ISC2 CISSP
Information Security and Risk Management
Overview/Description
To identify the security requirements associated with identifying and protecting
organizational information assets, perform the analysis techniques used in risk
management, and recognize the responsibilities associated with different roles
in an organization
Target Audience
Mid-level and senior-level managers who are working toward or have already
attained positions as CISOs, CSOs or Senior Security Engineers
Prerequisites
A minimum of four years of professional experience in the information security
field or three years plus a college degree
Expected Duration
3 to 6 Hours
Objectives: Information Security and Risk Management
- Recognize the goals of security management and change control.
- Identify the change control mechanisms used to secure the operational environment.
- Recognize the objectives and criteria associated with data classification, and distinguish between information classification roles.
- Distinguish between policies, standards, baselines, and guidelines.
- Recognize best practices and procedures for dealing with different aspects of employee relations.
- Determine the appropriate security procedures for hiring a new employee in a given scenario.
- Identify the principles of risk management, distinguish between planning types, and recognize what's involved in the analysis of different threats and vulnerabilities.
- Calculate the potential loss expectancy and the cost of countermeasures used for risk reduction in a given scenario.
- Calculate the loss expectancy associated with an information asset, perform a cost-benefit analysis, and determine how to handle the risk depending on the outcome of the countermeasure.
- Identify the security-related responsibilities associated with different roles within an organization.
Security Architecture and Design
Overview/Description
To understand the principles of common computer architectures, distinguish
between machine types and memory storage types, and recognize the logistics of
common security models
Target Audience
Mid-level and senior-level managers who are working toward or have already
attained positions as CISOs, CSOs or Senior Security Engineers
Prerequisites
A minimum of four years of professional experience in the information security
field or three years plus a college degree
Expected Duration
2.25 to 4.5 Hours
Objectives: Security Architecture and Design
- Recognize the components of the basic information system architecture and their functionality, and differentiate between hardware, software, and firmware.
- Differentiate between machine types and recognize the functions of network protocols and the resource manager.
- Distinguish between types of storage device and how they are used.
- Determine which system resources can be found at the different rings and how the rings control subject access to objects.
- Differentiate between key security concepts, recognize the role of the TCB, reference monitor, and security kernel in protecting the operating system, and recognize the two basic access control types.
- Differentiate between the various criteria and standards used to evaluate security in a networking environment.
- Specify the security level that should be assigned to various objects and determine how to implement the standards.
- Recognize the logistics of various security models used to enforce rules and protection mechanisms.
Access Control
Overview/Description
To introduce access control concepts and methodologies and explain how they're
implemented and administered in a centralized or decentralized environment
Target Audience
Mid-level and senior-level managers who are working toward or have already
attained positions as CISOs, CSOs or Senior Security Engineers
Prerequisites
A minimum of four years of professional experience in the information security
field or three years plus a college degree
Expected Duration
2.50 to 5 Hours
Objectives: Access Control
- Identify the types of access control technologies used in a networking environment.
- Identify knowledge-based and characteristics-based authentication technologies.
- Recognize how single sign-on systems (SSOs), one-time passwords (OTPs), and smart cards are used for authentication.
- Determine the appropriate type of authentication to implement in a given enterprise scenario.
- Recognize ways of securing passwords and identify different types of attack against passwords and password files.
- Select the appropriate access control model for a scenario.
- Determine the most appropriate access control model to implement in a given scenario.
- Recognize how different types of access control technique control access to resources, and distinguish between centralized and decentralized access control administration mechanisms.
- Identify intrusion detection system (IDS) mechanisms and implementation methods, and recognize various intrusion detection and prevention techniques.
Application Security
Overview/Description
To understand different threats to the enterprise environment and recognize
different ways of increasing the security of application development
Target Audience
Mid-level and senior-level managers who are working toward or have already
attained positions as CISOs, CSOs or Senior Security Engineers
Prerequisites
A minimum of four years of professional experience in the information security
field or three years plus a college degree
Expected Duration
2 to 4 Hours
Objectives: Application Security
- Distinguish between open and closed source code and recognize the functionality of different program types.
