Fundamentals of Information Systems Security

This book aims to give a quick but in-depth review of the topics required to pass the Certified Information Systems Security Professional (CISSP)[1] exam.

Physical and Environmental Security

Physical (Environmental) Security Challenges

Site Location

  • Site Fabric and Infrastructure

The Layered Defense Model

Physical Considerations

Working with Others to Achieve Physical and Procedural Security

Physical and Procedural Security Methods, Tools, and Techniques

Procedural Controls

Infrastructure Support Systems

Fire Prevention, Detection, and Suppression

Boundary Protection

Building Entry Points

Keys and Locking Systems

Walls, Doors, and Windows

Access Controls

Closed-Circuit Television (CCTV)

Intrusion Detection Systems

Portable Device Security

Asset and Risk Registers

Information Protection and Management Services

  • Managed Services
  • Audits, Drills, Exercises, and Testing
  • Vulnerability and Penetration Tests
  • Environmental Crisis
  • Maintenance and Service Issues
  • Education, Training, and Awareness
  • Cloud Security

Information Security and Risk Management

  • Security Program
  • Security Controls
  • The Elements of Security

Core Information Security Principles

  • Confidentiality
  • Integrity
  • Availability

Information Security Management Governance

  • Security Governance
  • Security Policies, Procedures, Standards, Guidelines, and Baselines
  • Organizational Security Models

Organizational Behavior

  • Organizational Structure Evolution
  • Best Practices
  • Security Roles and Responsibilities
  • Reporting Model
  • Enterprise-wide Security Oversight

Security Awareness, Training, and Education

  • Conducting a Formal Security Awareness Training
  • Awareness Activities and Methods

Information Risk Management

  • Risk Management Concepts
  • Risk Handling Strategies
  • Risk Assessment/Analysis

Information Classification

  • Introduction
  • Classification Types
  • Guidelines for Information Classification
  • Criteria for Information Classification
  • Data Classification Procedures
  • Classification Controls

  • Basic Concepts
  • Professional Code of Ethics
  • Example Topics in Computer Ethics
  • Common Computer Ethics Fallacies
  • Hacking and Hacktivism

Access Control Systems

  • Access Control Challenges
  • Access Control Principles
  • Access Control Criteria
  • Access Control Practices

Security Principles

Identification, Authentication, and Authorization

  • Identification and Authentication
  • Identity Management

Access Control Categories

  • Administrative
  • Physical
  • Technical

Access Control Types

Access Control Threats

  • Denial of Service (DoS/DDoS)
  • Buffer Overflows
  • Malicious Software
  • Password Crackers
  • Spoofing/Masquerading
  • Emanations
  • Shoulder Surfing
  • Object Reuse
  • Data Remanence
  • Backdoor/Trapdoor
  • Dictionary Attacks
  • Brute-Force Attacks
  • Social Engineering

Access Control Technologies

  • Single Sign-On
  • Kerberos
  • Security Domain
  • Thin Clients

Access Control Models

  • Discretionary Access Control
  • Mandatory Access Control
  • Non-Discretionary or Role-Based Access Control

Access Control Techniques

  • Rule-Based Access Control
  • Constrained User Interface
  • Access Control Matrix
  • Content-Dependent Access Control
  • Context-Dependent Access Control

Access Control Administration

  • Centralized Access Control
  • Decentralized Access Control

Access Control Monitoring (IDS/IPS)

  • Intrusion Detection Systems
  • Intrusion Prevention System

Access Control Assurance

  • Basic Concepts

Cryptography

Security Architecture and Design

Computer System Architecture

  • Central Processing Unit (CPU)
  • Storage
  • Operating Systems
  • Firmware
  • Virtual Machines
  • Hybrid/Cloud Computing Architecture

Systems Security Architecture

  • Security Design Principles
  • Trusted Computing Base

Security Models

  • Lattice Models
  • State Machine Models
  • Noninterference Models
  • Bell-LaPadula Confidentiality Model
  • Biba Integrity Model
  • Clark-Wilson Integrity Model
  • Access Control Matrix
  • Information Flow Models
  • Graham-Denning Model
  • Harrison-Ruzzo-Ullman Model
  • Brewer-Nash (Chinese Wall)

Security Product Evaluation Methods and Criteria

  • Rainbow Series
  • Information Technology Security Evaluation Criteria (ITSEC)
  • Common Criteria
  • Certification and Accreditation

Business Continuity and Disaster Recovery Planning

Core Information Security Principles: Availability, Integrity, Confidentiality (AIC)

Why Continuity Planning?

