...CISSP: The Domains
Table of Contents
INTRODUCTION 4
DOMAIN 1: ACCESS CONTROL 5
WHAT’S NEW IN ACCESS CONTROL? 5
AN OVERVIEW 7
DOMAIN 2: SOFTWARE DEVELOPMENT SECURITY 9
WHAT’S NEW IN APPLICATIONS SECURITY (NOW SOFTWARE DEVELOPMENT SECURITY)? 9
AN OVERVIEW 10
DOMAIN 3: BUSINESS CONTINUITY & DISASTER RECOVERY 12
WHAT’S NEW? 12
AN OVERVIEW 13
DOMAIN 4: CRYPTOGRAPHY 17
WHAT’S NEW? 17
AN OVERVIEW 18
DOMAIN 5: INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT 21
WHAT’S NEW? 21
AN OVERVIEW 22
DOMAIN 6: LEGAL, REGULATIONS, INVESTIGATIONS, AND COMPLIANCE 24
WHAT’S NEW? 24
AN OVERVIEW 26
DOMAIN 7: SECURITY OPERATIONS 28
WHAT’S NEW? 28
AN OVERVIEW 29
DOMAIN 8: PHYSICAL & ENVIRONMENTAL SECURITY 32
WHAT’S NEW? 32
AN OVERVIEW 33
DOMAIN 9: SECURITY ARCHITECTURE & DESIGN 36
WHAT’S NEW? 36
AN OVERVIEW 38
DOMAIN 10: TELECOMMUNICATIONS & NETWORK SECURITY 40
WHAT’S NEW? 40
AN OVERVIEW 41
INFOSEC INSTITUTE’S CISSP BOOT CAMP 44
COURSE OVERVIEW 44
COURSE SCHEDULE 45
INTRODUCTION
(ISC)²’s CISSP Exam covers ten domains, which are: Access Control; Application Development Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security Governance and Risk Management; Legal Regulations, Investigations, and Compliance; Operations Security; Physical and Environmental Security; Security Architecture and Design; Telecommunications...
Words: 11687 - Pages: 47
...#1 SSDLC SSDLC is a version of the software development life cycle that focuses on security. It has been found that incorporating security within each phase from the beginning provides quicker time to recovery, fewer security flaws, quicker time to implementation, and a more secure architecture overall. An evaluation of your current processes will determine how to proceed in your security practices. This includes identifying how closely your company adheres to these best practices: Awareness & Training, Assessment & Audit, Development & Quality Assurance, Compliance, Vulnerability Response, Metrics & Accountability, and Operational Security. To determine how to implement the Secure Software Development Life Cycle, there are roughly (depending on scope) 6 phases: Requirements Gathering, Design, Coding, Testing, Deployment, and Maintenance & Retirement. Requirements include setting up security requirements, phase gates, and risk assessments. Design includes security considerations for design requirements, architecture & design reviews, and threat modeling. Coding includes performing static analysis and following coding best practices. Testing includes fuzzing and vulnerability assessments. Deployment includes server and network configuration reviews. And Maintenance & Retirement includes changes, enhancements, and sunsetting of software. #2 Best practices In order to meet the demands of a challenging development environment, there are a number of best practices that...
Words: 682 - Pages: 3
...(ISC)2® CONTINUING PROFESSIONAL EDUCATION (CPE) POLICIES & GUIDELINES 2013
(ISC)² CPE Policies & Guidelines (rev. 8, November 18, 2013) ©2013 International Information Systems Security Certification Consortium, Inc. Page 1 of 16
Table of Contents
Overview 3
CPE General Requirements 3
Required Number of CPE Credits 4
Concentrations 5
Multiple Credentials 5
Rollover CPE ...
