. 700
  725. • 36 Service Organization Controls
  726. • 37 SOC 1 Report
  727. • 38 SOC 2 Report
  728. • 39 SOC 2 Reports (contd.)
  729. • 40 SOC 3 Report
  730. • 41 SOC 1, SOC 2, and SOC 3 Comparison
  731. • 42 Audit Process—Audit Preparation Phase
  732. • 43 Audit Process—Audit Phases
  733. • 44 Business Scenario
  734.  
  735. Domain 07 - Security Operations
  736. • 1 Domain 07—Security Operations
  737. • 2 Objectives
  738. • 3 Importance of Security Operations—Case Study
  739. • 4 Introduction to Investigations
  740. • 5 Investigation Challenges
  741. • 6 Investigations—Primary Activities
  742. • 7 Crime Scene
  743. • 8 Forensic Investigation Guidelines
  744. • 9 Incident Response Terminologies
  745. • 10 Incident Response Goals
  746. • 11 Incident Response Team
  747. • 12 Incident Response Procedures
  748. • 13 Incident Response Procedures (contd.)
  749. • 14 Incident Response Procedures (contd.)
  750. • 15 Incident Response Procedures (contd.)
  751. • 16 Business Scenario
  752. • 17 Evidence
  753. • 18 Evidence Lifecycle
  754. • 19 Chain of Evidence
  755. • 20 Types of Evidence
  756. • 21 Computer Forensics Procedure
  757. • 22 Requirements for Investigation Types
  758. • 23 Logging and Monitoring Activities
  759. • 24 Intrusion Detection System
  760. • 25 Intrusion Prevention System
  761. • 26 Security Information and Event Management (SIEM)
  762. • 27 Security Information and Event Management (SIEM)—Characteristics
  763. • 28 Continuous Monitoring
  764. • 29 Egress Filtering
  765. • 30 Data Leak or Loss Prevention (DLP)
  766. • 31 Steganography and Digital Watermarking
  767. • 32 Business Scenario
  768. • 33 Secure Provisioning of Resources through Configuration Management
  769. • 34 Secure Provisioning of Resources through Configuration Management (contd.)
  770. • 35 Introduction to Security Operations
  771. • 36 Security Operations Concepts
  772. • 37 Security Operations
  773. • 38 Effects of Operations Controls on C.I.A.
  774. • 39 Business Scenario
  775. • 40 Operational Resilience
  776. • 41 Threats to Operations
  777. • 42 Threats to Operations (contd.)
  778. • 43 Vulnerabilities
  779. • 44 Controls
  780. • 45 Business Scenario
  781. • 46 Need for Controlling Privileged Accounts
  782. • 47 Identity and Access Management
  783. • 48 Types of Accounts
  784. • 49 Commonly Used Roles
  785. • 50 Commonly Used Roles (contd.)
  786. • 51 Monitoring Special Privileges
  787. • 52 Service Level Agreements (SLAs)
  788. • 53 Business Scenario
  789. • 54 Protect Valuable Assets
  790. • 55 Protecting Physical Assets
  791. • 56 Protecting Information Assets
  792. • 57 Protecting Resources
  793. • 58 Controls for Protecting Assets—Hardware Controls
  794. • 59 Controls for Protecting Assets—Software Controls
  795. • 60 Controls for Protecting Assets—Media Controls
  796. • 61 Controls for Protecting Assets—Administrative Controls
  797. • 62 Cloud and Virtual Storage
  798. • 63 Cloud and Virtual Storage Security Issues
  799. • 64 Types of Virtualized Storage
  800. • 65 Hard Copy Records
  801. • 66 Business Scenario
  802. • 67 Incident Management
  803. • 68 Security Measurements, Metrics, and Reporting
  804. • 69 Managing Security Technologies
  805. • 70 Incident Management—Detection Phase
  806. • 71 Intrusion Detection System
  807. • 72 Security Information Event Management (SIEM)
  808. • 73 Anti-Malware Systems
  809. • 74 Monitoring Techniques—Violation Analysis
  810. • 75 Incident Management—Other Phases
  811. • 76 Trusted Recovery and System Recovery
  812. • 77 Problem Management
  813. • 78 Operating and Maintaining Preventive Measures
  814. • 79 Patch Management
  815. • 80 Vulnerability Management
  816. • 81 Change Management
  817. • 82 Change Control Process
  818. • 83 Configuration Management
  819. • 84 Configuration Management (contd.)
  820. • 85 Business Scenario
  821. • 86 Develop a Recovery Strategy
  822. • 87 Types of Recovery—Business Recovery and Facility and Supply Recovery
       • 88 Types of Recovery—User Recovery
  823. • 89 Types of Recovery—Operational Recovery
  824. • 90 Recovery Partners Strategy
  825. • 91 Backup Sites
  826. • 92 Backup Sites (contd.)
  827. • 93 Backup Sites (contd.)
  828. • 94 Backup Methods
  829. • 95 Importance of Maintaining Resilient Systems
  830. • 96 Redundancy and Fault Tolerance
  831. • 97 Redundancy and Fault Tolerance Methods
  832. • 98 Redundancy and Fault Tolerance Methods (contd.)
