CISSP Central

Welcome to CISSP Central, the ultimate podcast for aspiring and certified CISSP professionals! Whether you’re studying for the CISSP 2024 syllabus exam or looking to sharpen your cybersecurity skills, this podcast is your go-to resource. Each episode dives deep into the critical domains of cybersecurity, offering insights, tips, and real-world experiences from industry experts.

Join us as we explore the latest trends, challenges, and solutions in information security, helping you stay ahead in a rapidly evolving digital world. From encryption to risk management, compliance to cloud security, CISSP Central covers it all!

Perfect for CISSP candidates, InfoSec pros, and anyone passionate about safeguarding information in the modern age. Tune in, learn, and become the cybersecurity expert you were meant to be!

Note: This entire podcast has been prepared based on a published book on Amazon named C(R)ISSP: The Most Concise Handbook for CISSP 2024, written by myself, which can be purchased directly from Amazon by clicking this link: https://www.amazon.com/s?k=C(R)ISSP&i=digital-text&ref=nb_sb_noss

Introduction to CISSP 2024

This is just an introductory episode of the CISSP Central podcast. The entire podcast series is based on a published book named C(R)ISSP: The most concise handbook for CISSP 2024, written by myself, which can be purchased directly from Amazon.

10-16
09:44

CISSP Domain1 Section 1 and Section 2

1.1 Understand, adhere to, and promote professional ethics
1.1.1 (ISC)² Code of Professional Ethics
1.1.2 Organizational code of ethics
1.2 Understand and apply security concepts
1.2.1 Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation

10-16
14:14

CISSP Domain1 Section 3

1.3 Evaluate, apply, and sustain security governance principles
1.3.1 Alignment of the security function to business strategy
1.3.2 Organizational processes (e.g., acquisitions, divestitures, etc.)
1.3.3 Organizational roles and responsibilities
1.3.4 Security Control Frameworks
1.3.5 Due Care and Due Diligence

10-16
10:17

CISSP Domain1 Section 4

1.4 Understanding of Info Security legal and regulatory problems
1.4.1 Cybercrimes and data breaches
1.4.2 Licensing and intellectual property requirements
1.4.3 Import/export controls
1.4.4 Transborder data flow
1.4.5 Issues Related to Privacy
1.4.6 Contractual, Legal, Industry Standards, & Regulatory Requirements

10-16
10:36

CISSP Domain1 Section 5, 6 and 7

1.5 Understand requirements for investigation types
1.6 Develop, document, & implement security policy, standards, procedures, & guidelines
1.6.1 Security Policies
1.6.2 Standards, Procedures, Baselines, and Guidelines
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
1.7.1 Business Impact Analysis
1.7.2 External Dependencies

10-16
10:24

CISSP Domain1 Section 8

1.8 Contribute to and enforce personnel security policies and procedures
1.8.1 Candidate Screening and Hiring
1.8.2 Employment agreements and policy-driven requirements
1.8.3 Onboarding, transfers, and termination processes
1.8.4 Vendor, consultant, and contractor agreements and controls

10-16
12:25

CISSP Domain1 Section 9

1.9 Understand and apply risk management concepts
1.9.1 Threat and Vulnerability Identification
1.9.2 Risk Analysis, assessment, and scope
1.9.3 Risk response and treatment
1.9.4 Applicable Types of Controls
1.9.5 Control Assessments
1.9.6 Continuous monitoring and measurement
1.9.7 Reporting (e.g., Internal, External)
1.9.8 Continuous improvement (e.g., risk maturity modeling)
1.9.9 Risk Frameworks

10-16
13:23

CISSP Domain1 Section 10

1.10 Understand & apply threat modelling & Methodologies
1.10.1 STRIDE Model
1.10.2 PASTA Model
1.10.3 DREAD Model

10-16
08:55

CISSP Domain1 Section 11 and 12

1.11 Apply supply chain risk management (SCRM) concepts
1.11.1 Risks associated with the acquisition of products and services from suppliers and providers
1.11.2 Risk mitigations
1.12 Establish and maintain a security awareness, education, and Training program
1.12.1 Methods & techniques to increase awareness and training
1.12.2 Periodic content reviews to include emerging technologies and trends
1.12.3 Program effectiveness evaluation

