Book description
The Official (ISC)2 Guide to the CISSP-ISSEP CBK provides an inclusive analysis of all of the topics covered on the newly created CISSP-ISSEP Common Body of Knowledge. The first fully comprehensive guide to the CISSP-ISSEP CBK, this book promotes understanding of the four ISSEP domains: Information Systems Security Engineering (ISSE); Certifica
Table of contents
- Cover
- Half Title
- Series Page
- Title Page
- Copyright Page
- Dedication
- Table of Contents
- Preface
- About the Author
- ISSE Domain 1: Information Systems Security Engineering (ISSE)
- Overview
- Contributors and Reviewers
- 1 ISSE Introduction
- 2 ISSE Model Phase 1: Discover Information Protection Needs
- Introduction
- Systems Engineering Activity: Discover Needs
- ISSE Activity: Discover Information Protection Needs
- Task 1: Define the Customer’s Mission/Business Needs
- Task 2: Define the Information Management
- From Mission Needs to Information Management Needs
- Creating an Information Management Model (IMM)
- Step 1: Identify Processes
- Step 2: Identify the Information Being Processed
- FIPS 199
- NIST SP 800-60
- NIST SP 800-59
- DoD Mission Assurance Categories (MACs)
- Information Domains
- Step 3: Identify the Users of the Information and the Process
- Task 3: Define the Information Protection Policy (IPP)
- Conducting the Threat Analysis and Developing the Information Protection Policy
- Potential Harmful Events (PHEs)
- Harm to Information (HTI)
- Identifying Security Services and Developing the Information Protection Policy
- Security Services
- Creating the Information Protection Policy (IPP)
- Creating the IPP Document
- The Information Management Plan (IMP)
- Final Deliverable of Step 1
- Summary
- References
- 3 ISSE Model Phase 2: Define System Security Requirements
- Introduction
- System Engineering Activity: Defining System Requirements
- Defining the System Context
- Define System Requirements
- Define Customer Expectations (Task 6.1.1)
- Define Constraints (Tasks 6.1.2 and 6.1.3)
- Define Operational Scenarios (Task 6.1.4)
- Define Measures of Effectiveness (MOEs) (Task 6.1.5)
- Define System Boundaries (Task 6.1.6)
- Define Interfaces (Task 6.1.7)
- Define Utilization Environments (Task 6.1.8)
- Define Life-Cycle Process Concepts (Task 6.1.9)
- Define Functional Requirements (Task 6.1.10)
- Define Performance Requirements (Task 6.1.11)
- Define Modes of Operations (Task 6.1.12)
- Define Technical Performance Measures (Task 6.1.13)
- Define Design Characteristics (Task 6.1.14)
- Define Human Factors (Task 6.1.15)
- Establish Requirements Baseline (Task 6.1.16)
- Define Design Constraints
- The Preliminary System Concept of Operations (CONOPS)
- ISSE Activity: Defining System Security Requirements
- Final Deliverable of Step 2
- Summary
- References
- 4 ISSE Model Phase 3: Define System Security Architecture
- Introduction
- Defining System and Security Architecture
- System Engineering Activity: Designing System Architecture
- ISSE Activity: Define the Security Architecture
- Design System Security Architecture
- Security Functional Analysis and Allocation
- Identify Security Components, Controls, or Technologies
- Additional Security Controls
- Requirements Traceability and the RTM
- Interface Identification and Security Architecture
- Trade-Off Analysis
- ISSE and Risk Management
- DoD Goal Security Architecture Example
- Final Deliverable of Designing System and Security Architectures
- Summary
- References
- 5 ISSE Model Phase 4: Develop Detailed Security Design
- Introduction
- Systems Engineering Activity: System Design
- ISSE Activity: System Security Design
- Conducting the Security Trade-Off Analysis
- Security Synthesis
- ISSE Design Phases
- Allocating Security Mechanisms
- Identifying COTS/GOTS/Custom Security Products
- Identifying Security Mechanism Interfaces
- Developing Specifications: Common Criteria Profiles
- Life-Cycle Security Approach and the System Security Design Document
- Configuration Management and the Life-Cycle Security Approach
- Software Design
- Security Design Validation
- Prototyping for the ISSE Process
- ISSE Design and Risk Management
- Final Deliverables of Step 4
- Summary
- References
- Web Sites
- Software Design and Development Bibliography
- 6 ISSE Model Phase 5: Implement System Security
- Introduction
- System Engineering Activity: System Implementation
- ISSE and System Security Implementation