  833. • 99 Best Practices for Backup and Recovery
  834. • 100 Business Scenario
  835. • 101 Disaster Recovery—Planning Design and Development
  836. • 102 Planning Design and Development—Step 1 and Step 2
  837. • 103 Planning Design and Development—Step 3 and Step 4
  838. • 104 Disaster Recovery Phases—Implementation, Testing, and Training
  839. • 105 Importance of Testing
  840. • 106 Types of Testing
  841. • 107 Types of Testing (contd.)
  842. • 108 Types of Testing (contd.)
  843. • 109 Training
  844. • 110 Disaster Recovery Phases—Maintenance
  845. • 111 Disaster Recovery Phases—Maintenance (contd.)
       • 112 Business Scenario
  846. • 113 Perimeter Security
  847. • 114 Barriers
  848. • 115 Fences
  849. • 116 Gates
  850. • 117 Walls and Bollards
  851. • 118 Perimeter Intrusion Detection
  852. • 119 Business Scenario
  853. • 120 Importance of Lighting
  854. • 121 Types of Lighting Systems
  855. • 122 Types of Lights
  856. • 123 Access Control
  857. • 124 Types of Access Control Systems
  858. • 125 Business Scenario
  859. • 126 Building and Inside Security
  860. • 127 Personnel Security
  861. • 128 Business Scenario
  862.  
  863. Domain 08 - Software Development Security
  864. • 1 Domain 08—Software Development Security
  865. • 2 Objectives
  866. • 3 Importance of Software Development Security
  867. • 4 System Environments
  868. • 5 Distributed Environment
  869. • 6 Client/Server Systems and Local Environment
  870. • 7 Distributed Data Processing and Agents
  871. • 8 Applets
  872. • 9 Programming Concepts
  873. • 10 Compiler vs. Interpreter
  874. • 11 Programming and Software
  875. • 12 Threats in the Software Environment
  876. • 13 Threats in the Software Environment (contd.)
  877. • 14 Threats in the Software Environment (contd.)
  878. • 15 Threats in the Software Environment (contd.)
  879. • 16 Threats in the Software Environment (contd.)
  880. • 17 Threats in the Software Environment (contd.)
  881. • 18 Business Scenario
  882. • 19 System Life Cycle and Systems Development
  883. • 20 Systems Development Life Cycle
  884. • 21 SDLC—Operation and Maintenance
  885. • 22 Integrated Product Team (IPT)
  886. • 23 DevOps
  887. • 24 Software Testing Methods
  888. • 25 Software Testing Levels
  889. • 26 Application Controls
  890. • 27 Software Development Methods
  891. • 28 Software Development Methods (contd.)
  892. • 29 Software Development Methods (contd.)
  893. • 30 Software Development Methods (contd.)
  894. • 31 Software Development Methods (contd.)
  895. • 32 Java Security
  896. • 33 Secure Software Development Best Practices
  897. • 34 Business Scenario
  898. • 35 Object-Oriented Programming Terms
  899. • 36 Object-Oriented Programming Terms (contd.)
  900. • 37 Object-Oriented Programming—Definition
  901. • 38 Distributed Object-Oriented Systems
  902. • 39 Object Request Brokers
  903. • 40 COM—Component Object Model
  904. • 41 DCOM—Distributed Component Object Model
  905. • 42 CORBA—Common Object Request Broker Architecture
  906. • 43 Software Security and Assurance
  907. • 44 Software Security and Assurance
  908. • 45 Software Security and Assurance
  909. • 46 Software Security and Assurance
  910. • 47 Software Security and Assurance
  911. • 48 Software Security and Assurance
  912. • 49 Software Security and Assurance
  913. • 50 Software Security and Assurance
  914. • 51 Software Security and Assurance
  915. • 52 Software Security and Assurance
  916. • 53 Software Security and Assurance
  917. • 54 Software Security and Assurance
  918. • 55 Software Security and Assurance
  919. • 56 Software Security: XML and Security Assertion Markup Language
  920. • 57 Software Security: SOA
  921. • 58 Audit and Assurance Mechanisms
  922. • 59 Assessing the Effectiveness of Software Security
  923. • 60 Assessing the Effectiveness of Software Security (contd.)
  924. • 61 Assessing the Security Impact of Acquired Software
  925. • 62 Code Repositories and Application Programming Interfaces
  926. • 63 Business Scenario
  927. • 64 Database and Data Warehousing Environments
  928. • 65 Database Terms
  929. • 66 Types of Databases
  930. • 67 Types of Databases (contd.)
  931. • 68 Types of Databases (contd.)
  932. • 69 Types of Databases (contd.)
  933. • 70 Types of Databases (contd.)
  934. • 71 Database—Threats and Vulnerabilities
  935. • 72 Introduction to Data Warehousing
  936. • 73 Data Warehousing Concepts
  937. • 74 Database Normalization
  938. • 75 DBMS Controls
  939. • 76 Business Scenario
  940. • 77 Malware—Types
  941. • 78 Malware Protection
  942. • 79 Business Scenario
  943. • 80 Importance and Role of Knowledge Management
  944. • 81 Knowledge-Based System/Artificial Intelligence
  945. • 82 Knowledge-Based System—Expert System
  946. • 83 Knowledge-Based System—Neural Network
  947. • 84 Web Application Environment—Threats and Vulnerabilities
  948. • 85 Web Application Environment Security
  949. • 86 Web Application Environment Security (contd.)
  950. • 87 Web Application Environment Security (contd.)
  951. • 88 Web Application Environment Security (contd.)
  952. • 89 The Ten Best Practices for Secure Software Development—(ISC)2