Title: CISSP
1CISSP
- Certified Information Systems Security
Professional
???? ????? ???? ????? ????? 86
2CISSP
- ????? ? ???? ??? ?????? CISSP ???? Certified
Information Systems Security Professional ?????
?? ???? (ISC) ² - The International Information Systems Security
Certification Consortium, Inc - ?? ????. ??? ???? ?? ??? 1989 ?? ????? ??
???????? ??? ??????? ?? ??????? ???? ? ?? ???
???? ????? ??? ?????? ?? ????? ????? ??????? ??
?? ??? ? ?????? ???? ?? ??? ????.
3- ??? ????? ( (ISC) ² ) ?????" ?? ??? ???? ?
??????? ?? ?????? ????? ????? ??? ?? ??? ?????
????? - U.S. (NSA) National Security Agency
- ????? ??? ??? ???? ?? ???? ?????????
- ISO/IEC Standard 170242003,
- ??? ????? . ?? ???? ?? ??? ?????
- U.S. Department of Defense (DoD)
- ??? ????? ??? ??? .
- ISO/IEC 170242003 specifies requirements for a
body certifying persons against specific
requirements, including the development and
maintenance of a certification scheme for
personnel - The United States Department of Defense (DOD or
DoD) is the federal department charged with
coordinating and supervising all agencies and
functions of the government relating directly to
national security and the military. The
organization and functions of the DOD are set
forth in Title 10 of the United States Code
4- ?????? ??????? ?? ??? ???? ?? ?????? ? ??????? ?
????? ?? ?????? ??????? ????? ??????? ? ????
??? ???? - ???????? ??? ????? ????? ?? ????? ?? ?????.
- ???????? ?? ?? ???? ????? ?? ??? ????? ?????? ??
?? ????? ????? ?????? ???? ???????? - ??? ?? ???? ?? ????? ??? ????? ???? ? ???? ?????
???? ????? ????? - ?? ????? ????? ???? ? ????? ?? ?? 4 ??? ??? ?????
? ??? ????? ?? ?? ??? ?? ???? ? ????? ??? ?? ??
????? ??????.
5- ????? ????? ??? ????? ?? ???? ??? ???
- Certified Information Systems Security
Professional (CISSP)CISSP - Information Systems Security Architecture
Professional (ISSAP ) - Information Systems Security Management
Professional (ISSMP ) - Information Systems Security Engineering
Professional (ISSEP ) - Certification and Accreditation Professional (CAP
CM) - Systems Security Certified Practitioner (SSCP )
6Certified Information Systems Security
Professional (CISSP)
7Domains of CISSP
(1) Access control Systems Methodology
(3) Security Management Practices
(6) Security Architecture Model
(9) Laws, Investigations and Ethics
(4) Applications System development Security
(2) Telecommunications Network Security
(5) Cryptography
(7) Operations Security
(10) Physical Security
(8) Business continuity planning DRP
8Access Control Systems
Domain 1
9Access Control Systems Methodology
- ??? ????? ?? ??? ?? ???? ????? ? ????? ? ??????
??? ?????? ?? ?????? . ?? ??? ??? ???? ????????
????? - ?? ?????? ??????? ?????? ??? ?
- ?? ??????? ????? ???? ?
- ?????? ????? ????? ??? ?
- ?? ????? ?????? ?? ????? ??? ?
- ????? ?????? ??? ?????? ? ??????? ???? ?
10Access Control Systems Methodology
??? ????? ???? ????? ??? ????? ???
Accountability Access control technique Access
control Administration Access control
model Identification Authentication
Techniques Access control methodologies
Implementation File Data ownership
custodianship Methods of Attack Monitoring Penetra
tion Testing
11Telecommunications Network Security
Domain 2
12Telecommunications Network Security
- ISO/OSI Layers and characteristics
- Communication Network Security
- Internet/Intranet/Extranet
- Firewalls, Routers, Switches, Gateways, Proxies
- Protocols, Services, Security techniques
- E-mail Security
- Facsimile Security
- Secure Voice Communications
- Security boundaries and how to translate security
policy to control - Network Attacks countermeasures
13Telecommunications Network Security
- Communications network security as it relates
to voice communications - Data communications in terms of local area, wide
area, and remote access - Intranet/Internet/Extranet in terms of Firewalls,
Routers, TCP/IP - Communications security management techniques
in terms of preventive, detective and corrective
measures.