- ISSE and Risk Management
- Final Deliverable of Phase 5
- Summary
- References
- Web Sites
- 7 ISSE Model Phase 6: Assess Security Effectiveness
- Introduction
- System Engineering Activity: System Assessment
- ISSE and System Security Assessment
- Information Protection Effectiveness Activities
- System Security Profiling
- Six Categories of Information Assurances
- 1. Processes (can be obtained by the way the system is built)
- 2. Properties (can be obtained by the way the system is built)
- 3. Analysis (can be obtained by an analysis of system descriptions for conformance to requirements and vulnerabilities)
- 4. Testing (can be obtained by testing the system itself to determine operating characteristics and to find vulnerabilities)
- 5. Guidance (can be obtained by the way the system is built)
- 6. Fielded Systems Evaluation (can be obtained by the operational experience and field evaluation of the system)
- NIST SP 800-55
- NIST SP 800-26
- NIST SP 800-42
- ISSE and Risk Management
- Final Deliverable of Phase 6
- Summary
- References
- Web Sites
- ISSE Domain 2: Certification and Accreditation
- Contributors and Reviewers
- 8 DITSCAP and NIACAP
- Introduction
- DITSCAP and NIACAP Overview
- DITSCAP/NIACAP Definition
- Phase 1: Definition
- Preparation Activity
- Registration Activity
- Registration Task 1: Prepare Business or Operational Functional Description and System Identification
- Registration Task 2: Inform the DAA, Certifier, and User Representative That the System Will Require C&A Support (Register the System)
- Registration Task 3: Prepare the Environment and Threat Description
- Registration Task 4: Prepare System Architecture Description and Describe the C&A Boundary
- Registration Task 5: Determine the System Security Requirements
- Security Requirements Traceability Matrix (RTM)
- The Security System Authorization Agreement (SSAA)
- Negotiation Activity
- Phase 2: Verification
- SSAA Refinement Activity
- System Development and Integration Activity
- Initial Certification Analysis (ICA) Activity
- Initial Certification Analysis Task 1: System Architectural Analysis
- Initial Certification Analysis Task 2: Software, Hardware, and Firmware Design Analysis
- Initial Certification Analysis Task 3: Network Connection Rule Compliance Analysis
- Initial Certification Analysis Task 4: Integrity Analysis of Integrated Products
- Initial Certification Analysis Task 5: Life-Cycle Management Analysis
- Initial Certification Analysis Task 6: Security Requirements Validation Procedure Preparation
- Initial Certification Analysis Task 7: Vulnerability Assessment
- Analysis of the Certification Results Activity
- Phase 3: Validation
- SSAA Refinement Activity
- Certification Evaluation of the Integrated System Activity
- Certification Evaluation Task 1: Security Test and Evaluation (ST&E)
- Certification Evaluation Task 2: Penetration Testing
- Certification Evaluation Task 3: TEMPEST and RED-BLACK Verification
- Certification Evaluation Task 4: COMSEC Compliance Evaluation
- Certification Evaluation Task 5: System Management Analysis
- Certification Evaluation Task 6: Site Accreditation Survey
- Certification Evaluation Task 7: Contingency Plan Evaluation
- Certification Evaluation Task 8: Risk Management Review
- Recommendation to DAA Activity
- DAA Accreditation Decision Activity
- Phase 4: Post Accreditation
- System and Security Operation Activities
- System and Security Operation Task 1: SSAA Maintenance
- System and Security Operation Task 2: Physical, Personnel, and Management Control Review
- System and Security Operation Task 3: TEMPEST Evaluation
- System and Security Operation Task 4: COMSEC Compliance Evaluation
- System and Security Operation Task 5: Contingency Plan Maintenance
- System and Security Operation Task 6: Configuration Management
- System and Security Operation Task 7: System Security Management
- System and Security Operation Task 8: Risk Management Review
- Compliance Validation Activity
- System and Security Operation Activities
- Summary
- 9 C&A NIST SP 800-37
- Introduction
- The C&A Process
- Phase 1: Initiation
- Phase 2: Security Certification
- Phase 3: Security Accreditation
- Phase 4: Continuous Monitoring
- Summary
- Domain 2 References
- Web Sites
- Acronyms
- ISSE Domain 3: Technical Management
- Contributors and Reviewers
- 10 Technical Management
- Introduction
- Planning the Effort
- Starting Off
- Goals