10-16
10:18

CISSP Domain2 Intro and Section 1

2.0 DOMAIN 2: ASSET SECURITY
2.1 Identify and classify information and assets
2.1.1 Data Classification
2.1.2 Asset Classification
2.1.3 Other key concepts of Asset Security

10-16
13:34

CISSP Domain2 Section 2

2.2 Establish information and asset handling requirements
2.2.1 Information and Asset Handling
2.2.2 Handling Requirements
2.2.3 Media Storage
2.2.4 Transportation
2.2.5 Transmission & Transfer
2.2.6 Media retention and destruction

10-16
10:13

CISSP Domain2 Section 3

2.3 Provision information and assets securely
2.3.1 Information and asset ownership
2.3.2 Asset inventory
2.3.2 Asset Management

10-16
09:49

CISSP Domain2 Section 4

2.4 Manage Data Lifecycle
2.4.1 Data Roles
2.4.2 Data Collection
2.4.3 Data Location
2.4.4 Data Maintenance
2.4.5 Data Retention
2.4.6 Data Remanence
2.4.7 Data Destruction

10-16
12:40

CISSP Domain2 Section 5 and 6

2.5 Ensure appropriate asset retention
2.6 Determine data security controls & compliance requirements
2.6.1 Data States
2.6.2 Scoping and Tailoring (NIST SP 800-53B)
2.6.3 Standards Selection
2.6.4 Data Protection methods

10-16
15:53

CISSP Domain3 Intro and Section 1

3.0 DOMAIN 3: SECURITY ARCHITECTURE AND ENGINEERING
3.1 Research, implement, and manage engineering processes using secure design principles
3.1.1 Threat Modeling
3.1.2 Least Privilege
3.1.3 Defense in depth
3.1.4 Secure Defaults
3.1.5 Fail Securely
3.1.6 Separation of Duties
3.1.7 Keep it simple and Small
3.1.8 Zero trust or trust but verify
3.1.9 Privacy by design (PbD)
3.1.10 Shared Responsibility
3.1.11 Secure Access Service Edge

10-16
17:36

CISSP Domain3 Section 2

3.2 Understand the fundamental concepts of security models
3.2.1 Security Models
3.2.2 Lattice-based models
3.2.3 Rule-based models
3.2.4 Other models & Concepts
3.2.5 Evaluation Criteria (ITSEC, TCSEC and CC)

10-16
15:20

CISSP Domain3 Section 3

3.3 Select controls based upon systems security requirements
Here we will go over the steps to take when deciding the security controls to deploy according to the needs of the system. Some of these needs were covered in Domain 1's discussion.

10-16
10:27

CISSP Domain3 Section 4

3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

10-16
21:10

CISSP Domain3 Section 5

3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
3.5.1 Client-based systems
3.5.2 Server-based systems
3.5.3 Database systems
3.5.4 Cryptographic Systems
3.5.5 Operational Technology / Industrial Control Systems (ICS)
3.5.6 Cloud-based Systems
3.5.7 Distributed Systems
3.5.8 Internet of Things (IoT)
3.5.9 Microservices
3.5.10 Containerization
3.5.11 Serverless Computing
3.5.12 Embedded systems
3.5.13 High-Performance Computing systems
3.5.14 Edge Computing Systems
3.5.15 Virtualized systems

10-16
22:37

CISSP Domain3 Section 6

3.6 Select and determine cryptographic solutions
3.6.1 Cryptographic life cycle
3.6.2 Cryptographic methods
3.6.3 Public key infrastructure
3.6.4 Key Management practices
3.6.5 Digital Signatures and Digital Certificates

10-16
16:04