Reality of Terrorist Attack

Natural Disasters

Internal and External Audit Oversight

Legislative and Regulatory Requirements

Industry and Professional Standards

NFPA 1600

ISO 17799

Defense Security Service (DSS)

National Institute of Standards and Technology (NIST)

Good Business Practice or the Standard of Due Care

Enterprise Continuity Planning and Its Relationship to Business Continuity and Disaster Recovery Planning

Revenue Loss

Extra Expense

Compromised Customer Service

Embarrassment or Loss of Confidence Impact

Hidden Benefits of Continuity Planning

Organization of the BCP/DRP Domain Chapter

Project Initiation Phase

Current State Assessment Phase

Design and Development Phase

Implementation Phase

Management Phase

Project Initiation Phase Description

Project Scope Development and Planning

Executive Management Support

BCP Project Scope and Authorization

Executive Management Leadership and Awareness

Continuity Planning Project Team Organization and Management

Disaster or Disruption Avoidance and Mitigation

Project Initiation Phase Activities and Tasks Work Plan

Current State Assessment Phase Description

Understanding Enterprise Strategy, Goals, and Objectives

Enterprise Business Processes Analysis

People and Organizations

Time Dependencies

Motivation, Risks, and Control Objectives

Technical Issues and Constraints

Continuity Planning Process Support Assessment

Threat Assessment

Risk Management

Business Impact Assessment (BIA)

Benchmarking and Peer Review

Sample Current State Assessment Phase Activities and Tasks Work Plan

Development Phase Description

Recovery Strategy Development

Work Plan Development

Develop and Design Recovery Strategies

Data and Software Backup Approaches

DRP Recovery Strategies for IT

BCP Recovery Strategies for Enterprise Business Processes

Developing Continuity Plan Documents and Infrastructure Strategies

Developing Testing/Maintenance/Training Strategies

Plan Development Phase Description

Building Continuity Plans

Contrasting Crisis Management and Continuity Planning Approaches

Building Crisis Management Plans

Testing/Maintenance/Training Development Phase Description

Developing Continuity and Crisis Management Process Training and Awareness Strategies

Sample Phase Activities and Tasks Work Plan

Implementation Phase Description

Analyze CPPT Implementation Work Plans

Program Short- and Long-Term Testing

Continuity Plan Testing (Exercise) Procedure Deployment

Program Training, Awareness, and Education

Emergency Operations Center (EOC)

Management Phase Description

Program Oversight

Continuity Planning Manager Roles and Responsibilities

Sample Questions

Appendix A: Addressing Legislative Compliance within Business Continuity Plans

Patriot Act

Other Issues

OCC Banking Circular 177

Telecommunications and Network Security

Basic Concepts

Network Models

OSI Reference Model

TCP/IP Model

Network Security Architecture

The Role of the Network in IT Security

Network Security Objectives and Attack Modes

Methodology of an Attack

Network Security Tools

Layer 1: Physical Layer

Concepts and Architecture

Communication Technology

Network Topology

Technology and Implementation

Twisted Pair

Coaxial Cable

Fiber Optics

Patch Panels

Wireless Transmission Technologies

Layer 2: Data-Link Layer

Concepts and Architecture

Transmission Technologies

Technology and Implementation

Wireless Local Area Networks

Address Resolution Protocol (ARP)

Point-to-Point Protocol (PPP)

Layer 3: Network Layer

Concepts and Architecture

Local Area Network (LAN)

Wide Area Network (WAN) Technologies

Metropolitan Area Network (MAN)

Global Area Network (GAN)

Technology and Implementation

End Systems

Internet Protocol (IP)

Virtual Private Network (VPN)

Dynamic Host Configuration Protocol (DHCP)

Internet Control Message Protocol (ICMP)

Internet Group Management Protocol (IGMP)

Layer 4: Transport Layer

Concepts and Architecture

Transmission Control Protocol (TCP)

User Datagram Protocol (UDP)

Technology and Implementation

Scanning Techniques

Denial of Service

Layer 5: Session Layer

Concepts and Architecture

Technology and Implementation

Remote Procedure Calls

Directory Services

Access Services

Layer 6: Presentation Layer

Concepts and Architecture

Technology and Implementation

Transport Layer Security (TLS)

Layer 7: Application Layer

Concepts and Architecture

Technology and Implementation

Asynchronous Messaging (E-mail and News)

Instant Messaging

Data Exchange (World Wide Web)