- Plan the Effort
- Task 1: Estimate Project Scope
- Task 2: Identify Resources and Availability
- Task 3: Identify Roles and Responsibilities
- Task 4: Estimate Project Costs
- Task 5: Develop Project Schedule
- Task 6: Identify Technical Activities
- Task 7: Identify Deliverables
- Task 8: Define Management Interfaces
- Task 9: Prepare Technical Management Plan
- Task 10: Review Project Management Plan
- Task 11: Obtain Customer Agreement
- Managing the Effort
- Technical Roles and Responsibilities
- Technical Documentation
- Technical Management Tools
- Summary
- References
- Web Sites
- ISSEP Domain 4: Introduction to United States Government Information Assurance Regulations
- Contributors and Reviewers
- 11 Information Assurance Organizations, Public Laws, and Public Policies
- Introduction
- Section 1: Federal Agencies and Organizations
- U.S. Congress
- White House
- Office of Management and Budget (OMB)
- Director of Central Intelligence/Director of National Intelligence
- National Security Agency (NSA)
- National Institute of Standards and Technology (NIST)
- Committee on National Security Systems (CNSS)
- National Information Assurance Partnership (NIAP)
- Section 2: Federal Laws, Executive Directives and Orders, and OMB Directives
- U.S. Congress: Federal Laws
- H.R.145 Public Law: 100-235 (01/08/1988)
- Chapter 35 of title 44, United States Code
- H.R. 2458-48, Chapter 35 of Title 44, United States Code TITLE III — Information Security §301 Information Security
- 10 USC 2315 Defense Program
- 5 USC § 552a, PL 93-579: The U.S. Federal Privacy Act of 1974
- Fraud and Related Activity in Connection with Computers
- 18 USC § 1030. P.L. 99-474: The Computer Fraud and Abuse Act of 1984, Amended in 1994 and 1996, Broadened in 2001
- Executive Orders
- Office of Management and Budget (OMB) Circular A-130
- History
- Circular No. A-130, Revised, Transmittal Memorandum No. 4 (November 2000)
- OMB M-99-18: Privacy Policies and Data Collection on Federal Web Sites (June 1999)
- OMB M-00-13: Privacy Policies and Data Collection on Federal Web Sites (June 2000)
- OMB M-00-07: Incorporating and Funding Security in Information Systems Investments (February 2000)
- OMB M-01-08: Guidance on Implementing the Government Information Security Reform Act (January 2001)
- OMB M-03-19: Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (August 6, 2003)
- Director of Central Intelligence Directive DCID 6/3
- U.S. Congress: Federal Laws
- Summary
- References
- Web Sites
- 12 Department of Defense (DoD) Information Assurance Organizations and Policies
- Introduction
- Overview of DoD Policies
- DoD Information Assurance (IA) Organizations and Departments
- Defensewide Information Assurance Program (DIAP)
- Defense Information Systems Agency (DISA)
- Defense Technical Information Center (DTIC®)
- National Security Agency (NSA) Information Assurance Directorate (IAD)
- Networks and Information Integration (NII)
- Information Assurance Support Environment (IASE)
- Defense Advanced Research Projects Agency (DARPA)
- DoD Issuances
- Summary
- References
- Web Sites
- 13 Committee on National Security Systems
- Introduction
- Overview of CNSS and NSTISSC
- CNSS and NSTISSC Issuances
- CNSS Policies
- NSTISSP No. 6, National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems (April 1994)
- NSTISSP No. 7, National Policy on Secure Electronic Messaging Service (February 1995)
- NSTISSP No. 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products (Revision June 2003)
- NSTISSP No. 101, National Policy on Securing Voice Communications (September 1999)
- NSTISSP No. 200, National Policy on Controlled Access Protection (July 1987)
- CNSS Policy No. 14, National Policy Governing the Release of Information Assurance Products and Services to Authorized U.S. Persons or Activities That Are Not a Part of the Federal Government (November 2002), Superseded NCSC-2 (1983)
- NCSC-5, National Policy on Use of Cryptomaterial by Activities Operating in High Risk Environments (U) (January 1981)
- CNSS Directive
- CNSS Instructions
- NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP) (April 2000)
- NSTISSI No. 4009, National Information System Security (INFOSEC) Glossary (Revised May 2003)
- CNSS (NSTISSI) Training Standards
- NSTISSI No. 4011, National Training Standard for INFOSEC Professionals (June 1994)