14Telecommunications Network Security
OSI 7 Layer
LAN
System
System
Router FW
WAN
Attack?
PSTN
Internet
E-mail
System
Voice FAX
- Security technique?
- VPN
- NAT
- Monitoring
15Security Management Practices
Domain 3
16????? ?????
- ?????? ????? ???? ??????? ???? ??? ????????
?????? ? ????? ? ????????? ? ????? ???? ????? ??
? ??????????? ? ???? ?? ? ?????????? ??? ?? ??
???? ?? ?????? ????? - - Confidentality
- - Integrity
- - Availability
17- ?? ??????? ?? ???????? ????? ???? ???? ???????
??????? ? ???? ???? ???? ??? ??????? ? ??? ????
????? ???? ? ????? ??? ???? ?????? ?? ?? ????
????? ???? ???? . - ?????? ???? ???? ??????? ? ???? ???? ? ????? ? ??
????? ?????? ???????? ??? ?? ?? ????? ??
????????? ??????? ? ???? ?? ?? ????.
18- ?????? ???? ???? ??????? ??? ????? ? ????? ????
??? ?????? ? ??????? Safeguard ??? ????? ????? ??
? ?????? ??????? ????? ???? Safeguard ?? ? ???? ?
??????? ?????? ?? ????. - ?????? ?? ??? ?? ???? ????? ?? ?????? ? ??? ???
????? ?? ?? ? ????? ??? ?????? ? ??????? ??
Guideline ?? ? ??????????? ???? ????? ?? ?????
?? ?????? ????? ???? ? ??????? ???? ???? ????????
?? ???? ??? ??? ????? ??????? ? ??????? ??? ?????
?? ????? ????? ?? ?? ???? ???? ?? ?????? ??? ??
????? ????.
19Application System Development Security
Management
Domain 4
20????? ?????
- Applications and systems development security
- ????????? ?? ?? ?????? ??? ??????? ???? ?????
????? ????? ??????. - ????????? ?? ?? ?????? ????? ?????? ??? ???????
???? ????? ????? ????? ???????. - ????? ?? Application
- Agent, Applets, Software, Database, Knowledge
base, Data warehouses - Application ?? ????? ????? ??? ?? ?????? ????.
21????? ???? ?? ?????
- Application Issues
- Databases and Data Warehousing
- Data/Information Storage
- Knowledge-Based Systems
22????? ???? ?? ?????
- System Development Life Cycle
- Security Control Architecture
- Modes of Operation
- Integration Levels
- Service Level Agreement
23????? ???? ?? ?????
- Method of attack
- Malicous Code
24Application Systems Development Security
3.CBK ??
Application Security
request
DB DW
Client Application
Server Application
response
DB Security
Application Development Process Security
Attack
25 Cryptography
Domain 5
??? ?????
263.6 Cryptography
3.CBK ??
Cryptology the science of secret
codes. Cryptography deals with systems for
transforming data into codes.-Cryptographer.
Cryptanalysis deals with techniques for
illegitimately recovering the critical data from
cryptograms. Cryptanalyst.
Private Key algorithm Public Key algorithm
Sender
Receiver
Receivers Public key
Receivers private key
Secrete Key
Secrete Key
Clear text
Ciphertext
Clear text
Encipher
Decipher
PKI Application-SSL, IPSEC, HTTPS
Attack
27DescriptionÂ
- The Cryptography domain addresses the
- principles,
- means,
- and methods
- of securing information to ensure its
- integrity,
- confidentiality,
- and authenticity.
28Security Architectures and Models Domain
Domain 6
??? ?? ? ?????? ?????
29??? ?? ? ?????? ?????
?????? ? ??? ??? ????? ?? ????? ???? ? ?????? ?
?????? ? ???????????? ???? ???? ????? ? ?????
???? ? ??????? ? ??? ???? ????? ??? ???? ?
??????? ???? ? ???????? ? ?????? ????? ???? ??
???? ????? ???? ????? ???????? ? ?????? ? ?????
????? ?????????.
30??? ?? ? ?????? ?????