- Distinguish between the types of attacks used in the enterprise environment and identify the appropriate methods to counteract them.
- Recognize the different types of malicious code that can affect a system or network and identify the methods that can be used to mitigate them.
- Identify the type of attack being perpetrated in a given scenario and determine the appropriate steps to counteract it.
- Recognize the characteristics of various knowledge-based systems and identify the activities involved in the different phases of the information systems development life cycle.
- Distinguish between various database models and technologies, and define basic concepts associated with databases and data warehousing.
- Select the appropriate database model for a given set of criteria.
Operations Security
Overview/Description
To understand the different mechanisms used to identify different types of
attack and their effects, and protect system resources, e-mail and Internet
communication to ensure operations security
Target Audience
Mid-level and senior-level managers who are working toward or have already
attained positions as CISOs, CSOs or Senior Security Engineers
Prerequisites
A minimum of four years of professional experience in the information security
field or three years plus a college degree
Expected Duration
2.25 to 4.5 Hours
Objectives: Operations Security
- Recognize the activities involved in securing the operations of an enterprise and identify the technologies used to maintain network and resource availability.
- Identify the effects of various hardware and software violations on the system, and recognize how different types of operational and life-cycle assurance are used to secure operations.
- Determine the effects of different attacks on the network and identify the consequences of those effects.
- Recognize how different auditing and monitoring techniques are used to identify and protect against system and network attacks.
- Recognize the need for resource protection, distinguish between e-mail protocols, and identify different types of e-mail vulnerability.
- Identify basic mechanisms and security issues associated with the Web, and recognize different technologies for transferring and sharing files over the Internet.
- Recognize key reconnaissance attack methods and identify different types of administrative management and media storage control.
- Identify the appropriate security measures and controls for creating a more secure workspace in given scenarios.
Cryptography
Overview/Description
To recognize how different cryptographic technologies are used to provide
confidentiality, integrity, and authentication for data being transferred across
untrusted networks
Target Audience
Mid-level and senior-level managers who are working toward or have already
attained positions as CISOs, CSOs or Senior Security Engineers
Prerequisites
A minimum of four years of professional experience in the information security
field or three years plus a college degree
Expected Duration
2 to 4 Hours
Objectives: Cryptography
- Define key cryptographic terms and distinguish between types of symmetric key algorithms.
- Distinguish between types of asymmetric algorithms.
- Determine the appropriate cryptography implementation for a given scenario.
- Distinguish between types of cipher and identify different categories of cryptanalytic attack.
- Distinguish between the various algorithms used for message authentication.
- Determine the appropriate hashing algorithm to use in a given scenario.
- Recognize how certificate authorities (CAs), digital signatures, and the Public Key Infrastructure (PKI) are used to provide confidentiality, integrity, and authentication.
Physical (Environmental) Security
Overview/Description
To understand the considerations and mechanisms involved in implementing the
physical security of an enterprise
Target Audience
Mid-level and senior-level managers who are working toward or have already
attained positions as CISOs, CSOs or Senior Security Engineers
Prerequisites
A minimum of four years of professional experience in the information security
field or three years plus a college degree
Expected Duration
2 to 4 Hours
Objectives: Physical (Environmental) Security
- Recognize basic threats to an organization's physical security and identify the security mechanisms used in securing an enterprise environment.
- Identify the security mechanisms and strategies used to protect the perimeter of a facility.
- Identify the appropriate physical security mechanisms to implement in a given scenario.
- Identify the appropriate mechanisms and controls for securing the inside of a building or facility.
- Select the most appropriate intrusion detection technology for a scenario.
- Determine the appropriate intrusion detection system to implement, given a specific scenario.
- Select the appropriate strategy for securing compartmentalized areas in a given scenario.