Words: 6091 - Pages: 25
...Certification – Project Management Professional * This certificate recognizes an individual's ability to lead and direct projects. A PMP certification is a globally recognized credential. * 3. MCSE Certification – Private Cloud. * The MCSE Private Cloud certification proves your knowledge about building a private cloud solution with Windows Server 2008 and System Center 2012. * 4. VCP Certification – VMware Certified Professional * This certification validates your ability to install, configure and administer a Cloud environment using vCloud Director and related components. * 5. CISSP Certification – Certified Information Systems Security Professional * CISSP is a globally recognized certification that broadly tests, evaluates and validates an individual’s knowledge, skills and experience in the field of information security. PMP, MCSE, and CISSP are in demand now and into the future since they are the most popular and highly sought-after IT certifications offered. All these certifications are globally renowned and employers highly appreciate it if job candidates hold any of these certifications. The demand for IT certifications has increased in the last few years due to the overall demand for IT professionals, and the salaries are slowly increasing. Another reason is that the number of security threats affecting the global technological infrastructure continues to increase at a rapid pace, and the threats in...
Words: 448 - Pages: 2
...creation, regulatory compliance assistance and assessments. Currently our firm looks to operate in a more secure manner by addressing security-related issues of government and mid-sized organizations. We currently have our headquarters and only office in a different state from the RFP state. We are now up to 22 full-time employees. 8 employees that will be working on the new prospective products and services are certified professionals: 5 hold CISSP certifications, 4 hold a CISM certification, 4 hold GIAC and GSEC certifications and 6 hold other GIAC certifications. We have won four major contracts in the last four years for vulnerability assessments and penetration tests. We do not offer source code review to assess security and do not employ development security specialists. Positive Gaps: • Been in business for 5 consecutive years • Reported annual gross sales of more than one million dollars • Presented 4 references in the last four years similar to the requirements of this document. • Have four people who hold CISSP and CISM certifications. Negative Gaps: • Do not have a permanent office in the state. • Currently have a managed security service provider contract with an agency in the state. • Cannot provide previous reports for other clients of source code reviews to assess its security and do not employ developmental security...
Words: 290 - Pages: 2
...Executive Summary The need for auditors with technology skills has increased; this is why the IT auditing profession has become very important. Information Technology auditors analyze the information technology structure, operations, and software of an organization. They are in charge of identifying better ways in which the organization’s systems can meet their needs in a better and more reliable way. IT auditors can basically design new systems by configuring hardware and software programs, and they also test the systems to make sure they are working properly. Most IT auditors work in offices, obviously with computer systems. Some IT auditors work with the same company for years making sure the information systems and internal controls work properly. Some other IT auditors work for CPA firms that provide auditing services, and are required to travel to evaluate the information systems of clients. For the most part IT auditors work independently, but when they are assigned to larger and/or complicated projects, they use the collaboration of other peers. James Reinhard, CPA, CIA, CISA, manager of Simon Property Group Inc., who has more than 20 years’ experience in IT and integrated auditing, states that “The ideal IT auditor should be able to discuss IP routing with the network folks in one hour and financial statement disclosures with the controller in the next” (Scharf, 2008). To become the ideal IT auditor, IT audit certifications are the best option. IT audit...
Words: 5614 - Pages: 23
...INFORMATION SECURITY SPECIALIST Multicertified Expert in Enterprise Security Strategies Infosec specialist whose qualifications include a degree in computer science; CISSP, MCSE and Security+ designations; and detailed knowledge of security tools, technologies and best practices. Nine years of experience in the creation and deployment of solutions protecting networks, systems and information assets for diverse companies and organizations. TECHNOLOGY SUMMARY * Security Technologies: Retina Network Security Scanner; SSH; SSL; Digital Certificates; Anti-Virus Tools (Norton, Symantec, Ghost, etc.) * Systems: Unix-Based Systems (Solaris, Linux, BSD); Windows (all) * Networking: LANs, WANs, VPNs, Routers, Firewalls, TCP/IP * Software: MS Office (Word, Excel, Outlook, Access, PowerPoint) KEY SKILLS * Network & System Security * Risk Management * Vulnerability Assessments * Authentication & Access Control * System Monitoring * Regulatory Compliance * System Integration Planning * Multitier Network Architectures IT EXPERIENCE * XYZ Co., Sometown, FL, Information Security Consultant, 2009-Present * ABC Co., Sometown, TN, Senior Information Security Specialist, 2004-2008 * 123 Co., Sometown, FL, Information Security Specialist, 2002-2004 * R&R Ltd., Sometown, FL, Network Administrator, 2000-2002 Became an expert in information systems security for multiple clients and employers. Recent Project...
