CISSP Certification Passport
About the Author
Bobby Rogers (he/his/him) is a cybersecurity professional with over 30 years in the information technology and cybersecurity fields. He currently works with a major engineering company in Huntsville, Alabama, helping to secure networks and manage cyber risk for its customers. Bobby’s customers include the U.S. Army, NASA, the State of Tennessee, and private/commercial companies and organizations. His specialties are cybersecurity engineering, security compliance, and cyber risk management, but he has worked in almost every area of cybersecurity, including network defense, computer forensics and incident response, and penetration testing.
Bobby is a retired Master Sergeant from the U.S. Air Force, having served for over 21 years. He has built and secured networks in the United States, Chad, Uganda, South Africa, Germany, Saudi Arabia, Pakistan, Afghanistan, and several other remote locations. His decorations include two Meritorious Service medals, three Air Force Commendation medals, the National Defense Service medal, and several Air Force Achievement medals. He retired from active duty in 2006.
Bobby has a master of science in information assurance and a bachelor of science in computer information systems (with a dual concentration in Russian language), and two associate of science degrees. His many certifications include CISSP-ISSEP, CRISC, CySA+, CEH, and MCSE: Security.
Bobby has narrated and produced over 30 computer training videos for several training companies and currently produces them for Pluralsight (https://www.pluralsight.com). He is also the author of CompTIA Mobility+ All-in-One Exam Guide (Exam MB0-001), CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide, and Mike Meyers’ CompTIA Security+ Certification Guide (Exam SY0-401), and is the contributing author/technical editor for the popular CISSP All-in-One Exam Guide, Ninth Edition, all of which are published by McGraw Hill.
Bobby E. Rogers
McGraw Hill is an independent entity from (ISC)²® and is not affiliated with (ISC)² in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)² in any manner. This publication and accompanying media may be used in assisting students to prepare for the CISSP exam. Neither (ISC)² nor McGraw Hill warrants that use of this publication and accompanying media will ensure passing any exam. (ISC)²®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP®, and CBK® are trademarks or registered trademarks of (ISC)² in the United States and certain other countries. All other trademarks are trademarks of their respective owners.
Copyright © 2023 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN: 978-1-26-427798-8
MHID: 1-26-427798-9
The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-427797-1, MHID: 1-26-427797-0.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw Hill eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
I’d like to dedicate this book to the cybersecurity professionals who tirelessly, and sometimes, thanklessly, protect our information and systems from all who would do them harm.
I also dedicate this book to the people who serve in uniform as military personnel, public safety professionals, police, firefighters, and medical professionals, sacrificing sometimes all that they are and have so that we may all live in peace, security, and safety.
—Bobby Rogers
Contents at a Glance
Index  431

Contents
Acknowledgments  xxvii
Introduction  xxix
    REVIEW  14
    1.2 QUESTIONS  14
    1.2 ANSWERS  15
Objective 1.3 Evaluate and apply security governance principles  16
    Security Governance  16
    External Governance  16
    Internal Governance  16
    Alignment of Security Functions to Business Requirements  17
    Business Strategy and Security Strategy  17
    Organizational Processes  18
    Organizational Roles and Responsibilities  18
    Security Control Frameworks  19
    Due Care/Due Diligence  20
    REVIEW  21
    1.3 QUESTIONS  21
    1.3 ANSWERS  22
Objective 1.4 Determine compliance and other requirements  23
    Compliance  23
    Legal and Regulatory Compliance  24
    Contractual Compliance  25
    Compliance with Industry Standards  25
    Privacy Requirements  25
    REVIEW  26
    1.4 QUESTIONS  27
    1.4 ANSWERS  28
Objective 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context  29
    Legal and Regulatory Requirements  29
    Cybercrimes  29
    Licensing and Intellectual Property Requirements  30
    Import/Export Controls  31
    Transborder Data Flow  32
    Privacy Issues  32
    REVIEW  33
    1.5 QUESTIONS  33
    1.5 ANSWERS  34
Objective 1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)  35
    Investigations  35
    Administrative Investigations  35
    Civil Investigations  35
    Criminal Investigations  36
    Regulatory Investigations  36
    Industry Standards for Investigations  37
    REVIEW  37
    1.6 QUESTIONS  38
    1.6 ANSWERS  39
Objective 1.7 Develop, document, and implement security policy, standards, procedures, and guidelines  39
    Internal Governance  40
    Policy  40
    Procedures  40
    Standards  41
    Guidelines  41
    Baselines  42
    REVIEW  42
    1.7 QUESTIONS  43
    1.7 ANSWERS  44
Objective 1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements  45
    Business Continuity  45
    Business Impact Analysis  46
    Developing the BIA  46
    REVIEW  47
    1.8 QUESTIONS  47
    1.8 ANSWERS  48
Objective 1.9 Contribute to and enforce personnel security policies and procedures  48
    Personnel Security  49
    Candidate Screening and Hiring  49
    Employment Agreements and Policies  50
    Onboarding, Transfers, and Termination Processes  50
    Vendor, Consultant, and Contractor Agreements and Controls  52
    Compliance Policy Requirements  53
    Privacy Policy Requirements  53
    REVIEW  54
    1.9 QUESTIONS  55
    1.9 ANSWERS  56
Objective 1.10 Understand and apply risk management concepts  57
    Risk Management  57
    Elements of Risk  57
    Identify Threats and Vulnerabilities  59
    Risk Assessment/Analysis  60
    Risk Response  63
    Risk Frameworks  64
    Countermeasure Selection and Implementation  64
    Applicable Types of Controls  65
    Control Assessments (Security and Privacy)  66
    Monitoring and Measurement  67
    Reporting  67
    Continuous Improvement  68
    REVIEW  68
    1.10 QUESTIONS  69
    1.10 ANSWERS  69
Objective 1.11 Understand and apply threat modeling concepts and methodologies  70
    Threat Modeling  70
    Threat Components  70
    Threat Modeling Methodologies  72
    REVIEW  73
    1.11 QUESTIONS  73
    1.11 ANSWERS  73
Objective 1.12 Apply Supply Chain Risk Management (SCRM) concepts  74
    Supply Chain Risk Management  74
    Risks Associated with Hardware, Software, and Services  74
    Third-Party Assessment and Monitoring  76
    Minimum Security Requirements  77
    Service Level Requirements  77
    REVIEW  77
    1.12 QUESTIONS  78
    1.12 ANSWERS  79
Objective 1.13 Establish and maintain a security awareness, education, and training program  80
    Security Awareness, Education, and Training Program  80
    Methods and Techniques to Present Awareness and Training  80
    Periodic Content Reviews  82
    Program Effectiveness Evaluation  82
    REVIEW  82
    1.13 QUESTIONS  83
    1.13 ANSWERS  84
    REVIEW  108
    2.5 QUESTIONS  108
    2.5 ANSWERS  108
Objective 2.6 Determine data security controls and compliance requirements  109
    Data Security and Compliance  109
    Data States  109
    Control Standards Selection  110
    Scoping and Tailoring Data Security Controls  111
    Data Protection Methods  111
    REVIEW  113
    2.6 QUESTIONS  113
    2.6 ANSWERS  114
3.0 Security Architecture and Engineering  115
Objective 3.1 Research, implement, and manage engineering processes using secure design principles  116
    Threat Modeling  116
    Least Privilege  116
    Defense in Depth  117
    Secure Defaults  117
    Fail Securely  117
    Separation of Duties  118
    Keep It Simple  119
    Zero Trust  119
    Privacy by Design  119
    Trust But Verify  119
    Shared Responsibility  120
    REVIEW  120
    3.1 QUESTIONS  121
    3.1 ANSWERS  122
Objective 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)  122
    Security Models  122
    Terms and Concepts  123
    System States and Processing Modes  124
    Confidentiality Models  126
    Integrity Models  127
    Other Access Control Models  128
    REVIEW  128
    3.2 QUESTIONS  129
    3.2 ANSWERS  130
Objective 3.3 Select controls based upon systems security requirements  130
    Selecting Security Controls  130
    Performance and Functional Requirements  131
    Data Protection Requirements  131
    Governance Requirements  132
    Interface Requirements  132
    Risk Response Requirements  133
    REVIEW  133
    3.3 QUESTIONS  134
    3.3 ANSWERS  134
Objective 3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)  135
    Information System Security Capabilities  135
    Hardware and Firmware System Security  135
    Secure Processing  137
    REVIEW  138
    3.4 QUESTIONS  139
    3.4 ANSWERS  139
Objective 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements  139
    Vulnerabilities of Security Architectures, Designs, and Solutions  140
    Client-Based Systems  140
    Server-Based Systems  140
    Distributed Systems  141
    Database Systems  141
    Cryptographic Systems  142
    Industrial Control Systems  142
    Internet of Things  143
    Embedded Systems  143
    Cloud-Based Systems  144
    Virtualized Systems  145
    Containerization  146
    Microservices  146
    Serverless  146
    High-Performance Computing Systems  146
    Edge Computing Systems  146
    REVIEW  147
    3.5 QUESTIONS  148
    3.5 ANSWERS  148
    REVIEW  376
    7.13 QUESTIONS  376
    7.13 ANSWERS  377
Objective 7.14 Implement and manage physical security  377
    Physical Security  377
    Perimeter Security Controls  378
    Internal Security Controls  382
    REVIEW  386
    7.14 QUESTIONS  387
    7.14 ANSWERS  387
Objective 7.15 Address personnel safety and security concerns  388
    Personnel Safety and Security  388
    Travel  388
    Security Training and Awareness  389
    Emergency Management  389
    Duress  390
    REVIEW  391
    7.15 QUESTIONS  391
    7.15 ANSWERS  392
8.0 Software Development Security  393
Objective 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)  394
    Software Development Life Cycle  394
    Development Methodologies  395
    Maturity Models  398
    Operation and Maintenance  400
    Change Management  401
    Integrated Product Team  401
    REVIEW  401
    8.1 QUESTIONS  402
    8.1 ANSWERS  403
Objective 8.2 Identify and apply security controls in software development ecosystems  403
    Security Controls in Software Development  403
    Programming Languages  404
    Libraries  405
    Tool Sets  406
    Integrated Development Environment  406
    Runtime  406
    Continuous Integration and Continuous Delivery  407
    Security Orchestration, Automation, and Response  407
    Software Configuration Management  408
    Code Repositories  408
    Application Security Testing  408
    REVIEW  411
    8.2 QUESTIONS  411
    8.2 ANSWERS  412
Objective 8.3 Assess the effectiveness of software security  412
    Software Security Effectiveness  412
    Auditing and Logging Changes  413
    Risk Analysis and Mitigation  413
    REVIEW  415
    8.3 QUESTIONS  415
    8.3 ANSWERS  415
Objective 8.4 Assess security impact of acquired software  416
    Security Impact of Acquired Software  416
    Commercial-off-the-Shelf Software  416
    Open-Source Software  417
    Third-Party Software  417
    Managed Services  418
    REVIEW  419
    8.4 QUESTIONS  419
    8.4 ANSWERS  420
Objective 8.5 Define and apply secure coding guidelines and standards  420
    Secure Coding Guidelines and Standards  420
    Security Weaknesses and Vulnerabilities at the Source-Code Level  420
    Security of Application Programming Interfaces  421
    Secure Coding Practices  422
    Software-Defined Security  424
    REVIEW  424
    8.5 QUESTIONS  425
    8.5 ANSWERS  425
A About the Online Content  427
    System Requirements  427
    Your Total Seminars Training Hub Account  427
    Privacy Notice  427
    Single User License Terms and Conditions  427
    TotalTester Online  429
    Technical Support  429
Index  431
Acknowledgments
A book isn’t simply written by one person; so many people had key roles in the production of this study guide, so I’d like to take this opportunity to acknowledge and thank them. First and foremost, I would like to thank the folks at McGraw Hill, Wendy Rinaldi, Caitlin Cromley-Linn, and Janet Walden. All three worked hard to keep me on track and made sure that this book met the highest standards of quality. They are awesome people to work with, and I’m grateful once again to work with them!
I would also like to sincerely thank Nitesh Sharma, Senior Project Manager, KnowledgeWorks Global Ltd, who worked on the post-production for the book, and Bill McManus, who did the copyediting work for the book. They are also great folks to work with. Nitesh was so patient and professional with me at various times when I did not exactly meet a deadline and I’m so grateful for that. I’ve worked with Bill a few times on different book projects, and I must admit I’m always in awe of him (and a bit intimidated by him, but really glad in the end to have him help on my projects), since he is an awesome copyeditor who catches every single one of the plentiful mistakes I make during the writing process. I have also gained a significant respect for Bill’s knowledge of cybersecurity, as he’s always been able to key in on small nuances of wonky explanations that even I didn’t catch and suggest better ways to write them. He’s the perfect person to make sure this book flows well, is understandable to a reader, and is a higher-quality resource. Thank you, Bill!
There are many other people on the production side who contributed significantly to the publication of this book, including Rachel Fogelberg, Ted Laux, Thomas Somers, and Jeff Weeks, as well as others. My sincere thanks to them all for their hard work.
I also want to thank my family for their patience and understanding as I took time away from them to write this book. I owe them a great deal of time I can never pay back, and I am very grateful for their love and support.
And last, but certainly not least, I want to thank the technical editor, Nichole O’Brien. I’ve worked with Nichole on tons of real-world cybersecurity projects off and on for at least ten years now. I’ve lost count of how many proposals, risk assessment reports, customer meetings, and cyber-related problems she has suffered through with me, yet she didn’t hesitate to jump in and become the technical editor for this book. Nichole is absolutely one of the smartest businesspeople I know in cybersecurity, as well as simply a really good person, and I have an infinite amount of professional and personal respect for her. This book is so much better for having her there to correct my mistakes, ask critical questions, make me do more research, and add a different and unique perspective to the process. Thanks, Nichole!
—Bobby Rogers
Introduction
Welcome to CISSP Passport! This book is focused on helping you to pass the Certified Information Systems Security Professional (CISSP) certification examination from the International Information System Security Certification Consortium, or (ISC)². The idea behind the Passport series is to give you a concise study guide for learning the key elements of the certification exam from the perspective of the required objectives published by (ISC)², in their CISSP Certification Exam Outline. Cybersecurity professionals can review the experience requirements set forth by (ISC)² at https://www.isc2.org/Certifications/CISSP/experience-requirements. The basic requirement is five years of cumulative paid work experience in two or more of the eight CISSP domains, or four years of such experience plus either a four-year college degree or an additional credential from the (ISC)² approved list. (ISC)² requires that you document this experience before you can be fully certified as a CISSP. For those candidates who do not yet meet the experience requirements, they may achieve Associate of (ISC)² status by passing the examination. Associates of (ISC)² are then allowed up to six years to accumulate the required five years of experience to become full CISSPs.
The eight domains and the approximate percentage of exam questions they represent are as follows:
CISSP Passport assumes that you have already studied long and hard for the CISSP exam and now just need a quick refresher before you take the exam. This book is meant to be a “no fluff” concise study guide with quick facts, definitions, memory aids, charts, and brief explanations. Because this guide gives you the key concepts and facts, and not the in-depth explanations surrounding those facts, you should not use this guide as your only study source to prepare for the CISSP exam. There are numerous books you can use for your deep studying, such as CISSP All-in-One Exam Guide, Ninth Edition, also from McGraw Hill.
I recommend that you use this guide to reinforce your knowledge of key terms and concepts and to review the broad scope of topics quickly in the final few days before your CISSP exam, after you’ve done all of your “deep” studying. This guide will help you memorize fast facts, as well as refresh your memory about topics you may not have studied for a while.
This guide is organized around the most recent CISSP exam domains and objectives released by (ISC)², which is May 1, 2021 at the time of writing this book. Keep in mind that (ISC)² reserves the right to change or update the exam objectives anytime at its sole discretion and without any prior notice, so you should check the (ISC)² website for any recent changes before you begin reading this guide and again a week or so before taking the exam to make sure you are studying the most updated materials.
The structure of this study guide parallels the structure of the eight CISSP domains published by (ISC)², presented in the same numerical order in the book, with individual domain objectives also ordered by objective number in each domain. Each domain in this guide is equivalent to a regular book chapter, so this guide has eight considerably large “chapters” with individual sections devoted to the objective numbers. This organization is intended to help you learn and master each objective in a logical way. Because some domain objectives overlap, you will see a bit of redundancy in topics discussed throughout the book; where this is the case, the topic is presented in its proper context within the current domain objective and you’ll see a cross-reference to the other objective(s) in which the same topic is discussed.
Each domain contains the following useful items to call out points of interest.
EXAM TIP Indicates critical topics you’re likely to see on the actual exam
NOTE Points out ancillary but pertinent information, as well as areas for further study
Cross-Reference Directs you to other places in the book where concepts are covered, for your reference
The end of each objective gives you two handy tools. The “Review” section provides a synopsis of the objective—a great way to quickly review the critical information. Then the “Questions” and “Answers” sections enable you to test your newly acquired knowledge. For further study, this book includes access to online practice exams that will help to prepare you for taking the exam itself. All the information you need for accessing the exam questions is provided in the appendix. I recommend that you take the practice exams to identify where you have knowledge gaps and then go back and review the relevant material as needed.
I hope this book is helpful to you not only in studying for the CISSP exam but also as a quick reference guide you’ll use in your professional life. Thanks for picking this book to help you study, and good luck on the exam!
DOMAIN 1.0 Security and Risk Management
Domain Objectives
Domain 1, “Security and Risk Management,” is one of the key domains in understanding critical security principles that you will encounter on the CISSP exam. The majority of the topics in this domain include the administrative or managerial security measures put in place to manage a security program. In this domain you will learn about professional ethics and important fundamental security concepts. We will discuss governance and compliance, investigations, security policies, and other critical management concepts. We will also delve into business continuity, personnel security, and the all-important risk management processes. We’ll also discuss threat modeling, explore supply chain risk management, and finish the domain by examining the different aspects of security training and awareness programs. These are all very important concepts that will help you to understand the subsequent domains, since they provide the foundations of knowledge you need to be successful on the exam.
The fact that (ISC)2 places professional ethics as the first objective in the first domain of the CISSP exam requirements speaks volumes about the importance of ethics and ethical behavior in our profession. The continuing increases in network breaches, data loss, and ransomware demonstrate the criticality of ethical conduct in this expanding information security landscape. Our information systems security workforce is expanding at a rapid pace, and these new recruits need to understand the professional discipline required to succeed. Some may enter the field because they expect to make a lot of money, but ultimately competence, integrity, and trustworthiness are the qualities necessary for success. Most professions have published standards for ethical behavior, such as healthcare, law enforcement, accounting, and many other professions. In fact, you would be hard-pressed to find a profession that does not have at least some type of minimal ethical requirements for professional conduct.
While exam objective 1.1 is the only objective that explicitly covers ethics and professional conduct, it’s important to emphasize them, since you will be expected to know them on the exam and, more importantly, you will be expected to uphold them to maintain your CISSP status. The first part of this exam objective covers the core ethical requirements from (ISC)2 itself. Absent any other ethical standards that you may also be required to uphold in your profession, from your organization, your customers, and even any other certifications you hold, the (ISC)2 Code of Ethics should be sufficient to guide you in ethical behavior and professional conduct while you are employed as an information systems security professional for as long as you hold the CISSP certification. The second part of the objective reviews other sources of professional ethics that guide your conduct, such as those from industry or professional organizations.
First, let’s look at the (ISC)2 Code of Ethics.
NOTE (ISC)2 updates the Code of Ethics from time to time, so it is best to occasionally go to the (ISC)2 website and review it for any changes. This allows you to keep up with current requirements and serves to remind you of your ethical and professional responsibilities.
“The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.”
I. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
II. Act honorably, honestly, justly, responsibly, and legally.
III. Provide diligent and competent service to principals.
IV. Advance and protect the profession.
Obviously, these canons are intentionally broad and, unfortunately, someone could construe them to fit almost any type of act by a CISSP, accidental or malicious, into one of these categories. However, the ethics complaint procedures specify a burden of proof involved with making a complaint against the certification holder for violation of these canons. The complaint procedures, set forth in the “Standing of Complainant” section, specify that “complaints will be accepted only from those who claim to be injured by the alleged behavior.” Anyone with knowledge of a breach of Canons I or II may file a complaint against someone, but only principals, which are employers or customers of the certificate holder, can lodge a complaint about any violation of Canon III, and only other certified professionals may register complaints about violations of Canon IV.
Also according to the ethics complaint procedures, the complaint goes before an ethics committee, which hears complaints of breaches of the Code of Ethics Canons and makes a recommendation to the board. But the board ultimately makes decisions regarding the validity of complaints, as well as levies the final disciplinary action against the member, if warranted. A person who has had an ethics complaint lodged against them under these four canons has a right to respond and comment on the allegations, as there are sound due process procedures built into this process.
EXAM TIP You should be familiar with the preamble and the four canons of the (ISC)2 Code of Ethics for the exam. It’s a good idea to go to the (ISC)2 website and review the most current Code of Ethics shortly before you take the exam.
As you can see, these points are directly aligned with the (ISC)2 Code of Ethics and, as with many codes of conduct, offer no conflict with other codes that members may be subject to. In fact, since codes of ethics and professional behavior are often similar, they support and serve to strengthen the requirements levied on various individuals.
REVIEW
Objective 1.1: Understand, adhere to, and promote professional ethics In this objective
we focused on one of the more important objectives for the CISSP exam—one that’s often
overlooked in exam prep. We discussed codes of ethics, which are requirements intended
to guide our professional behavior. We specifically examined the (ISC)2 Code of Ethics,
as that is the most relevant to the exam. The Code of Ethics consists of a preamble and
four mandatory canons. (ISC)2 also has a comprehensive set of complaint procedures for
ethics complaints against certified members. The complaint procedures detail the process
for formally accusing a certified member of violating one or more of the four canons, while
ensuring a fair and impartial due process for the accused.
We also examined organizational ethics and discussed how some organizations may not
have a formalized code of ethics document, but their ethical or professional behavior expec-
tations may be contained in their policies. These are usually found in policies such as accept-
able use, acceptance of gifts, bribery, and other types of policies. Most of the policies that
affect professional behavior for employees are typically found in the employee handbook.
Finally, we discussed other sources of professional ethics, from professional organi-
zations and governance requirements that may define how to protect certain sensitive
data classifications. Absent any other core ethics document that prescribes professional
behavior, the (ISC)2 Code of Ethics is mandatory for CISSP certification holders and
should be used to guide their behavior.
1.1 QUESTIONS
1. You’re a CISSP who works for a small business. Your workplace has no formalized
code of professional ethics. Your manager recently asked you to fudge the results of
a vulnerability assessment on a group of production servers to make it appear as if
the security posture is improving. Absent a workplace code of ethics, which of the
following should guide your behavior regarding this request?
A. Your own professional conscience
B. (ISC)2 Code of Ethics
C. Workplace Acceptable Use Policy
D. The Computer Ethics Institute policies
2. Nichole is a security operations center (SOC) supervisor who has observed one of her
CISSP-certified subordinates in repeated violation of both the company’s requirements
for professional behavior and the (ISC)2 Code of Ethics. Which of the following
actions should she take?
A. Report the violation to the company’s HR department only
B. Report the violation to (ISC)2 and the HR department
C. Ignore a one-time violation and counsel the individual
D. Report the violation to (ISC)2 only
1.1 ANSWERS
1. B Absent any other binding code of professional ethics from the workplace, the
(ISC)2 Code of Ethics binds certified professionals to a higher standard of behavior.
While using your own professional judgment is admirable, not everyone’s professional
standards are at the same level. Workplace policies do not always cover professional
conduct by cybersecurity personnel specifically. The Computer Ethics Institute policies
are not binding to cybersecurity professionals.
2. B Since the employee has violated both the company’s professional behavior
requirements and the (ISC)2 Code of Ethics, Nichole should report the actions to
both entities. Had the violation been only that of the (ISC)2 Code of Ethics, she would
not have necessarily needed to report it to the company. One-time violations may be
accidental and should be handled at the supervisor’s discretion; however, repeated
violations may warrant further action depending upon the nature of the violation
and the situation.
3. C The Sarbanes-Oxley (SOX) Code of Ethics requirements are part of the regulation
(Section 406 of the Act) enacted to prevent securities and financial fraud and require
organizations to enact codes of ethics to protect financial and personal data. The
other choices are not focused on data sensitivity or regulations, but rather apply to
technology and cybersecurity professionals.
4. A Although the argument can be made that falsifying an audit report could violate any
or all of the four (ISC)2 Code of Ethics Canons, the scenario specifically affects the canon
that requires professionals to perform diligent and competent service to principals.
DOMAIN 1.0 Objective 1.2 9
In this objective we will examine some of the more fundamental concepts of security.
Although fundamental, they are critical in understanding everything that follows, since
everything we will discuss in future objectives throughout all CISSP domains relates to the
goals of security and their supporting tenets.
Security Concepts
To become certified as a CISSP, you must have knowledge and experience that covers a
wide variety of topics. However, regardless of the experience you may have in the different
domains, such as networking, digital forensics, compliance, or penetration testing, you need
to comprehend some fundamental concepts that are the basis of all the other security knowl-
edge you will need in your career. This core knowledge includes the goals of security and its
supporting principles.
In this objective we’re going to discuss this core knowledge, which serves as a reminder for
the experience you likely already have before attempting the exam. We’ll cover the goals of
security as well as the supporting tenets, such as identification, authentication, authorization,
and nonrepudiation. We will also discuss key supporting concepts such as principles of least
privilege and separation of duties. You’ll find that no matter what expertise you have in the
CISSP domains, these core principles are the basis for all of them. As we discuss each of these
core subjects we’ll talk about how different topics within the CISSP domains articulate to these
areas. First, it’s useful to establish common ground with some terms you’ll likely see through-
out this book and your studies for the exam.
between the two. For purposes of this book, and studying for the exam, data are raw, singular
pieces of fact or knowledge that have no immediate context or meaning. An example might be
an IP address, or domain name, or even an audit log entry, which by itself may not have any
meaning. Information is data organized into context and given meaning. An example might be
several pieces of data that are correlated to show an event that occurred on a host at a specific
time by a specific individual.
EXAM TIP The CISSP exam objectives do not distinguish the differences
between the terms “information” and “data,” as they are often used interchangeably
in the profession as well. For the purposes of this book, we also will sometimes not
distinguish the difference and use the terms interchangeably, depending on the context
and the exam objectives presented.
Confidentiality
Of the three primary goals of information security, confidentiality is likely the one that most
people associate with cybersecurity. Certainly, it’s important to make sure that systems and data
are kept confidential and only accessed by entities that have a valid reason, but the other goals
of security, which we will discuss shortly, are also of equal importance. Confidentiality is about
keeping information secret and, in some cases, private. It requires protecting information that
is not generally accessible to everyone, but rather only to a select few. Whether it’s personal
privacy or health data, proprietary company information, classified government data, or just
simply data of a sensitive nature, confidential information is meant to be kept secret. In later
objectives we will discuss different access controls, such as file permissions, encryption, authen-
tication schemes, and other measures, that are designed to keep data and systems confidential.
Integrity
Integrity is the goal of security to ensure that data and systems are not modified or destroyed
without authorization. To maintain integrity, data should be altered only by an entity that has
the appropriate access and a valid reason to modify. Obviously, data may be altered purpose-
fully for malicious reasons, but accidental or unintentional changes may be caused by a well-
intentioned user or even by a bad network connection that degrades the integrity of a file or
data transmission. Integrity is assured through several means, including identification and
authentication mechanisms (discussed shortly), cryptographic methods (e.g., file hashing),
and checksums.
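The paragraph above lists checksums and cryptographic hashing as integrity mechanisms. The following added example (not from the book) compares a plain CRC32 checksum, an unkeyed SHA-256 digest, and a keyed HMAC against the two cases the text describes: an accidental bit flip from a bad link and a deliberate unauthorized edit. The file content and the key are constructed placeholders.

```python
import hashlib
import hmac
import zlib

# Constructed sample content standing in for a configuration file (not from the book).
ORIGINAL = b"host=web01\nrole=production\npatch_level=2024-05\n"
# Placeholder secret for the keyed variant; a real deployment manages this key separately.
KEY = b"constructed-demo-key"


def crc32_checksum(data: bytes) -> int:
    """Plain checksum: catches accidental corruption, but anyone can recompute it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_digest(data: bytes) -> str:
    """Cryptographic hash: any change, accidental or deliberate, changes the digest."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed hash: only a holder of the key can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(sha256_digest(data), expected)


def verify_tag(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(hmac_tag(data, key), expected)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a degraded link: one bit flipped in transit."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    """Compare the three mechanisms against an accidental and a deliberate change."""
    # Reference values recorded while the file was known good.
    ref_crc = crc32_checksum(ORIGINAL)
    ref_digest = sha256_digest(ORIGINAL)
    ref_tag = hmac_tag(ORIGINAL, KEY)

    corrupted = flip_bit(ORIGINAL, 7)                            # unintentional change
    edited = ORIGINAL.replace(b"production", b"decommissioned")  # unauthorized change

    return {
        # A single flipped bit is caught by the checksum and by the digest.
        "checksum_detects_bitflip": crc32_checksum(corrupted) != ref_crc,
        "digest_detects_bitflip": not verify_digest(corrupted, ref_digest),
        # The edit is caught as long as the reference digest is stored out of reach.
        "digest_detects_edit": not verify_digest(edited, ref_digest),
        # If the stored digest can be replaced along with the data, an unkeyed
        # hash proves nothing: a freshly computed digest verifies the edited file.
        "replaced_digest_verifies": verify_digest(edited, sha256_digest(edited)),
        # A keyed tag cannot be regenerated without KEY, so the same substitution fails.
        "tag_without_key_fails": not verify_tag(edited, KEY, hmac_tag(edited, b"not-the-key")),
        "tag_detects_edit": not verify_tag(edited, KEY, ref_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last two results are the reason the text pairs hashing with identification and authentication: a digest alone says the data changed, while a keyed tag also ties the unchanged data to a party that holds the key.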
Availability
Availability means having information and the systems that process it readily accessible by
authorized users any time and in any manner they require. Systems and information do users
little good if they can’t get to and use those resources when needed, and simply preventing
their authorized use contradicts the availability goal. Availability can be denied accidentally
by a network or device outage, or intentionally by a malicious entity that destroys systems and
data or prevents use via denial-of-service attacks. Availability can be ensured through various
means including equipment redundancy, data backups, access control, and so on.
Identification
Identification is the act of presenting credentials that state (assert) the identity of an individ-
ual or entity. A credential is a piece of information (physical or electronic) that confirms the
identity of the credential holder and is issued by an authoritative source. Examples of creden-
tials used to identify an entity include a driver’s license, passport, username and password
combination, smart card, and so forth.
Authentication
Authentication occurs after identification and is the process of verifying that the credential
presented matches the actual identity of the entity presenting it. Authentication typically
occurs when an entity presents an identification and credential, and the system or network
verifies that credential against a database of known identities and characteristics. If the iden-
tity and credential asserted matches an entry in the database, the entity is authenticated.
Once this occurs, an entity is considered authenticated to the system, but that does not mean
that they have the ability to perform any actions with any resources. This is where the next
step, authorization, comes in.
Authenticity
Authenticity goes hand-in-hand with authentication, in that it is the validation of a user, an
action, a document, or other entity through verified means. User authenticity is established
with strong authentication mechanisms, for example; an action’s authenticity is established
through auditing and accountability mechanisms, and a document’s authenticity might be
established through integrity checks such as hashing.
Authorization
Authorization occurs only after an entity has been authenticated. Authorization determines
what actions the entity can take with a given resource, such as a computer, application, or
network. Note that it is possible for an entity to be authenticated but have no authorization
to take any action with a resource. Authorization is typically determined by considering an
individual’s job position, clearance level, and need-to-know status for a particular resource.
Authorization can be granted by a system administrator, a resource owner, or another entity
in authority. Authorization is often implemented in the form of permissions, rights, and privi-
leges used to interact with resources, such as systems and information.
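The Identification, Authentication, and Authorization sections above describe three distinct steps, including the case of an entity that is authenticated but holds no authorization for a resource. The following added example (not from the book) implements the three steps as separate checks over a constructed identity store and permission table; the usernames, passwords, resources, and the PBKDF2 parameters are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed identity store: username -> (salt, PBKDF2-SHA256 hash of the password).
# The passwords are demo values only.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _enroll(password: str) -> tuple:
    """Issue a credential record from an authoritative source (the enrollment step)."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


IDENTITIES = {
    "alice": _enroll("correct horse battery staple"),  # SOC analyst
    "bob": _enroll("hunter2-but-much-longer"),         # system administrator
}

# Constructed authorization table: username -> resource -> allowed actions.
# Granted separately from authentication by an administrator or resource owner.
PERMISSIONS = {
    "alice": {"siem": {"read"}},
    "bob": {"siem": {"read", "write"}, "firewall": {"read", "write"}},
}


def identify(username: str) -> bool:
    """Identification: the entity asserts who it is; we only check the identity is known."""
    return username in IDENTITIES


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the presented credential against the stored record."""
    record = IDENTITIES.get(username)
    if record is None:
        # Do the same amount of work so response time does not reveal unknown identities.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: what an already authenticated entity may do with a resource."""
    return action in PERMISSIONS.get(username, {}).get(resource, set())


def request_access(username: str, password: str, resource: str, action: str) -> str:
    """Run the three steps in order and report which step stopped the request.

    The distinct outcomes are for illustration; a production system would return the
    same generic failure to the requester for the first two cases.
    """
    if not identify(username):
        return "unknown identity"
    if not authenticate(username, password):
        return "authentication failed"
    if not authorize(username, resource, action):
        return "authenticated but not authorized"
    return "granted"


if __name__ == "__main__":
    # Alice authenticates but is only permitted to read the SIEM, so the write is refused.
    print(request_access("alice", "correct horse battery staple", "siem", "read"))
    print(request_access("alice", "correct horse battery staple", "siem", "write"))
```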
EXAM TIP Remember that authorization consists of the actions an individual can
perform, and is based on their job duties, security clearance, and need-to-know,
Nonrepudiation
To hold entities, such as users, accountable for the actions they perform on objects, we must
be able to conclusively connect their identity to an event. Auditing is useful for recording
light and joy which had flooded earth and heaven. In that beatific moment,
however, no idea of settlements or negotiations, or the suggestion that
Ernest might have done better, or that it was his business and hers to try to
get as much as they could, had entered into her mind. There are well-seasoned
and justly-regulated minds, even of twenty, which understand all
these accessories as well as the oldest of us, and have no nonsense about
them, and are robust enough to enter into the whole question “as a matter of
business.” But Nelly was not one of these. She had a great deal of nonsense
about her. She was shocked, chilled, brought to a stand suddenly, in the first
outset of her independent career. Her love seemed to have ceased to be real,
now that it was being talked about and struggled over, and Ernest, Ernest
himself——. She would not say, even in the depths of her own heart, any
more than this; but her poor little heart gave an inarticulate cry when he
opened up his philosophy to her with so much confidence, and
congratulated himself that she knew nothing of business. Nelly did not
know whether, perhaps, among the strange confusions of this world, he
might not be right. She saw no way out of the maze. She did not know how
she herself, if left to herself, could have bettered it; but her instinctive sense
of what was noble and ignoble, lovely and unlovely, was deeply wounded.
She was put out of harmony with herself and every one. If life was so—if
such gulfs were ready to open under your feet at your very first step in it,
was it worth living? Such was the painful question, not yet put into words,
that breathed through poor Nelly’s heart.
Mr. John Vane was on one side of her, and Ernest on the other; but Mrs.
Everard, who was a great conversationalist, had taken possession of young
Molyneux, and was putting him through a catechism. Nelly did not feel
herself capable of talk, but the kind looks of her next neighbour were
comforting, and he was touched by her downcast, yet bright, face.
“Miss Eastwood,” he said, “may I guess at something? I am a stranger,
but I am a connexion. You know your mother admitted my claims. This is a
solemn family assembly to celebrate something that is to make your