- ???? ?????? ?????? ? ?????? ???? ?? ? ??????????
- ????? ???? ??? ??? OSI
- ????? ??? ????
- ???? ?????? ??
- ???? ??? ??? ?????
- ???? ???????? ??????? ????? ????? ??
31??? ?? ? ?????? ?????
- ??????? ????? ?? ????? ?? ????? ? ?????? ?????
- ???? ????? ??? ????? ??? ???????/ ???? ??
- ??? ??? ?????? ???? ?? ??? ??????
- ??? ??? ?????? ??????
- ??? ??? ?????? ?? ?????? ???? ?? / ??? ???????
- ?????? ?????? ???? ?????? ????? ? ??? ?? ??
- ?????? PC ?? ? ??? ?? ??
- ???????? ?????? ?????
32Operations Security
Domain 7
????? ??????
33????? ???????
- ????? ?????? ?? ????? ????? ????? ??? ??? ??????
????? ??? ? ??????????? ?? ?? ??? ????? ??????
????? ??????? ?? ???. - ?? ?????? ???? ?????? ???? ? ?? ???? ?????? ????
???? ???? ??? ?? ????? ??????? ????? ??? - ??????? ??? ?????? ?? ????? ????? ? ?????? ???
???? - ????? ?????? ??? ??????? ?? ????? ??? IT/IS
- ????? ?? ? practice??? ?????
34????? ??
- ????? ??????? ??? ????? ??????
- ????? ?????? ???????
- ????? ?????? ????? ???????
- ????? ??? ????? ???????
- ????? ??????? ??????
- ????? ????? ??????
- ????? ? ??? ???? ??? ???? ???? ??????? ??? ??
????? - ????? ?????? ?????
- ????? ? ??? ??? ????? ????? ?????
- ????? ?? ???? ??? ????? ??????
35Business Continuity Planning
Domain 8
36- Recovery Strategy
- Business Continuity Planning
- Disaster Recovery Planning
- Recovery Planning
- The Xi Recovery team
37- Recovery Strategy
- Business Unit Priorities
- Alternatives
- Cold/Warm/Hot Mobile Sites
- Electronic Vaulting
- Processing Agreements
- Reciprocal/Mutual
- Recovery Plan Development
- Personnel Notification
- Emergency Response
- Backups and Off-site Storage
- Communications
- Utilities
- logistics and Supplies
- Fire and Water Protection
- Documentation
- implementation
- Testing/Maintenance
38- Disaster Recovery Planning
- Recovery Plan Development
- Emergency Response
- Personnel Notification
- Backups and Off-site Storage
- Communications
- Utilities
- Logistics and Supplies
- Fire and Water Protection
- Documentation
- Implementation
- Recovery Techniques
- Training/Testing/Maintenance
- Restoration
- Cleaning
- Procurement
- Data Recovery
- Relocation to Primary Site
39Law, Investigation and Ethics
Domain 9
40Law, Investigations Ethics
3.CBK ??
- The Law, Investigations, and Ethics domain
address computer crime laws regulations the
investigative measures and techniques which can
be used to determine if a crime has been
committed, methods to gather evidence if it has,
as well as the ethical issues and code of conduct
for the security professional. - Laws
- Major categories and types of laws
- Investigations
- Major categories of computer crimes
- Incident handling
- Ethics
?? CISSP Study Guide , ISC2
41Physical security
Domain 10
423.11 Physical security
3.CBK ??
- The Physical security domain addresses the
threats, vulnerabilities, and countermeasures
that can be utilized to physically protect an
enterprises resources and sensitive information.
These resources include people, the facility in
which they work, and the data, equipment, support
system, media, and supplies they utilize. - Facility Requirements
- Technical Controls
- Environment/Life Safety
- Physical security threats
- Elements of physical security
?? CISSP Study Guide , ISC2
433.11 Physical security
3.CBK ??
Environmental/Life safety -Power -water
leakage -fire detection -natural disaster
Facility -restricted area -visitor
control -Fence.. -Security guard -CCTV -Alarm,
detector
Resource
Technical controls -smart/dumb card -audit
trail -intrusion detection -biometric control
Physical security Threat -fire,
smoke -water -explosion -storm
?? CISSP Study Guide , ISC2