Words: 368 - Pages: 2
...4.1 Excerpt Executive Summary Framework COBIT 4.1 The IT Governance Institute® The IT Governance Institute (ITGITM) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research, electronic resources and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities. Disclaimer ITGI (the “Owner”) has designed and created this publication, titled COBIT® 4.1 (the “Work”), primarily as an educational resource for chief information officers (CIOs), senior management, IT management and control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, CIOs, senior management, IT management and control professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or IT environment. Disclosure © 1996-2007 IT Governance Institute. All rights reserved. No part of...
Words: 14485 - Pages: 58
...Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant www.nethemba.com www.nethemba.com Nethemba – All About Security Highly experienced certified IT security experts (CISSP, C|EH, SCSecA) Core business: All kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultrasecure systems OWASP activists: Leaders of Slovak/Czech OWASP chapters, coauthors of the most recognized OWASP Testing Guide v3.0, working on the new version We are the only ones in Slovakia/Czech Republic that offer: Penetration tests and security audits of SAP Security audits of smart RFID cards Unique own and sponsored security research in many areas (see our references – vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards) www.nethemba.com What are WAFs? Emerged from IDS/IPS focused on the HTTP protocol and HTTP-related attacks Usually contain a lot of complex regexp rules to match Support special features like cookie encryption, CSRF protection, etc. Except for the free mod_security they are quite expensive (and often there is no correlation between the price and their filtering capabilities) www.nethemba.com WAF implementations Usually they are deployed in “blacklisting mode” ...
Words: 527 - Pages: 3
...Week 2: Administrative Controls SE578 – Prof. Joseph Constantini By David Truong (D00571438) 1/18/2013 Table of Contents How do Administrative Controls demonstrate “due care?” 3 How does the absence of Administrative Controls impact corporate liability? 3 How do Administrative Controls influence the choice of Technical and Physical Controls 4 How would the absence of Administrative Controls affect projects in the IT department 4 Summary 5 Reference 6 How do Administrative Controls demonstrate "due care?" Administrative Controls are guidelines that are set up by management in order to meet the standard that shows how the company has taken precautions to prevent malicious intent as well as protection against malicious intent. The controls that are implemented must show a degree to which the process is common and assist in fortifying the company’s ability to prove its willingness to take action on correcting weaknesses within the company. This idea is also known as “due care.” They must include controls that contribute to individual accountability, ability to audit, and separation of duties. Administrative Controls can be identified with two specific categories: detective administrative controls and preventative administrative controls. Ultimately, the purpose of Administrative Controls is to show that the company has taken the necessary precautions, the “due care,” to protect the confidentiality, integrity and availability...
Words: 896 - Pages: 4
...for IT Security. The most common certificate they offer is the Certified Information Systems Security Professional (CISSP). The CISSP is a certification that is recognized worldwide and acknowledges that you are qualified to work in several fields of information security. To obtain the CISSP certification you must first meet the requirements. A minimum of 5 years of security work experience, accepting the code of ethics, a background check, and endorsed qualifications are just a few you might expect to have when deciding to take the exam for this certification. Professionals that hold this certification have higher salaries than those who don’t. This would be something to consider if you are starting a career in the cyber security field. Once your certificate is obtained it will be valid for three years. To renew you must either retake the test or provide 20 Continuing Professional Education (CPE) credits and pay a fee of $85.00 each year. A CPE credit can be earned by taking more classes, teaching, volunteering, and attending conferences. Each hour spent equals one CPE credit. The points earned are more if you publish books or prepare training for others. It consisted of 10 domains until April of 2015 when it was updated to 8 because of the increase in cyber threats and the changes in technology. Starting April first the CISSP exam will include 8 domains. They are Security and Risk Management, Asset Security, Security Engineering, Communications...