Peer-to-Peer Applications and Protocols

Administrative Services

Remote-Access Services

Information Services

Voice-over-IP (VoIP)

General References

Sample Questions

Application Security

Domain Description and Introduction

Current Threats and Levels

Application Development Security Outline

Expectation of the CISSP in This Domain

Applications Development and Programming Concepts and Protection

Current Software Environment

Open Source

Full Disclosure

Process and Elements

The Programming Procedure

The Software Environment

Threats in the Software Environment

Buffer Overflow

Citizen Programmers

Covert Channel

Malicious Software (Malware)

Malformed Input Attacks

Memory Reuse (Object Reuse)

Executable Content/Mobile Code

Social Engineering

Time of Check/Time of Use (TOC/TOU)

Application Development Security Protections and Controls

System Life Cycle and Systems Development

Systems Development Life Cycle (SDLC)

Software Development Methods

Java Security

Object-Oriented Technology and Programming

Object-Oriented Security

Distributed Object-Oriented Systems

Software Protection Mechanisms

Security Kernels

Processor Privilege States

Security Controls for Buffer Overflows

Controls for Incomplete Parameter Check and Enforcement

Memory Protection

Covert Channel Controls

Password Protection Techniques

Inadequate Granularity of Controls

Control and Separation of Environments

Time of Check/Time of Use (TOC/TOU)

Social Engineering

Backup Controls

Software Forensics

Mobile Code Controls

Programming Language Support

Audit and Assurance Mechanisms

Information Integrity

Information Accuracy

Information Auditing

Certification and Accreditation

Information Protection Management

Change Management

Configuration Management

Malicious Software (Malware)

Malware Types

Remote-Access Trojans (RATs)

DDoS Zombies

Logic Bombs

Spyware and Adware

Malware Protection

Activity Monitors

Change Detection

Antimalware Policies

Malware Assurance

The Database and Data Warehousing Environment

DBMS Architecture

Hierarchical Database Management Model

Network Database Management Model

Relational Database Management Model

Object-Oriented Database Model

Database Interface Languages

Open Database Connectivity (ODBC)

Java Database Connectivity (JDBC)

eXtensible Markup Language (XML)

Object Linking and Embedding Database (OLE DB)

Accessing Databases through the Internet

Data Warehousing

Online Analytical Processing (OLAP)

Data Mining

Database Vulnerabilities and Threats

DBMS Controls

Lock Controls

Other DBMS Access Controls

View-Based Access Controls

Grant and Revoke Access Controls

Security for Object-Oriented (OO) Databases

Metadata Controls

Data Contamination Controls

Online Transaction Processing (OLTP)

Knowledge Management

Web Application Environment

Web Application Threats and Protection

Sample Questions

Operations Security

Privileged Entity Controls

Ordinary Users

System Administrators

Security Administrators

File Sensitivity Labels

System Security Characteristics

Account Characteristics

Security Profiles

Audit Data Analysis and Management

System Accounts

Account Management

Resource Protection

Threats to Operations

Interruption and Nonavailability

Corruption and Modification

Hackers and Crackers

Malicious Code

Control Types

Preventative Controls

Detective Controls

Corrective Controls

Directive Controls

Recovery Controls

Deterrent Controls

Compensating Controls

Control Methods

Separation of Responsibilities

Least Privilege

Job Rotation

Need to Know

Security Audits and Reviews

Input/Output Controls

Antivirus Management

Media Types and Protection Methods

Object Reuse

Sensitive Media Handling

Misuse Prevention

Record Retention

Continuity of Operations

Fault Tolerance

Data Protection

Problem Management

System Component Failure

Power Failure

Telecommunications Failure

Physical Break-In

Production Delay

Input/Output Errors

System Recovery

Intrusion Detection System

Vulnerability Scanning

Business Continuity Planning

Change Control Management

Configuration Management

Production Software

Software Access Control

Change Control Process

Impact Assessment

Build and Test

Library Maintenance

Patch Management

Sample Questions

Legal, Regulations, Compliance, and Investigations

Major Legal Systems

Common Law

Criminal Law

Tort Law

Administrative Law

Civil Law

Customary Law

Religious Law

Mixed Law

Information Technology Laws and Regulations

Intellectual Property Laws

Trade Secret

Licensing Issues

Computer Crime

International Cooperation

Incident Response

Response Capability

Incident Response and Handling

Investigative Phase

Analysis and Tracking

Recovery Phase

Recovery and Repair

Computer Forensics

Crime Scene

Digital/Electronic Evidence

General Guidelines

Sample Questions