- CNSSI No. 4012 (June 2004), National Information Assurance Training Standard for Senior System Managers, Supersedes NSTISSI No. 4012, National Training Standard for Designated Approving Authority (DAA) (August 1997)
- CNSSI No. 4013 (March 2004), National Information Assurance Training Standard for System Administrators Supersedes NSTISSI No. 4013 National Training Standard for System Administrators (August 1997)
- CNSSI No. 4014 (April 2004), National Information Assurance Training Standard for Information Systems Security Officers (ISSO), Supersedes NSTISSI No. 4014, National Training Requirements for Information System Security Officers (August 1997)
- NSTISSI No. 4015, National Training Standard for System Certifiers (December 2000)
- NSTISSI No. 7003, Protected Distribution Systems (December 1996)
- NACSI-6002, Protection of Government Contractor Telecommunications (June 1984)
- CNSS Advisory Memoranda
- NSTISSAM COMPUSEC 1-98, The Role of Firewalls and Guards in Enclave Boundary Protection (December 1998)
- NSTISSAM COMPUSEC 1-99, Advisory Memorandum on the Transition from the Trusted Computer System Evaluation Criteria (TCSEC) to the International Common Criteria (CC) for Information Security Technology Evaluation (March 1999)
- NSTISSAM INFOSEC/1-00, Advisory Memorandum for the Use of FIPS 140 Validated Cryptographic Modules in Protecting Unclassified National Security Systems (February 2000)
- NSTISSAM INFOSEC 2-00, Advisory Memorandum for the Strategy for Using National Information Assurance Partnership (NIAP) for the Evaluation of Commercial Off-the-Shelf (COTS) Security Enabled Information Technology Products (February 2000)
- CNSSAM 1-04, Advisory Memorandum for Information Assurance (IA) — Security through Product Diversity (July 2004)
- Summary
- References
- Web Sites
- 14 National Institute of Standards and Technology (NIST) Publications
- Introduction
- Federal Information Processing Standards (FIPS)
- FIPS 46-3, Data Encryption Standard (DES) (Reaffirmed October 1999)
- FIPS 81, DES Mode of Operation (December 1980)
- FIPS 102, Guidelines for Computer Security Certification and Accreditation (September 1983)
- FIPS 140-2, Security Requirements for Cryptographic Modules (May 2001; Supersedes FIPS 140-1, January 1994)
- The DES Challenge
- FIPS 197, Advanced Encryption Standard (AES) (November 2001)
- FIPS 197 and CNSS Policy No. 15
- NIST Special Publications
- NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (October 1995)
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (September 1996)
- NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems (December 1998)
- NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication (October 2000)
- NIST SP 800-27 Rev. A, Engineering Principles for Information Technology Security: A Baseline for Achieving Security, Revision A (June 2004)
- NIST SP 800-30, Risk Management Guide for Information Technology Systems (January 2002)
- NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems (September 2002)
- Summary
- References
- Web Sites
- 15 National Information Assurance Partnership (NIAP) and Common Criteria (CC)
- Introduction
- Note to ISSEP: You are expected to know Common Criteria.
- Historical View of IT Security Evaluations
- National Information Assurance Partnership (NIAP)
- The Common Criteria
- CC Part 1: Introduction and General Model
- Protection Profile (PP)
- Security Target (ST)
- Target of Evaluation (TOE)
- Evaluation
- Evaluation Assurance Level (EAL)
- Security Environment
- Security Objectives
- Security Requirements
- TOE Summary Specification
- TOE Implementation
- Protection Profile and Security Target Contents
- Protection Profile Contents
- Security Target Contents
- CC Part 2: Security Functional Requirements
- CC Part 3: Security Assurance Requirements
- Protection Profile (PP) and Security Target (ST) Evaluation Criteria
- Assurance Classes, Families, and Components
- Assurance Maintenance Class
- Evaluation Assurance Levels
- CC Part 1: Introduction and General Model
- CC Scenario
- Summary
- References
- Web Sites
- Appendix A: Linking ISSE Phases to SE Phases
- Appendix B: Enterprise Architecture
- Appendix C: Combining NIST SP 800-55 and SP 800-26
- Appendix D: Common Criteria Security Assurance Requirements
- Appendix E: ISSEP Sample Questions
- Index
Product information
- Title: Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®
- Author(s):
- Release date: September 2005
- Publisher(s): Auerbach Publications
- ISBN: 9781135483081