Words: 2654 - Pages: 11
...Professional CCCI - Certified Computer Crime Investigator CCE - Certified Computer Examiner CCFT - Certified Computer Forensic Technician CCSA/CCSE Check Point CEECS - Certified Electronic Evidence Collection Specialist CEH - Certified Ethical Hacker CEIC - Computer and Enterprise Investigations Conference CFCE - Certified Forensic Computer Examiner CFE - Certified Fraud Examiner CFIA - Certified Forensic Investigation Analyst CHFI - Certified Hacking Forensic Investigator CIFI - Certified International Information Systems Forensic Investigator CISA - Certified Information Systems Auditor CISM - Certified Information Security Manager CISSP - Certified Information Systems Security Professional CISSP-ISSAP - Information Systems Security Architecture Professional CISSP-ISSEP - Information Systems Security Engineering Professional CISSP-ISSMP - Information Systems Security Management Professional CIW - Certified Internet Webmaster CNA - Certified Novell 5 Administrator CNE - Certified Netware Engineer CNSS 4013 Recognition CPE - Certified PGP Engineer - PGP Corporation CSA - Certified Security Analyst CSE - Certified Steganography Examiner CSFA - CyberSecurity Forensic Analyst CSICI - CyberSecurity Institute Certified Instructor CSIH - Certified Computer Security Incident Handler CSTA - Certified Security Testing Associate CSTP - Certified Security Testing Professional CTMA - Certified Telecom Management Administrator CTME - Certified Telecom Management Executive ...
Words: 1957 - Pages: 8
...Administrative Controls Administrative controls are basically directives from senior management that provide the essential framework for the organization's security infrastructure. Administrative controls consist of the procedures that are implemented to define the roles, responsibilities, policies and various administrative functions that are required to manage the control environment as well as necessary to oversee and manage the confidentiality, integrity and availability of the organization's information assets. Administrative controls can range from very specific to very broad and can vary depending on the organizational needs, particular industry, and legal implications. Administrative controls can generally be broken down into six major categories, which include operational policies and procedures, personnel security, evaluation and clearances, security policies, monitoring, user management, and privilege management. Ultimately, the senior management within an organization must decide what role security will play within the organization and define the security goals and directives. Due care by definition is the care that an ordinary and reasonable person would take over their own property or information. An example of this would be for a person to place documents that contain sensitive information such as social security cards, passports, etc. in a locked safe within their home. This measure is taken to ensure that only those individuals with authorized...
Words: 1204 - Pages: 5
...MMM Security System: Review of Firm’s Qualifications MMM Security has been in business since 2002, providing our customers with the best customer service that is possible. Our annual gross sales have averaged around 1.6 million U.S. dollars for the last five years. Currently we have several projects ongoing with current customers that include managed security services, regulate commerce land management and penetration testing. We currently have five employees that have their CISSP certifications and four that have their CISM. If we are awarded the contract we will need to find a location in your state, since we have no customers in your state. We have begun the process of locating a building in your state. Our plan is to have a lease ready to be signed and modification of the office space plans with a contractor ready to begin work if we are awarded the contract; this should minimize our time for full occupancy of our office in your state. However, a temporary location has been found for immediate use in case our services are required before our permanent location is complete. Our firm has great experience in risk assessment, for example finding server rooms unlocked or servers just sitting in a corner; another example is finding passwords hidden under keyboards or other places on a desk, and computers that have not had updates done in a very long time. Disaster recovery planning is another service we provide; our last project was a fully functioning...
Words: 352 - Pages: 2
...The Cost of Business Continuity Planning Versus the Potential of Risk Though the cost of mitigating risk can be high, the lack of proper business continuity planning and disaster recovery planning will leave a company at risk of a catastrophic loss of revenue due to the loss of its Information Systems. Any company that relies on its Information Systems for its operations should invest the time and revenue in developing an efficient and effective Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). This study will compare the differences in what a Business Continuity Plan is used for and what a Disaster Recovery Plan is used for. Additionally, it will evaluate the risk of having a Business Continuity Plan and Disaster Recovery Plan versus accepting the potential loss of revenue and business in the event of a disaster. It is important to any company that uses its Information Systems to generate revenue. If a company is affected by a disaster, the longer a company takes to respond to the emergency and recover its resources, the more time it will take the company to get back to normal operations (Harris, 2013, p. 887). As history has shown, our world has and will continue to experience many destructive events such as floods, earthquakes, terrorism, hurricanes, and many other catastrophic events that could cripple a company that is not prepared. Disasters are uncontrollable and over time, every organization will have to deal with the fallout of a disaster. Three...
Words: 2924 - Pages: 12