This course provides the knowledge needed to implement security solutions within an enterprise policy framework| using a vendor-neutral format. This includes security and risk management programs| organizational policies and training| asset security| enterprise security architecture and engineering| network and communication security| identity and access management| security assessments and testing| operational security and secure software development. This course maps to the (ISC)² CISSP certification exam. Objective coverage is marked throughout the course.
You will benefit most from this course if you are an experienced security professional who intends to take an (ISC)² CISSP exam.
This course assumes that you have some applied knowledge of computers| networks| and cybersecurity principles in an enterprise environment.
Learning Objectives
Security and Risk Management
Understand| adhere to| and promote professional ethics
Understand and apply security concepts
Evaluate and apply security governance principles
Determine compliance and other requirements
Understand legal and regulatory issues that pertain to information security in a holistic context
Understand requirements for investigation types (i.e.| administrative| criminal| civil| regulatory| industry standards)
Develop| document| and implement security policy| standards| procedures| and guidelines
Contribute to and enforce personnel security policies and procedures
Understand and apply risk management concepts
Establish and maintain a security awareness| education| and training program
Asset Security
Identify and classify information and assets
Establish information and asset handling requirements
Provision resources securely
Manage data lifecycle
Ensure appropriate asset retention
Determine data security controls and compliance requirements
Security Architecture and Engineering
Research| implement and manage engineering processes using secure design principles
Understand the fundamental concepts of security models (e.g.| Biba| Star Model| Bell-LaPadula)
Select controls base upon system security requirements
Understand security capabilities of Information Systems
Assess and mitigate the vulnerabilities of security architectures| designs| and solution elements
Select and determine cryptographic solutions
Understand methods of cryptanalytic attacks
Apply security principles to site and facility design
Design site and facility security controls
Communication and Network Security
Assess and implement secure design principles in network architectures
Secure network components
Implement secure communication channels according to design
Identity and Access Management (IAM)
Control physical and logical access to assets
Manage identification and authentication of people| devices| and services
Federated identity with a third-party service
Manage the identity and access provisioning lifecycle
Security Assessment and Testing
Design and validate assessment| test| and audit strategies
Conduct security control testing
Collect security process data (e.g.| technical and administrative)
Analyze test output and generate report
Conduct or facilitate security audits
Security Operations
Understand and comply with investigations
Conduct logging and monitoring activities
Perform Configuration Management (CM) (e.g.| provisioning| baselining| automation)
Apply foundational security operations concepts
Apply resource protection
Conduct incident management
Operate and maintain detective and preventative measures
Implement and support patch and vulnerability management
Understand and participate in change management processes
Implement recovery strategies| Implement Disaster Recovery (DR) processes
Test Disaster Recovery Plans (DRP)| Participate in Business Continuity (BC) planning and exercises
Implement and manage physical security| Address personnel safety and security concerns
Software Development Security
Understand and integrate security in the Software Development Life Cycle (SDLC)
Identify and apply security controls in software development ecosystems
Assess the effectiveness of software security
Assess security impact of acquired software Assess security impact of acquired software
Define and apply secure coding guidelines and standards
9: Secure system design
System hardware vulnerabilities
Securing hosts
Physical security and safety
10: Specialized system security
Architecture elements
Databases
Mobile device security
Virtual and cloud systems
11: Network fundamentals
Network models
Physical networking
Network infrastructure devices
12: Network technologies
Local wireless networks
WAN technologies
Network convergence
13: Network protocols
IP addressing
Core protocols
Network ports and applications
14: Network security architecture
Network vulnerabilities
Packet flow
Network security systems
Network access technologies
15: Secure network configuration
Hardening networks
Securing communications
16: Identity management
Access control vulnerabilities
Identity systems
17: Access control technologies
Access control components
Authentication technologies
18: Vulnerability management
Security testing programs
Vulnerability assessment
Vulnerability management programs
19: Scanning and monitoring
Reconnaissance techniques
Network Monitoring
Data analysis
20: Incident response
Incident response planning
Incident response procedures
Investigation support
21: Security operations
Secure asset management
Resilience and business continuity
Fault tolerance and recovery
22: Software threats
Software Vulnerabilities
Malware
23: Secure development
Software development
Secure programs
Learning Objectives
Understand and apply the concepts of risk assessment| risk analysis| data classification| and security awareness and Implement risk management and the principles used to support it .
Apply a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization’s security processes| information security systems| personnel| and organization
Understand the structures| transmission methods| transport formats| and security measures used to provide confidentiality| integrity| and availability for transmissions over private and public communication.
Offer greater visibility into determining who or what may have altered data or system information| potentially affecting the integrity of those asset and match an entity| such as a person or a compute
Plan for technology development| including risk| and evaluate the system design against mission requirements| and identify where competitive prototyping and other evaluation techniques fit in the
process Protect and control information processing assets in centralized and distributed environments and execute the daily tasks required to keep security services operating reliably and efficiently.
Understand the Software Development Life Cycle (SDLC) and how to apply security to it| and identify which security control(s) are appropriate for the development environment| and assess the effectiveness.
of software security.
Framework Connections
The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):