
CISSP Passport, 1st Edition, Bobby E. Rogers
About the Author

Bobby Rogers (he/his/him) is a cybersecurity professional with over 30 years in the information technology and cybersecurity fields. He currently works with a major engineering company in Huntsville, Alabama, helping to secure networks and manage cyber risk for its customers. Bobby’s customers include the U.S. Army, NASA, the State of Tennessee, and private/commercial companies and organizations. His specialties are cybersecurity engineering, security compliance, and cyber risk management, but he has worked in almost every area of cybersecurity, including network defense, computer forensics and incident response, and penetration testing.

Bobby is a retired Master Sergeant from the U.S. Air Force, having served for over 21 years. He has built and secured networks in the United States, Chad, Uganda, South Africa, Germany, Saudi Arabia, Pakistan, Afghanistan, and several other remote locations. His decorations include two Meritorious Service medals, three Air Force Commendation medals, the National Defense Service medal, and several Air Force Achievement medals. He retired from active duty in 2006.

Bobby has a master of science in information assurance and a bachelor of science in computer information systems (with a dual concentration in Russian language), and two associate of science degrees. His many certifications include CISSP-ISSEP, CRISC, CySA+, CEH, and MCSE: Security.

Bobby has narrated and produced over 30 computer training videos for several training companies and currently produces them for Pluralsight (https://www.pluralsight.com). He is also the author of CompTIA Mobility+ All-in-One Exam Guide (Exam MB0-001), CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide, and Mike Meyers’ CompTIA Security+ Certification Guide (Exam SY0-401), and is the contributing author/technical editor for the popular CISSP All-in-One Exam Guide, Ninth Edition, all of which are published by McGraw Hill.

About the Technical Editor


Nichole O’Brien is a creative business leader with over 25 years of experience in cybersecurity and IT leadership, program management, and business development across commercial, education, and federal, state, and local business markets. Her focus on innovative solutions is demonstrated by the development of a commercial cybersecurity and IT business group, which she currently manages in a Fortune 500 corporation and has received the corporation’s annual Outstanding Customer Service Award. She currently serves as Vice President of Outreach for Cyber Huntsville, is on the Foundation Board for the National Cyber Summit, and supports cyber education initiatives like the USSRC Cyber Camp. Nichole has bachelor’s and master’s degrees in business administration and has a CISSP certification.
CISSP Certification Passport

Bobby E. Rogers

New York Chicago San Francisco Athens


London Madrid Mexico City Milan
New Delhi Singapore Sydney Toronto

McGraw Hill is an independent entity from (ISC)²® and is not affiliated with (ISC)² in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)² in any manner. This publication and accompanying media may be used in assisting students to prepare for the CISSP exam. Neither (ISC)² nor McGraw Hill warrants that use of this publication and accompanying media will ensure passing any exam. (ISC)²®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP®, and CBK® are trademarks or registered trademarks of (ISC)² in the United States and certain other countries. All other trademarks are trademarks of their respective owners.
Copyright © 2023 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no
part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and
executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-1-26-427798-8
MHID: 1-26-427798-9

The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-427797-1,
MHID: 1-26-427797-0.

eBook conversion by codeMantra


Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw Hill eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate
training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.

Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work
is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,
distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You
may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to
use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES
OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED
FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA
HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will
meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors
shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages
resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work.
Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of
the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or
cause arises in contract, tort or otherwise.
I’d like to dedicate this book to the cybersecurity professionals who tirelessly, and sometimes thanklessly, protect our information and systems from all who would do them harm.

I also dedicate this book to the people who serve in uniform as military personnel, public safety professionals, police, firefighters, and medical professionals, sacrificing sometimes all that they are and have so that we may all live in peace, security, and safety.

—Bobby Rogers

Contents at a Glance

1.0 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


2.0 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
3.0 Security Architecture and Engineering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.0 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
5.0 Identity and Access Management (IAM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
6.0 Security Assessment and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
7.0 Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
8.0 Sotware Development Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
A About the Online Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431


Contents

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix

1.0 Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


Objective 1.1 Understand, adhere to,
and promote professional ethics . . . . . . . . . . . . . . . . . . . . . . . . . . 2
The (ISC)2 Code of Ethics                                              3
Code of Ethics Preamble                                         3
Code of Ethics Canons                                          3
Organizational Code of Ethics                                          4
Workplace Ethics Statements and Policies                          4
Other Sources for Ethics Requirements                             5
REVIEW                                                          7
1.1 QUESTIONS                                               7
1.1 ANSWERS                                                8
Objective 1.2 Understand and apply security concepts . . . . . . . . . . . 9
Security Concepts                                                   9
Data, Information, Systems, and Entities                            9
Confidentiality                                                10
Integrity                                                      11
Availability                                                   11
Supporting Tenets of Information Security                                11
Identification                                                  11
Authentication                                                11
Authenticity                                                  12
Authorization                                                 12
Auditing and Accountability                                      12
Nonrepudiation                                                12
Supporting Security Concepts                                    13


REVIEW                                                          14
1.2 QUESTIONS                                               14
1.2 ANSWERS                                                15
Objective 1.3 Evaluate and apply security governance principles . . . 16
Security Governance                                                 16
External Governance                                            16
Internal Governance                                            16
Alignment of Security Functions to Business Requirements                  17
Business Strategy and Security Strategy                            17
Organizational Processes                                        18
Organizational Roles and Responsibilities                           18
Security Control Frameworks                                     19
Due Care/Due Diligence                                         20
REVIEW                                                          21
1.3 QUESTIONS                                               21
1.3 ANSWERS                                                22
Objective 1.4 Determine compliance and other requirements . . . . . . 23
Compliance                                                        23
Legal and Regulatory Compliance                                 24
Contractual Compliance                                         25
Compliance with Industry Standards                               25
Privacy Requirements                                           25
REVIEW                                                          26
1.4 QUESTIONS                                               27
1.4 ANSWERS                                                28
Objective 1.5 Understand legal and regulatory issues that pertain to
information security in a holistic context. . . . . . . . . . . . . . . . . . . . 29
Legal and Regulatory Requirements                                     29
Cybercrimes                                                  29
Licensing and Intellectual Property Requirements                     30
Import/Export Controls                                          31
Transborder Data Flow                                          32
Privacy Issues                                                 32
REVIEW                                                          33
1.5 QUESTIONS                                               33
1.5 ANSWERS                                                34
Objective 1.6 Understand requirements for investigation types (i.e.,
administrative, criminal, civil, regulatory, industry standards) . . . 35
Investigations                                                      35
Administrative Investigations                                     35
Civil Investigations                                             35
Criminal Investigations                                          36
Regulatory Investigations                                        36
Industry Standards for Investigations                              37
REVIEW                                                          37
1.6 QUESTIONS                                               38
1.6 ANSWERS                                                39
Objective 1.7 Develop, document, and implement security policy,
standards, procedures, and guidelines . . . . . . . . . . . . . . . . . . . . . 39
Internal Governance                                                 40
Policy                                                        40
Procedures                                                   40
Standards                                                    41
Guidelines                                                    41
Baselines                                                    42
REVIEW                                                          42
1.7 QUESTIONS                                               43
1.7 ANSWERS                                                44
Objective 1.8 Identify, analyze, and prioritize Business Continuity (BC)
requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Business Continuity                                                  45
Business Impact Analysis                                        46
Developing the BIA                                             46
REVIEW                                                          47
1.8 QUESTIONS                                               47
1.8 ANSWERS                                                48
Objective 1.9 Contribute to and enforce personnel security policies
and procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Personnel Security                                                   49
Candidate Screening and Hiring                                   49
Employment Agreements and Policies                              50
Onboarding, Transfers, and Termination Processes                    50
Vendor, Consultant, and Contractor Agreements and Controls           52
Compliance Policy Requirements                                  53
Privacy Policy Requirements                                      53
REVIEW                                                          54
1.9 QUESTIONS                                               55
1.9 ANSWERS                                                56
Objective 1.10 Understand and apply risk management concepts . . . 57
Risk Management                                                   57
Elements of Risk                                               57
Identify Threats and Vulnerabilities                                59

Risk Assessment/Analysis                                       60
Risk Response                                                 63
Risk Frameworks                                               64
Countermeasure Selection and Implementation                      64
Applicable Types of Controls                                     65
Control Assessments (Security and Privacy)                         66
Monitoring and Measurement                                    67
Reporting                                                    67
Continuous Improvement                                        68
REVIEW                                                          68
1.10 QUESTIONS                                              69
1.10 ANSWERS                                               69
Objective 1.11 Understand and apply threat modeling concepts and
methodologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Threat Modeling                                                    70
Threat Components                                            70
Threat Modeling Methodologies                                  72
REVIEW                                                          73
1.11 QUESTIONS                                              73
1.11 ANSWERS                                               73
Objective 1.12 Apply Supply Chain Risk Management
(SCRM) concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Supply Chain Risk Management                                        74
Risks Associated with Hardware, Software, and Services              74
Third-Party Assessment and Monitoring                            76
Minimum Security Requirements                                  77
Service Level Requirements                                      77
REVIEW                                                          77
1.12 QUESTIONS                                              78
1.12 ANSWERS                                               79
Objective 1.13 Establish and maintain a security awareness, education,
and training program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Security Awareness, Education, and Training Program                      80
Methods and Techniques to Present Awareness and Training           80
Periodic Content Reviews                                        82
Program Effectiveness Evaluation                                 82
REVIEW                                                          82
1.13 QUESTIONS                                              83
1.13 ANSWERS                                               84

2.0 Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85


Objective 2.1 Identify and classify information and assets. . . . . . . . . 86
Asset Classification                                                  86
Data Classification                                                  87
REVIEW                                                          89
2.1 QUESTIONS                                               89
2.1 ANSWERS                                                90
Objective 2.2 Establish information and asset handling
requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Information and Asset Handling                                        90
Handling Requirements                                         91
Information Classification and Handling Systems                     93
REVIEW                                                          94
2.2 QUESTIONS                                               95
2.2 ANSWERS                                                95
Objective 2.3 Provision resources securely . . . . . . . . . . . . . . . . . . . . . 96
Securing Resources                                                  96
Asset Ownership                                              96
Asset Inventory                                                96
Asset Management                                            97
REVIEW                                                          98
2.3 QUESTIONS                                               99
2.3 ANSWERS                                                99
Objective 2.4 Manage data lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Managing the Data Life Cycle                                          100
Data Roles                                                   100
Data Collection                                                102
Data Location                                                 102
Data Maintenance                                             102
Data Retention                                                103
Data Remanence                                              103
Data Destruction                                               103
REVIEW                                                          104
2.4 QUESTIONS                                               104
2.4 ANSWERS                                                105
Objective 2.5 Ensure appropriate asset retention
(e.g., End-of-Life (EOL), End-of-Support (EOS)). . . . . . . . . . . . . . . 105
Asset Retention                                                     105
Asset Life Cycle                                               106
End-of-Life and End-of-Support                                   106

REVIEW                                                          108
2.5 QUESTIONS                                               108
2.5 ANSWERS                                                108
Objective 2.6 Determine data security controls and compliance
requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Data Security and Compliance                                         109
Data States                                                   109
Control Standards Selection                                      110
Scoping and Tailoring Data Security Controls                        111
Data Protection Methods                                        111
REVIEW                                                          113
26 QUESTIONS                                               113
26 ANSWERS                                                114
3.0 Security Architecture and Engineering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Objective 3.1 Research, implement, and manage engineering
processes using secure design principles . . . . . . . . . . . . . . . . . . . 116
Threat Modeling                                                    116
Least Privilege                                                      116
Defense in Depth                                                    117
Secure Defaults                                                     117
Fail Securely                                                       117
Separation of Duties                                                 118
Keep It Simple                                                      119
Zero Trust                                                          119
Privacy by Design                                                   119
Trust But Verify                                                     119
Shared Responsibility                                                120
REVIEW                                                          120
31 QUESTIONS                                               121
31 ANSWERS                                                122
Objective 3.2 Understand the fundamental concepts of security
models (e.g., Biba, Star Model, Bell-LaPadula) . . . . . . . . . . . . . . . 122
Security Models                                                    122
Terms and Concepts                                            123
System States and Processing Modes                              124
Confidentiality Models                                          126
Integrity Models                                               127
Other Access Control Models                                     128
REVIEW                                                          128
32 QUESTIONS                                               129
32 ANSWERS                                                130
Objective 3.3 Select controls based upon systems security
requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Selecting Security Controls                                            130
Performance and Functional Requirements                          131
Data Protection Requirements                                    131
Governance Requirements                                       132
Interface Requirements                                         132
Risk Response Requirements                                     133
REVIEW                                                          133
33 QUESTIONS                                               134
33 ANSWERS                                                134
Objective 3.4 Understand security capabilities of Information Systems
(IS) (e.g., memory protection, Trusted Platform Module (TPM),
encryption/decryption) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Information System Security Capabilities                                 135
Hardware and Firmware System Security                           135
Secure Processing                                             137
REVIEW                                                          138
34 QUESTIONS                                               139
34 ANSWERS                                                139
Objective 3.5 Assess and mitigate the vulnerabilities of security
architectures, designs, and solution elements . . . . . . . . . . . . . . . 139
Vulnerabilities of Security Architectures, Designs, and Solutions              140
Client-Based Systems                                           140
Server-Based Systems                                          140
Distributed Systems                                            141
Database Systems                                             141
Cryptographic Systems                                          142
Industrial Control Systems                                       142
Internet of Things                                              143
Embedded Systems                                            143
Cloud-Based Systems                                           144
Virtualized Systems                                            145
Containerization                                               146
Microservices                                                 146
Serverless                                                    146
High-Performance Computing Systems                             146
Edge Computing Systems                                        146
REVIEW                                                          147
35 QUESTIONS                                               148
35 ANSWERS                                                148
Objective 3.6 Select and determine cryptographic solutions . . . . . . . 148
Cryptography                                                       149
Cryptographic Life Cycle                                         149
Cryptographic Methods                                         151
Integrity                                                      154
Hybrid Cryptography                                            155
Digital Certificates                                             156
Public Key Infrastructure                                        156
Nonrepudiation and Digital Signatures                             158
Key Management Practices                                      158
REVIEW                                                          159
36 QUESTIONS                                               160
36 ANSWERS                                                161
Objective 3.7 Understand methods of cryptanalytic attacks. . . . . . . . 161
Cryptanalytic Attacks                                                161
Brute Force                                                   162
Ciphertext Only                                                162
Known Plaintext                                               162
Chosen Ciphertext and Chosen Plaintext                            163
Frequency Analysis                                             163
Implementation                                                163
Side Channel                                                  163
Fault Injection                                                 164
Timing                                                       164
Man-in-the-Middle (On-Path)                                     164
Pass the Hash                                                 165
Kerberos Exploitation                                           165
Ransomware                                                  165
REVIEW                                                          166
37 QUESTIONS                                               166
37 ANSWERS                                                167
Objective 3.8 Apply security principles to site and facility design . . . 167
Site and Facility Design                                               167
Site Planning                                                  167
Secure Design Principles                                        168
REVIEW                                                          172
38 QUESTIONS                                               172
38 ANSWERS                                                173
Objective 3.9 Design site and facility security controls . . . . . . . . . . . . 173
Designing Facility Security Controls                                     173
Crime Prevention Through Environmental Design                     174
Key Facility Areas of Concern                                     174
REVIEW                                                          181
39 QUESTIONS                                               181
39 ANSWERS                                                182
4.0 Communication and Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Objective 4.1 Assess and implement secure design principles
in network architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Fundamental Networking Concepts                                     184
Open Systems Interconnection and Transmission Control Protocol/Internet
Protocol Models                                             185
Internet Protocol Networking                                     187
Secure Protocols                                               189
Application of Secure Networking Concepts                              193
Implications of Multilayer Protocols                               193
Converged Protocols                                            194
Micro-segmentation                                            195
Wireless Technologies                                               197
Wireless Theory and Signaling                                   197
Wi-Fi                                                        199
Bluetooth                                                    202
Zigbee                                                       202
Satellite                                                     203
Li-Fi                                                         203
Cellular Networks                                              204
Content Distribution Networks                                         205
REVIEW                                                          206
41 QUESTIONS                                               206
41 ANSWERS                                                207
Objective 4.2 Secure network components . . . . . . . . . . . . . . . . . . . . . 207
Network Security Design and Components                               208
Operation of Hardware                                          208
Transmission Media                                            212
Endpoint Security                                              213
REVIEW                                                          214
42 QUESTIONS                                               214
42 ANSWERS                                                214
Objective 4.3 Implement secure communication channels
according to design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Securing Communications Channels                                     215
Voice                                                        215
Multimedia Collaboration                                        218
Remote Access                                                219
Data Communications                                          220
Virtualized Networks                                           222
Third-Party Connectivity                                         222
REVIEW                                                          223
43 QUESTIONS                                               223
43 ANSWERS                                                224
5.0 Identity and Access Management (IAM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Objective 5.1 Control physical and logical access to assets . . . . . . . . 226
Controlling Logical and Physical Access                                  226
Logical Access                                                227
Physical Access                                               228
REVIEW                                                          228
51 QUESTIONS                                               228
51 ANSWERS                                                229
Objective 5.2 Manage identification and authentication of people,
devices, and services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Identification and Authentication                                       229
Identity Management Implementation                              230
Single/Multifactor Authentication                                 230
Accountability                                                 231
Session Management                                           232
Registration, Proofing, and Establishment of Identity                  232
Federated Identity Management                                  233
Credential Management Systems                                 233
Single Sign-On                                                234
Just-in-Time                                                  234
REVIEW                                                          235
52 QUESTIONS                                               236
52 ANSWERS                                                236
Objective 5.3 Federated identity with a third-party service . . . . . . . . 237
Third-Party Identity Services                                           237
On-Premise                                                   237
Cloud                                                        238
Hybrid                                                       238
REVIEW                                                          238
53 QUESTIONS                                               239
53 ANSWERS                                                239
Objective 5.4 Implement and manage authorization mechanisms. . . 239
Authorization Mechanisms and Models                                  240
Discretionary Access Control                                     241
Mandatory Access Control                                       241
Role-Based Access Control                                      242
Rule-Based Access Control                                      242
Attribute-Based Access Control                                   243
Risk-Based Access Control                                       243
REVIEW                                                          243
54 QUESTIONS                                               244
54 ANSWERS                                                244
Objective 5.5 Manage the identity and access provisioning
lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Identity and Access Provisioning Life Cycle                               245
Provisioning and Deprovisioning                                  245
Role Definition                                                247
Privilege Escalation                                            248
Account Access Review                                              249
REVIEW                                                          251
55 QUESTIONS                                               251
55 ANSWERS                                                252
Objective 5.6 Implement authentication systems . . . . . . . . . . . . . . . . 252
Authentication Systems                                              252
Open Authorization                                             253
OpenID Connect                                               253
Security Assertion Markup Language                              253
Kerberos                                                     254
Remote Access Authentication and Authorization                    256
REVIEW                                                          257
56 QUESTIONS                                               257
56 ANSWERS                                                258
6.0 Security Assessment and esting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Objective 6.1 Design and validate assessment,
test, and audit strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Defining Assessments, Tests, and Audits                                 260
Designing and Validating Evaluations                                    261
Goals and Strategies                                           261
Use of Internal, External, and Third-Party Assessors                   262
REVIEW                                                          263
61 QUESTIONS                                               263
61 ANSWERS                                                264
Objective 6.2 Conduct security control testing . . . . . . . . . . . . . . . . . . 264
Security Control Testing                                              264
Vulnerability Assessment                                        265
Penetration Testing                                             265
Log Reviews                                                  267
Synthetic Transactions                                          268
Code Review and Testing                                        268
Misuse Case Testing                                           269
Test Coverage Analysis                                         269
Interface Testing                                               269
Breach Attack Simulations                                       270
Compliance Checks                                             270
REVIEW                                                          271
62 QUESTIONS                                               271
62 ANSWERS                                                272
Objective 6.3 Collect security process data (e.g., technical and
administrative) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Security Data                                                       272
Security Process Data                                           273
REVIEW                                                          275
63 QUESTIONS                                               276
63 ANSWERS                                                276
Objective 6.4 Analyze test output and generate report . . . . . . . . . . . . 277
Test Results and Reporting                                            277
Analyzing the Test Results                                       277
Reporting                                                    278
Remediation, Exception Handling, and Ethical Disclosure              278
REVIEW                                                          280
64 QUESTIONS                                               280
64 ANSWERS                                                280
Objective 6.5 Conduct or facilitate security audits . . . . . . . . . . . . . . . 281
Conducting Security Audits                                            281
Internal Security Auditors                                        282
External Security Auditors                                       282
Third-Party Security Auditors                                     283
REVIEW                                                          284
65 QUESTIONS                                               284
65 ANSWERS                                                284
7.0 Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Objective 7.1 Understand and comply with investigations . . . . . . . . 286
Investigations                                                     286
Forensic Investigations                                          287
Evidence Collection and Handling                                 287
Digital Forensics Tools, Tactics, and Procedures                      290
Investigative Techniques                                        291
Reporting and Documentation                                    292
REVIEW                                                          293
71 QUESTIONS                                               294
71 ANSWERS                                                294
Objective 7.2 Conduct logging and monitoring activities. . . . . . . . . . 295
Logging and Monitoring                                              295
Continuous Monitoring                                          296
Intrusion Detection and Prevention                                296
Security Information and Event Management                        297
Egress Monitoring                                             297
Log Management                                              298
Threat Intelligence                                             298
User and Entity Behavior Analytics                                301
REVIEW                                                          302
72 QUESTIONS                                               303
72 ANSWERS                                                304
Objective 7.3 Perform Configuration Management (CM)
(e.g., provisioning, baselining, automation) . . . . . . . . . . . . . . . . . 304
Configuration Management Activities                                   304
Provisioning                                                  305
Baselining                                                    305
Automating the Configuration Management Process                  306
REVIEW                                                          306
7.3 QUESTIONS                                                   307
7.3 ANSWERS                                                     307
Objective 7.4 Apply foundational security operations concepts . . . . 308
Security Operations                                                  308
Need-to-Know/Least Privilege                                    308
Separation of Duties and Responsibilities                           309
Privileged Account Management                                  310
Job Rotation                                                  311
Service Level Agreements                                       312
REVIEW                                                          313
7.4 QUESTIONS                                                   314
7.4 ANSWERS                                                     314
xxii CISSP Passport

Objective 7.5 Apply resource protection . . . . . . . . . . . . . . . . . . . . . . . 314
Media Management and Protection                                     315
Media Management                                            315
Media Protection Techniques                                     315
REVIEW                                                          317
7.5 QUESTIONS                                                   317
7.5 ANSWERS                                                     318
Objective 7.6 Conduct incident management . . . . . . . . . . . . . . . . . . . 318
Security Incident Management                                         318
Incident Management Life Cycle                                  319
REVIEW                                                          324
7.6 QUESTIONS                                                   325
7.6 ANSWERS                                                     326
Objective 7.7 Operate and maintain detective and preventative
measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Detective and Preventive Controls                                      326
Allow-Listing and Deny-Listing                                   327
Firewalls                                                     328
Intrusion Detection Systems and Intrusion Prevention Systems          331
Third-Party Provided Security Services                             332
Honeypots and Honeynets                                       333
Anti-malware                                                 334
Sandboxing                                                   335
Machine Learning and Artificial Intelligence                         336
REVIEW                                                          336
7.7 QUESTIONS                                                   338
7.7 ANSWERS                                                     338
Objective 7.8 Implement and support patch and vulnerability
management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Patch and Vulnerability Management                                    339
Managing Vulnerabilities                                        339
Managing Patches and Updates                                  340
REVIEW                                                          342
7.8 QUESTIONS                                                   342
7.8 ANSWERS                                                     343
Objective 7.9 Understand and participate in change management
processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Change Management                                                344
Change Management Processes                                  344
REVIEW                                                          347
7.9 QUESTIONS                                                   347
7.9 ANSWERS                                                     348
Objective 7.10 Implement recovery strategies . . . . . . . . . . . . . . . . . . . 348
Recovery Strategies                                                 348
Backup Storage Strategies                                       348
Recovery Site Strategies                                        351
Multiple Processing Sites                                        352
Resiliency                                                    355
High Availability                                               355
Quality of Service                                              356
Fault Tolerance                                                356
REVIEW                                                          357
7.10 QUESTIONS                                                  358
7.10 ANSWERS                                                    359
Objective 7.11 Implement Disaster Recovery (DR) processes. . . . . . . 359
Disaster Recovery                                                   359
Saving Lives and Preventing Harm to People                         360
The Disaster Recovery Plan                                            360
Response                                                    361
Personnel                                                    361
Communications                                               361
Assessment                                                  363
Restoration                                                   363
Training and Awareness                                         364
Lessons Learned                                               364
REVIEW                                                          365
7.11 QUESTIONS                                                  366
7.11 ANSWERS                                                    367
Objective 7.12 Test Disaster Recovery Plans (DRP). . . . . . . . . . . . . . . . 367
Testing the Disaster Recovery Plan                                      367
Read-Through/Tabletop                                         368
Walk-Through                                                 369
Simulation                                                    369
Parallel Testing                                                370
Full Interruption                                               370
REVIEW                                                          371
7.12 QUESTIONS                                                  371
7.12 ANSWERS                                                    372
Objective 7.13 Participate in Business Continuity (BC) planning
and exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Business Continuity                                                  372
Business Continuity Planning                                     373
Business Continuity Exercises                                    375
REVIEW                                                          376
7.13 QUESTIONS                                                  376
7.13 ANSWERS                                                    377
Objective 7.14 Implement and manage physical security . . . . . . . . . . 377
Physical Security                                                    377
Perimeter Security Controls                                      378
Internal Security Controls                                        382
REVIEW                                                          386
7.14 QUESTIONS                                                  387
7.14 ANSWERS                                                    387
Objective 7.15 Address personnel safety and security concerns . . . . 388
Personnel Safety and Security                                         388
Travel                                                       388
Security Training and Awareness                                  389
Emergency Management                                        389
Duress                                                       390
REVIEW                                                          391
7.15 QUESTIONS                                                  391
7.15 ANSWERS                                                    392
8.0 Software Development Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Objective 8.1 Understand and integrate security in the Software
Development Life Cycle (SDLC) . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Software Development Life Cycle                                       394
Development Methodologies                                     395
Maturity Models                                               398
Operation and Maintenance                                      400
Change Management                                           401
Integrated Product Team                                        401
REVIEW                                                          401
8.1 QUESTIONS                                                   402
8.1 ANSWERS                                                     403
Objective 8.2 Identify and apply security controls in software
development ecosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Security Controls in Software Development                               403
Programming Languages                                        404
Libraries                                                     405
Tool Sets                                                     406
Integrated Development Environment                              406
Runtime                                                      406
Continuous Integration and Continuous Delivery                      407
Security Orchestration, Automation, and Response                   407
Software Configuration Management                              408
Code Repositories                                              408
Application Security Testing                                      408
REVIEW                                                          411
8.2 QUESTIONS                                                   411
8.2 ANSWERS                                                     412
Objective 8.3 Assess the effectiveness of software security. . . . . . . . 412
Software Security Effectiveness                                        412
Auditing and Logging Changes                                    413
Risk Analysis and Mitigation                                     413
REVIEW                                                          415
8.3 QUESTIONS                                                   415
8.3 ANSWERS                                                     415
Objective 8.4 Assess security impact of acquired software . . . . . . . . 416
Security Impact of Acquired Software                                   416
Commercial-off-the-Shelf Software                                416
Open-Source Software                                          417
Third-Party Software                                           417
Managed Services                                             418
REVIEW                                                          419
8.4 QUESTIONS                                                   419
8.4 ANSWERS                                                     420
Objective 8.5 Define and apply secure coding guidelines
and standards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Secure Coding Guidelines and Standards                                 420
Security Weaknesses and Vulnerabilities at the Source-Code Level      420
Security of Application Programming Interfaces                      421
Secure Coding Practices                                         422
Software-Defined Security                                       424
REVIEW                                                          424
8.5 QUESTIONS                                                   425
8.5 ANSWERS                                                     425
A About the Online Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
System Requirements                                                427
Your Total Seminars Training Hub Account                                427
Privacy Notice                                                 427
Single User License Terms and Conditions                                427
TotalTester Online                                                   429
Technical Support                                                   429

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Acknowledgments

A book isn’t simply written by one person; so many people had key roles in the production of this study guide, so I’d like to take this opportunity to acknowledge and thank them. First and foremost, I would like to thank the folks at McGraw Hill, Wendy Rinaldi, Caitlin Cromley-Linn, and Janet Walden. All three worked hard to keep me on track and made sure that this book met the highest standards of quality. They are awesome people to work with, and I’m grateful once again to work with them!

I would also like to sincerely thank Nitesh Sharma, Senior Project Manager, KnowledgeWorks Global Ltd, who worked on the post-production for the book, and Bill McManus, who did the copyediting work for the book. They are also great folks to work with. Nitesh was so patient and professional with me at various times when I did not exactly meet a deadline and I’m so grateful for that. I’ve worked with Bill a few times on different book projects, and I must admit I’m always in awe of him (and a bit intimidated by him, but really glad in the end to have him help on my projects), since he is an awesome copyeditor who catches every single one of the plentiful mistakes I make during the writing process. I have also gained a significant respect for Bill’s knowledge of cybersecurity, as he’s always been able to key in on small nuances of wonky explanations that even I didn’t catch and suggest better ways to write them. He’s the perfect person to make sure this book flows well, is understandable to a reader, and is a higher-quality resource. Thank you, Bill!

There are many other people on the production side who contributed significantly to the publication of this book, including Rachel Fogelberg, Ted Laux, Thomas Somers, and Jeff Weeks, as well as others. My sincere thanks to them all for their hard work.

I also want to thank my family for their patience and understanding as I took time away from them to write this book. I owe them a great deal of time I can never pay back, and I am very grateful for their love and support.

And last, but certainly not least, I want to thank the technical editor, Nichole O’Brien. I’ve worked with Nichole on tons of real-world cybersecurity projects off and on for at least ten years now. I’ve lost count of how many proposals, risk assessment reports, customer meetings, and cyber-related problems she has suffered through with me, yet she didn’t hesitate to jump in and become the technical editor for this book. Nichole is absolutely one of the smartest businesspeople I know in cybersecurity, as well as simply a really good person, and I have an infinite amount of professional and personal respect for her. This book is so much better for having her there to correct my mistakes, ask critical questions, make me do more research, and add a different and unique perspective to the process. Thanks, Nichole!

—Bobby Rogers
Introduction

Welcome to CISSP Passport! This book is focused on helping you to pass the Certified Information Systems Security Professional (CISSP) certification examination from the International Information System Security Certification Consortium, or (ISC)². The idea behind the Passport series is to give you a concise study guide for learning the key elements of the certification exam from the perspective of the required objectives published by (ISC)², in their CISSP Certification Exam Outline. Cybersecurity professionals can review the experience requirements set forth by (ISC)² at https://www.isc2.org/Certifications/CISSP/experience-requirements. The basic requirement is five years of cumulative paid work experience in two or more of the eight CISSP domains, or four years of such experience plus either a four-year college degree or an additional credential from the (ISC)² approved list. (ISC)² requires that you document this experience before you can be fully certified as a CISSP. For those candidates who do not yet meet the experience requirements, they may achieve Associate of (ISC)² status by passing the examination. Associates of (ISC)² are then allowed up to six years to accumulate the required five years of experience to become full CISSPs.

The eight domains and the approximate percentage of exam questions they represent are as follows:

• Security and Risk Management (15%)
• Asset Security (10%)
• Security Architecture and Engineering (13%)
• Communication and Network Security (13%)
• Identity and Access Management (IAM) (13%)
• Security Assessment and Testing (12%)
• Security Operations (13%)
• Software Development Security (11%)

CISSP Passport assumes that you have already studied long and hard for the CISSP exam and now just need a quick refresher before you take the exam. This book is meant to be a “no fluff” concise study guide with quick facts, definitions, memory aids, charts, and brief explanations. Because this guide gives you the key concepts and facts, and not the in-depth
explanations surrounding those facts, you should not use this guide as your only study source to prepare for the CISSP exam. There are numerous books you can use for your deep studying, such as CISSP All-in-One Exam Guide, Ninth Edition, also from McGraw Hill.

I recommend that you use this guide to reinforce your knowledge of key terms and concepts and to review the broad scope of topics quickly in the final few days before your CISSP exam, after you’ve done all of your “deep” studying. This guide will help you memorize fast facts, as well as refresh your memory about topics you may not have studied for a while.

This guide is organized around the most recent CISSP exam domains and objectives released by (ISC)², which is May 1, 2021 at the time of writing this book. Keep in mind that (ISC)² reserves the right to change or update the exam objectives anytime at its sole discretion and without any prior notice, so you should check the (ISC)² website for any recent changes before you begin reading this guide and again a week or so before taking the exam to make sure you are studying the most updated materials.

The structure of this study guide parallels the structure of the eight CISSP domains published by (ISC)², presented in the same numerical order in the book, with individual domain objectives also ordered by objective number in each domain. Each domain in this guide is equivalent to a regular book chapter, so this guide has eight considerably large “chapters” with individual sections devoted to the objective numbers. This organization is intended to help you learn and master each objective in a logical way. Because some domain objectives overlap, you will see a bit of redundancy in topics discussed throughout the book; where this is the case, the topic is presented in its proper context within the current domain objective and you’ll see a cross-reference to the other objective(s) in which the same topic is discussed.

Each domain contains the following useful items to call out points of interest.

EXAM TIP Indicates critical topics you’re likely to see on the actual exam

NOTE Points out ancillary but pertinent information, as well as areas for further study

CAUTION Warns you of common pitfalls, misconceptions, and potentially harmful or risky situations when working with the technology in the real world

Cross-Reference Directs you to other places in the book where concepts are covered, for your reference

ADDITIONAL RESOURCES Identifies where you can find books, websites, and other media for further assistance

The end of each objective gives you two handy tools. The “Review” section provides a synopsis of the objective—a great way to quickly review the critical information. Then the “Questions” and “Answers” sections enable you to test your newly acquired knowledge. For further study, this book includes access to online practice exams that will help to prepare you for taking the exam itself. All the information you need for accessing the exam questions is provided in the appendix. I recommend that you take the practice exams to identify where you have knowledge gaps and then go back and review the relevant material as needed.

I hope this book is helpful to you not only in studying for the CISSP exam but also as a quick reference guide you’ll use in your professional life. Thanks for picking this book to help you study, and good luck on the exam!
DOMAIN 1.0 Security and Risk Management

Domain Objectives

• 1.1 Understand, adhere to, and promote professional ethics.
• 1.2 Understand and apply security concepts.
• 1.3 Evaluate and apply security governance principles.
• 1.4 Determine compliance and other requirements.
• 1.5 Understand legal and regulatory issues that pertain to information security
in a holistic context.
• 1.6 Understand requirements for investigation types (i.e., administrative,
criminal, civil, regulatory, industry standards).
• 1.7 Develop, document, and implement security policy, standards, procedures,
and guidelines.
• 1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements.
• 1.9 Contribute to and enforce personnel security policies and procedures.
• 1.10 Understand and apply risk management concepts.
• 1.11 Understand and apply threat modeling concepts and methodologies.
• 1.12 Apply Supply Chain Risk Management (SCRM) concepts.
• 1.13 Establish and maintain a security awareness, education, and training
program.


Domain 1, “Security and Risk Management,” is one of the key domains in understanding critical security principles that you will encounter on the CISSP exam. The majority of the topics in this domain include the administrative or managerial security measures put in place to manage a security program. In this domain you will learn about professional ethics and important fundamental security concepts. We will discuss governance and compliance, investigations, security policies, and other critical management concepts. We will also delve into business continuity, personnel security, and the all-important risk management processes. We’ll also discuss threat modeling, explore supply chain risk management, and finish the domain by examining the different aspects of security training and awareness programs. These are all very important concepts that will help you to understand the subsequent domains, since they provide the foundations of knowledge you need to be successful on the exam.

Objective 1.1 Understand, adhere to, and promote professional ethics

The fact that (ISC)2 places professional ethics as the first objective in the first domain of the CISSP exam requirements speaks volumes about the importance of ethics and ethical behavior in our profession. The continuing increases in network breaches, data loss, and ransomware demonstrate the criticality of ethical conduct in this expanding information security landscape. Our information systems security workforce is expanding at a rapid pace, and these new recruits need to understand the professional discipline required to succeed. Some may enter the field because they expect to make a lot of money, but ultimately competence, integrity, and trustworthiness are the qualities necessary for success. Most professions have published standards for ethical behavior, such as healthcare, law enforcement, accounting, and many other professions. In fact, you would be hard-pressed to find a profession that does not have at least some type of minimal ethical requirements for professional conduct.

While exam objective 1.1 is the only objective that explicitly covers ethics and professional conduct, it’s important to emphasize them, since you will be expected to know them on the exam and, more importantly, you will be expected to uphold them to maintain your CISSP status. The first part of this exam objective covers the core ethical requirements from (ISC)2 itself. Absent any other ethical standards that you may also be required to uphold in your profession, from your organization, your customers, and even any other certifications you hold, the (ISC)2 Code of Ethics should be sufficient to guide you in ethical behavior and professional conduct while you are employed as an information systems security professional for as long as you hold the CISSP certification. The second part of the objective reviews other sources of professional ethics that guide your conduct, such as those from industry or professional organizations. First, let’s look at the (ISC)2 Code of Ethics.

The (ISC)2 Code of Ethics


The (ISC)2 Code of Ethics, located on the (ISC)2 website at https://www.isc2.org/Ethics#,
consists of a preamble and four mandatory canons. Additionally, the web page includes a
comprehensive set of ethics complaint procedures for filing ethics complaints against certified
members. The complaint procedures are designed to detail how someone might formally
accuse a certified member of violating one or more of the four canons.

NOTE (ISC)2 updates the Code of Ethics from time to time, so it is best to
occasionally go to the (ISC)2 website and review it for any changes. This allows you
to keep up with current requirements and serves to remind you of your ethical and
professional responsibilities.

Code of Ethics Preamble


The Code of Ethics Preamble simply states that people who are bound to the code must adhere
to the highest ethical standards of behavior, and that the code is a condition of certification.
Per the (ISC)2 site (https://www.isc2.org/Ethics#), the preamble states (at the time of writing):

“The safety and welfare of society and the common good, duty to our principals, and to
each other, requires that we adhere, and be seen to adhere, to the highest ethical
standards of behavior. Therefore, strict adherence to this Code is a condition of certification.”

Code of Ethics Canons


The Code of Ethics Canons dictate the more specific requirements that certification holders
must obey. According to the ethics complaint procedures detailed by (ISC)2, violation of any of
these canons is grounds for the certificate holder to have their certification revoked. The canons
are as follows:

I. Protect society, the common good, necessary public trust and confidence, and the
infrastructure.
II. Act honorably, honestly, justly, responsibly, and legally.
III. Provide diligent and competent service to principals.
IV. Advance and protect the profession.

Obviously, these canons are intentionally broad and, unfortunately, someone could construe
them to fit almost any type of act by a CISSP, accidental or malicious, into one of these
categories. However, the ethics complaint procedures specify a burden of proof involved with
making a complaint against the certification holder for violation of these canons. The complaint
procedures, set forth in the “Standing of Complainant” section, specify that “complaints
will be accepted only from those who claim to be injured by the alleged behavior.” Anyone
with knowledge of a breach of Canons I or II may file a complaint against someone, but only
principals, which are employers or customers of the certificate holder, can lodge a complaint
about any violation of Canon III, and only other certified professionals may register complaints
about violations of Canon IV.
Also according to the ethics complaint procedures, the complaint goes before an ethics
committee, which hears complaints of breaches of the Code of Ethics Canons, and makes a
recommendation to the board. But the board ultimately makes decisions regarding the validity
of complaints, as well as levies the final disciplinary action against the member, if warranted.
A person who has had an ethics complaint lodged against them under these four canons has a
right to respond and comment on the allegations, as there are sound due process procedures
built into this process.

EXAM TIP You should be familiar with the preamble and the four canons of
the (ISC)2 Code of Ethics for the exam. It’s a good idea to go to the (ISC)2 website and
review the most current Code of Ethics shortly before you take the exam.

Organizational Code of Ethics


The second part of exam objective 1.1 encompasses organizational standards and codes of
ethics. Most organizations today have some minimal form of a code of ethics, professional
standards, or behavioral requirements that you must obey to be a member of that organization.
“Organization” in this context means professional organizations, your workplace, your
customer organization, or any other formal, organized body to which you belong or are employed
by. Whether you are a government employee or a private contractor, whether you work for a
volunteer agency or work in a commercial setting, you’re likely required to adhere to some type
of organizational code of ethics. Let’s examine some of the core requirements most
organizational codes of ethics have in common.

Workplace Ethics Statements and Policies


Codes of ethics in the workplace may or may not be documented. Often there is no formalized,
explicit code of ethics document published by the organization, although that may not be the
case, especially in large or publicly traded corporations. More often than not, the requirements
for ethical or professional behavior are stated as a policy or group of policies that apply not
only to the security professionals in the organization but to every employee. For example, there
are usually policies that cover the topics of acceptable use of organizational IT assets, personal
behavior toward others, sexual harassment and bullying, bribery, gifts from external parties,
and so on. Combined, these policies cover the wide range of professional behavior
expectations. These policies may be sponsored and monitored by the human resources department
and are likely found in the organization’s employee handbook. For the organizations that have
explicit professional ethics documents, these usually describe general statements that are not
specific to IT or cybersecurity professionals and direct the employee to behave ethically and
professionally in all matters.

Other Sources for Ethics Requirements


Although not directly testable by the CISSP exam, it’s worth noting that there are other sources
for ethics requirements for technology professionals in general and cybersecurity professionals
in particular. All of these sources contain similar requirements to act in a professional, honest
manner while protecting the interests of customers, employers, and other stakeholders, as
well as to maintain professional integrity and work toward the good of society. The following
subsections describe several sources of professional ethics standards to give you an idea of how
important ethics and professional behavior are across the wide spectrum of not only
cybersecurity but technology in general.

The Computer Ethics Institute


The Computer Ethics Institute (CEI) is a nonprofit policy, education, and research group
founded to promote the study of technology ethics. Its membership includes several
technology-related organizations and prominent technologists, and it is positioned as a forum for
public discussion on a variety of topics affecting the integration of technology and society. The
most well-known of its efforts is the development of the Ten Commandments of Computer
Ethics, which has been used as the basis of several professional codes of ethics and behavior
documents, among them the (ISC)2 Code of Ethics.
The Ten Commandments of Computer Ethics, presented here from the CEI website, are
as follows:

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper
compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the
system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for
your fellow humans.

Institute of Electrical and Electronics Engineers – Computer Society

The Institute of Electrical and Electronics Engineers (IEEE) published a professional Code of
Ethics designed to promulgate ethical behaviors among technology professionals. Although
the IEEE Code of Ethics does not specifically target cybersecurity professionals, its principles
similarly promote professional and ethical behavior among technology professionals in general,
and its requirements closely resemble those of the (ISC)2 Code of Ethics. The more important
points of the IEEE Code of Ethics are summarized as follows:

• Uphold high standards of integrity, responsible behavior, and ethical conduct in
professional activities
• Hold paramount the safety, health, and welfare of the public
• Avoid real or perceived conflicts of interest
• Avoid unlawful conduct
• Treat all persons fairly and with respect
• Ensure the code is upheld by colleagues and coworkers

As you can see, these points are directly aligned with the (ISC)2 Code of Ethics and, as with
many codes of conduct, offer no conflict with other codes that members may be subject to. In
fact, since codes of ethics and professional behavior are often similar, they support and serve
to strengthen the requirements levied on various individuals.

ADDITIONAL RESOURCES In addition to the example of the IEEE Code of
Ethics, numerous other professional organizations that are closely related to or aligned
with cybersecurity professionals also have comparable codes that are worth mentioning.
Another noteworthy example is the Project Management Institute (PMI) Code of Ethics
and Professional Conduct, available at https://www.pmi.org/about/ethics/code.

Governance Ethics Requirements


There also are standards that are imposed as part of regulatory requirements that cover how
technology professionals will comport themselves. Some of these standards don’t specifically
target cybersecurity professionals per se, but they do prescribe ethical behaviors with regard
to data protection, for example, and apply to organizations and personnel alike. Almost all
data protection regulations, such as the EU’s General Data Protection Regulation (GDPR), the
U.S. Health Insurance Portability and Accountability Act (HIPAA), the National Institute of
Standards and Technology (NIST) publications, the Code of Ethics requirements spelled out
in Section 406 of the Sarbanes-Oxley Act of 2002, and countless other laws and regulations,
describe the actions that users and personnel with privileged access to sensitive data must take
to protect that data from a legal and ethical perspective in order to comply with security,
privacy, and other governance requirements.

REVIEW
Objective 1.1: Understand, adhere to, and promote professional ethics In this objective
we focused on one of the more important objectives for the CISSP exam—one that’s often
overlooked in exam prep. We discussed codes of ethics, which are requirements intended
to guide our professional behavior. We specifically examined the (ISC)2 Code of Ethics,
as that is the most relevant to the exam. The Code of Ethics consists of a preamble and
four mandatory canons. (ISC)2 also has a comprehensive set of complaint procedures for
ethics complaints against certified members. The complaint procedures detail the process
for formally accusing a certified member of violating one or more of the four canons, while
ensuring a fair and impartial due process for the accused.
We also examined organizational ethics and discussed how some organizations may not
have a formalized code of ethics document, but their ethical or professional behavior
expectations may be contained in their policies. These are usually found in policies such as
acceptable use, acceptance of gifts, bribery, and other types of policies. Most of the policies that
affect professional behavior for employees are typically found in the employee handbook.
Finally, we discussed other sources of professional ethics, from professional
organizations and governance requirements that may define how to protect certain sensitive
data classifications. Absent any other core ethics document that prescribes professional
behavior, the (ISC)2 Code of Ethics is mandatory for CISSP certification holders and
should be used to guide their behavior.

1.1 QUESTIONS
1. You’re a CISSP who works for a small business. Your workplace has no formalized
code of professional ethics. Your manager recently asked you to fudge the results of
a vulnerability assessment on a group of production servers to make it appear as if
the security posture is improving. Absent a workplace code of ethics, which of the
following should guide your behavior regarding this request?
A. Your own professional conscience
B. (ISC)2 Code of Ethics
C. Workplace Acceptable Use Policy
D. The Computer Ethics Institute policies
2. Nichole is a security operations center (SOC) supervisor who has observed one of her
CISSP-certified subordinates in repeated violation of both the company’s requirements
for professional behavior and the (ISC)2 Code of Ethics. Which of the following
actions should she take?
A. Report the violation to the company’s HR department only
B. Report the violation to (ISC)2 and the HR department
C. Ignore a one-time violation and counsel the individual
D. Report the violation to (ISC)2 only

3. Which of the following is a legal, ethical, or professional requirement levied upon an
individual to protect data based upon the specific industry, data type, and sensitivity?
A. (ISC)2 Code of Ethics
B. IEEE Code of Ethics
C. The Sarbanes-Oxley Code of Ethics requirements
D. The Computer Ethics Institute’s Ten Commandments of Computer Ethics
4. Bobby has been accused of violating one of the four canons of the (ISC)2 Code of Ethics.
A fellow cybersecurity professional has made the complaint that Bobby intentionally
wrote a cybersecurity audit report to reflect favorably on a company in which he is also
applying for a job in order to gain favor with its managers. Which of the following four
canons has Bobby likely violated?
A. Provide diligent and competent service to principals
B. Act honorably, honestly, justly, responsibly, and legally
C. Advance and protect the profession
D. Protect society, the common good, necessary public trust and confidence, and
the infrastructure

1.1 ANSWERS
1. B Absent any other binding code of professional ethics from the workplace, the
(ISC)2 Code of Ethics binds certified professionals to a higher standard of behavior.
While using your own professional judgment is admirable, not everyone’s professional
standards are at the same level. Workplace policies do not always cover professional
conduct by cybersecurity personnel specifically. The Computer Ethics Institute policies
are not binding to cybersecurity professionals.
2. B Since the employee has violated both the company’s professional behavior
requirements and the (ISC)2 Code of Ethics, Nichole should report the actions to
both entities. Had the violation been only that of the (ISC)2 Code of Ethics, she would
not have necessarily needed to report it to the company. One-time violations may be
accidental and should be handled at the supervisor’s discretion; however, repeated
violations may warrant further action depending upon the nature of the violation
and the situation.
3. C The Sarbanes-Oxley (SOX) Code of Ethics requirements are part of the regulation
(Section 406 of the Act) enacted to prevent securities and financial fraud and require
organizations to enact codes of ethics to protect financial and personal data. The
other choices are not focused on data sensitivity or regulations, but rather apply to
technology and cybersecurity professionals.
4. A Although the argument can be made that falsifying an audit report could violate any
or all of the four (ISC)2 Code of Ethics Canons, the scenario specifically affects the canon
that requires professionals to perform diligent and competent service to principals.

Objective 1.2 Understand and apply security concepts

In this objective we will examine some of the more fundamental concepts of security.
Although fundamental, they are critical in understanding everything that follows, since
everything we will discuss in future objectives throughout all CISSP domains relates to the
goals of security and their supporting tenets.

Security Concepts
To become certified as a CISSP, you must have knowledge and experience that covers a
wide variety of topics. However, regardless of the experience you may have in the different
domains, such as networking, digital forensics, compliance, or penetration testing, you need
to comprehend some fundamental concepts that are the basis of all the other security
knowledge you will need in your career. This core knowledge includes the goals of security and its
supporting principles.
In this objective we’re going to discuss this core knowledge, which serves as a reminder for
the experience you likely already have before attempting the exam. We’ll cover the goals of
security as well as the supporting tenets, such as identification, authentication, authorization,
and nonrepudiation. We will also discuss key supporting concepts such as principles of least
privilege and separation of duties. You’ll find that no matter what expertise you have in the
CISSP domains, these core principles are the basis for all of them. As we discuss each of these
core subjects we’ll talk about how different topics within the CISSP domains relate to these
areas. First, it’s useful to establish common ground with some terms you’ll likely see
throughout this book and your studies for the exam.

Data, Information, Systems, and Entities


There are terms that we commonly use in cybersecurity that can cause confusion if
everyone in the field does not have a mutual understanding of what the terms mean. Our field is
rich with acronyms, such as MAC, DAC, RBAC, IdM, and many more. Often the same
acronym can stand for different terms. For example, in information technology and cybersecurity
parlance, MAC can stand for media access control, message authentication code, mandatory
access control, and memory access controller, not to mention that it’s also a slang term for a
Macintosh computer. That’s an example of why it’s important to define a few terms up front
before we get into our discussion of security concepts. These terms include data, information,
system, and entity (and its related terms subject and object).
Two terms often used interchangeably by technology people in everyday conversation are
data and information. In nontechnical discussion, the difference really doesn’t matter, but
as cybersecurity professionals, we need to be more precise in our speech and differentiate
between the two. For purposes of this book, and studying for the exam, data are raw, singular
pieces of fact or knowledge that have no immediate context or meaning. An example might be
an IP address, or domain name, or even an audit log entry, which by itself may not have any
meaning. Information is data organized into context and given meaning. An example might be
several pieces of data that are correlated to show an event that occurred on a host at a specific
time by a specific individual.

EXAM TIP The CISSP exam objectives do not distinguish the differences
between the terms “information” and “data,” as they are often used interchangeably
in the profession as well. For the purposes of this book, we also will sometimes not
distinguish the difference and use the terms interchangeably, depending on the context
and the exam objectives presented.

A system consists of multiple components such as hardware, software, network protocols,
and even processes. A system could also consist of multiple smaller systems, sometimes called
a system of systems but most frequently just referred to as a system, regardless of the type or
quantity of subsystems.
An entity, for our purposes, is a general, abstract term that includes any combination of
organizations, persons, hardware, software, processes, and so on, that may interact with
people, systems, information, or data. Frequently we talk about users accessing data, but in
reality, software programs, hardware, and processes can also independently access data and other
resources on a network, regardless of user action. So it’s probably more correct to say that an
entity or entities access these resources. We can assign accounts and permissions to almost
any type of entity, not just humans. It’s also worth noting that entities are also referred to as
subjects, which perform actions (read, write, create, delete, etc.) on objects, which are resources
such as computers, systems, and information.
Now that we have those terms defined, let’s discuss the three goals of security—confidentiality,
integrity, and availability.

Confidentiality
Of the three primary goals of information security, confidentiality is likely the one that most
people associate with cybersecurity. Certainly, it’s important to make sure that systems and data
are kept confidential and only accessed by entities that have a valid reason, but the other goals
of security, which we will discuss shortly, are also of equal importance. Confidentiality is about
keeping information secret and, in some cases, private. It requires protecting information that
is not generally accessible to everyone, but rather only to a select few. Whether it’s personal
privacy or health data, proprietary company information, classified government data, or just
simply data of a sensitive nature, confidential information is meant to be kept secret. In later
objectives we will discuss different access controls, such as file permissions, encryption,
authentication schemes, and other measures, that are designed to keep data and systems confidential.
Integrity
Integrity is the goal of security to ensure that data and systems are not modified or destroyed
without authorization. To maintain integrity, data should be altered only by an entity that has
the appropriate access and a valid reason to modify it. Obviously, data may be altered
purposefully for malicious reasons, but accidental or unintentional changes may be caused by a
well-intentioned user or even by a bad network connection that degrades the integrity of a file or
data transmission. Integrity is assured through several means, including identification and
authentication mechanisms (discussed shortly), cryptographic methods (e.g., file hashing),
and checksums.

Availability
Availability means having information and the systems that process it readily accessible by
authorized users any time and in any manner they require. Systems and information do users
little good if they can’t get to and use those resources when needed, and simply preventing
their authorized use contradicts the availability goal. Availability can be denied accidentally
by a network or device outage, or intentionally by a malicious entity that destroys systems and
data or prevents use via denial-of-service attacks. Availability can be ensured through various
means including equipment redundancy, data backups, access control, and so on.

Supporting Tenets of Information Security


Security tenets are processes that support the three goals of security. The security tenets are
identification, authentication, authorization, auditing, accountability, and nonrepudiation.
Note that these may be listed differently or include other principles, depending on the source
of knowledge or the organization.

Identification
Identification is the act of presenting credentials that state (assert) the identity of an
individual or entity. A credential is a piece of information (physical or electronic) that confirms the
identity of the credential holder and is issued by an authoritative source. Examples of
credentials used to identify an entity include a driver’s license, passport, username and password
combination, smart card, and so forth.

Authentication
Authentication occurs after identification and is the process of verifying that the credential
presented matches the actual identity of the entity presenting it. Authentication typically
occurs when an entity presents an identification and credential, and the system or network
verifies that credential against a database of known identities and characteristics. If the
identity and credential asserted match an entry in the database, the entity is authenticated.
Once this occurs, an entity is considered authenticated to the system, but that does not mean
that they have the ability to perform any actions with any resources. This is where the next
step, authorization, comes in.

Authenticity
Authenticity goes hand-in-hand with authentication, in that it is the validation of a user, an
action, a document, or other entity through verified means. User authenticity is established
with strong authentication mechanisms, for example; an action’s authenticity is established
through auditing and accountability mechanisms, and a document’s authenticity might be
established through integrity checks such as hashing.

Authorization
Authorization occurs only after an entity has been authenticated. Authorization determines
what actions the entity can take with a given resource, such as a computer, application, or
network. Note that it is possible for an entity to be authenticated but have no authorization
to take any action with a resource. Authorization is typically determined by considering an
individual’s job position, clearance level, and need-to-know status for a particular resource.
Authorization can be granted by a system administrator, a resource owner, or another entity
in authority. Authorization is often implemented in the form of permissions, rights, and
privileges used to interact with resources, such as systems and information.

EXAM TIP Remember that authorization consists of the actions an individual can
perform, and is based on their job duties, security clearance, and need-to-know.

Auditing and Accountability


Accountability is the ability to trace and hold an entity responsible for any actions that entity
has taken with a resource. Accountability is typically achieved through auditing. Auditing is
the process of reviewing all interactions between an entity and an object to evaluate the
effectiveness of security controls. An example is auditing access to a network folder and being able
to conclusively determine that user Gary deleted a particular document in that folder.
Auditing would rule out that another user performed this action on that resource. Most resources,
such as computers, data, and information, can be audited for a variety of actions, such as
access, creation, deletion, and so forth. The most frequent manifestation of auditing is through
audit trails or logs, which are generated by the system or object being audited and record all
actions that any user takes with that system or object.
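The identification, authentication, authorization, and auditing chain described in the preceding sections, modelled as a small access monitor. This is an added illustration, not code from the book or from (ISC)2; the account names, passwords, folder path, and permissions are constructed sample data, and the "authenticated but not authorized" case and the audit trail that attributes a deletion to user Gary are shown explicitly.

```python
"""Added illustration (not from the book): identification -> authentication
-> authorization -> auditing, modelled as a tiny access monitor.
All accounts, passwords, objects, and permissions are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored credential is a verifier, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Monitor:
    """Every access request passes through check(), which records the outcome."""
    accounts: dict = field(default_factory=dict)      # identity -> (salt, verifier)
    permissions: dict = field(default_factory=dict)   # (subject, object) -> {actions}
    audit_log: list = field(default_factory=list)     # accountability trail

    def enrol(self, identity: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[identity] = (salt, _pbkdf2(password, salt))

    def grant(self, subject: str, obj: str, *actions: str) -> None:
        self.permissions.setdefault((subject, obj), set()).update(actions)

    def authenticate(self, identity: str, password: str) -> bool:
        # Identification: the caller asserts `identity`.  Authentication: the
        # presented credential is checked against the stored verifier.
        record = self.accounts.get(identity)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _pbkdf2(password, salt))

    def authorized(self, subject: str, obj: str, action: str) -> bool:
        # Authorization: what may this (already authenticated) subject do here?
        return action in self.permissions.get((subject, obj), set())

    def check(self, identity: str, password: str, obj: str, action: str) -> str:
        """Run the full chain, audit the result, and return the decision."""
        if not self.authenticate(identity, password):
            decision = "DENY-AUTHN"      # credential did not match the identity
        elif not self.authorized(identity, obj, action):
            decision = "DENY-AUTHZ"      # authenticated, but no permission
        else:
            decision = "ALLOW"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": identity, "object": obj,
            "action": action, "decision": decision,
        })
        return decision

    def who_did(self, obj: str, action: str) -> list:
        """Accountability: which subjects actually performed `action` on `obj`?"""
        return [e["subject"] for e in self.audit_log
                if e["object"] == obj and e["action"] == action
                and e["decision"] == "ALLOW"]


def demo() -> Monitor:
    """Constructed scenario: Gary may delete the report, Nichole may only read it."""
    m = Monitor()
    m.enrol("gary", "correct horse")
    m.enrol("nichole", "battery staple")
    m.grant("gary", "/share/report.docx", "read", "delete")
    m.grant("nichole", "/share/report.docx", "read")
    m.check("gary", "correct horse", "/share/report.docx", "delete")      # ALLOW
    m.check("nichole", "battery staple", "/share/report.docx", "delete")  # DENY-AUTHZ
    m.check("mallory", "guess", "/share/report.docx", "read")             # DENY-AUTHN
    return m


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The trail answers the accountability question from the text: `who_did("/share/report.docx", "delete")` names Gary and nobody else, while Nichole's attempt is recorded as authenticated but denied.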

Nonrepudiation
To hold entities, such as users, accountable for the actions they perform on objects, we must
be able to conclusively connect their identity to an event. Auditing is useful for recording
rivalship. Lord Hunterston, however, did manage to find his way up to the
box, whether by Miss ’Manda’s permission or not, and Frederick grew stiff
and resentful while the other foolish youth paid his homage. Lord
Hunterston pricked him into double eagerness, and sent all the suggestions
of prudence to the winds. Amanda proved herself thoroughly equal to the
occasion. She kept the two young men in hand with perfect skill, though she
allowed herself to be slightly insolent to Frederick, referring again to the
“leave” without which he could not budge. This time, however, the
reference did not make him angry, but only impressed him with the fact that
his admiration was nothing to her, and that every step of vantage-ground
would have to be fought for, and held with the exercise of all his powers.
He felt himself pitted against not Lord Hunterston only, but all the world. It
seemed impossible to imagine that this syren, who had conquered himself
by a glance, should not attract everybody that had the happiness of
approaching her. Terror, jealousy, and pride, all came in to aid the strongest
passion of all, which had already taken possession of him—terror of losing
her, jealousy of everybody who looked at her, and all the amour propre and
determination to elevate himself over the heads of his rivals that could lend
warmth to a young man’s determination. No prize is fully estimated until
the sense that it will be hotly contested bursts upon the competitor’s mind.
Frederick grew half wild when the time came for him to leave the theatre.
He secured her arm to lead her down-stairs, but only by dint of having all
his wits about him, and taking his rival unawares. And then he was
dismissed at the cab door, with all his nerves tingling, his heart beating, his
whole frame in a ferment. He walked home all the way, following the path
which her vehicle, so ignoble, and unfit for her to enter, must have taken; he
passed under the windows he supposed to be hers. In short, he did
everything that a foolish young man, mad with sudden excitement, and
what is called passion, is expected to do, and worked himself into a higher
and higher strain of excitement, as with his head full of thoughts of her he
made his way home, longing impatiently for the morning, when he might
see her again.
CHAPTER XX.

WHAT IT IS TO BE “IN LOVE.”


The story of such sudden passions as this, which had come upon Frederick
Eastwood, are common enough and well known. Love is a subject which
concerns and interests the whole world, and though there is not much that is
novel to be said about it, it is the event or accident in life of which the
gentle reader never tires. Let not that kind listener be shocked if I call it an
accident. Sometimes it is the influence which shapes our lives, but
sometimes, also, it is so slight an episode that we are disposed to smile or to
sneer at the prevailing human prejudice which makes it the chief centre of
existence in all song and story. A pure and genuine love, however, has
something of attraction in it for every creature. It recalls the most delicious
moments of life, those in which the dream of perfect happiness, never to be
fully realized, is forming in the youthful imagination, and all heaven and
earth thrills and quickens with visionary hopes and aspirations; or it
suggests, more sweetly and more vaguely even than those dreams
themselves, the visions that are to come. The ignoble love which it is my
evil fortune to have now in hand, would, no doubt, could I enter into it,
recall its own ignoble yet exciting memories to the minds which are capable
of such feelings. Frederick Eastwood scarcely slept all night, and when he
did drop into a feverish doze, the image of Miss ’Manda, her golden hair
dropping warm and bright upon her beautiful shoulders, the soft rose-white
of her hand supporting the milky rose of her cheek, the curves of her face,
the splendour and glow of beauty about her, haunted his dreams. Better
visions, I hope, haunt the pillows of most lovers, but this was how
Frederick loved, or rather how he fell into passion and frenzy, suddenly,
without warning or thought, over the attractions of Mr. Batty’s daughter,
whom the day before he would have thought quite beneath his lightest
thought. Thus Love, even when of the least worthy kind, laughs at prejudice
and class distinctions, and at all those conventional restraints which are
stronger than the suggestions of wisdom. I do not think that any generous or
exalted emotion would have led Frederick Eastwood to commit himself, to
depart from what he thought becoming to his own elevated position and
character; and this being the case, there may be a certain human satisfaction
in the thought that something does exist which is capable of plucking the
intellectualist from his eminence, and the man of social pretence from his
position, as well as the prince from his throne. Love, that conquers all
things, conquers in this way even the predominant influence of self.
Frederick for once was superior to that determined adherence to his own
will and pleasure which had accompanied him through his whole life. His
first thought in the morning was for her. He got up earlier than usual,
though he had been late on the previous night. He had no wish to sleep; it
was sweeter to wander about the garden in the morning sunshine and think
of her, which was a proceeding which filled the family with consternation.
When he was discovered at the breakfast-table making himself very
pleasant and friendly, the surprise of Nelly and Dick came to a height. As
for Mrs. Eastwood, she had a mother’s natural certainty that her son’s
manners were always agreeable, except when something had disturbed him.
Nothing, it was evident, had disturbed him this morning, and he could show
himself in his true colours. He was very communicative and conciliatory,
and told them how he had been persuaded to accompany some people
whom he met to the play, and that the piece was very stupid, like so many
pieces now-a-days.
“That’s all very well for you who were there,” said Dick; “I should like
to find out for myself. All pieces are stupid to a fellow that can see them
whenever he likes.”
“You might have had my share and welcome, old fellow,” said
Frederick, with undiminished amiability. “I didn’t pay much attention, to
tell the truth. There was the loveliest girl in the box—a Miss Batty. Her
father is a—country doctor, I think; but such a beautiful creature!”
I don’t know what tempted him to make this confidence; probably the
desire to be talking of her. And then he described her, which raised a
discussion round the table.
“I am sick of golden hair,” said Dick, who was moved by a spirit of
contradiction. “There are so many of ’em in novels, great, sleek, indolent,
cat-like——”
“And rather improper,” said Mrs. Eastwood; “doing things that one
cannot approve of girls doing. In my day what you call golden hair was
known as red. Raven locks were the right thing for a heroine, very smooth
and glossy——”
“Well plastered down with pomade, and not safe to touch,” said Nelly,
shaking her own brown locks. “But I agree with you, Frederick, there is no
hair so lovely as golden hair. Is your beauty going to stay long in town? Do
we know any one who knows her? Has she come for the season?”
“They are staying at an hotel,” said Frederick, very seriously. “I met the
father in Paris, quite by chance, when I was getting better. That is how I
came to know them. They are not quite in your set, I suppose. But she is
simply the most radiant, dazzling creature——”
“All red and white and green and blue,” said the irrepressible Dick,
“with her hair growing down to her eyes—oh, I know! seven feet high, and
weighing twelve stone.”
“Yes, that is odd too,” said Mrs. Eastwood; “people like that kind of
huge woman. In my days, now, a light, elastic figure——”
“They all died of consumption,” said Nelly. She was herself exactly the
kind of being whom her mother described; but she took up the cause of the
other with natural perverseness. A curious sense of possible help gleamed
across Frederick’s mind as he listened. He would not allow himself to
realize under what possible circumstances Nelly’s championship might be
useful to him; but his mind jumped at the thought, with a sudden perception
of possibilities which he by no means wished to follow out at once to their
full length and breadth. When he went to the office he congratulated
himself secretly on his skill in having thus introduced the subject so as to
awaken no suspicion—and he went into the conservatory, and cut a lovely
little white camellia bud, which Nelly had been saving up for quite another
button-hole. It was just after the exciting moment of Nelly’s betrothal, and
the house was full of a certain suggestion of love-making, which, perhaps,
helped to stimulate Frederick’s thoughts; but his blaze of sudden passion
was very different from the sentiments of the others. He went to the office
first, feeling it too early to be admitted to Amanda’s beautiful presence.
Happily, there was not very much to do at the Sealing Wax Office. He spent
an hour or two there, in a feverish flutter, disturbing the others (who,
fortunately, were not very hard at work), and throwing all his own
occupations into confusion. At twelve he went out, and made his way to the
hotel. He found Batty there, but not his daughter.
“ ’Manda? Oh, she’s all right,” said the father; “but the laziest girl in
Christendom. Pretty women are all lazy. I haven’t seen her yet, and don’t
expect to for an hour or more. Have a glass of something, Eastwood, to fill
up the time?”
Frederick winced at this free-and-easy address, and hastened to explain
that he was on his way to keep a pressing engagement, and would return in
the afternoon, to pay his respects to Miss Batty. At three o’clock he went
back, and found her indeed; but found also Lord Hunterston and another
visitor, with whom Miss Amanda kept up a very lively conversation. Batty
himself filled up the centre of the scene, and made a variety with talk of
horses and feats in the hunting field. Frederick was left in the background,
to his intense misery. He heard one of the other visitors asked in easy terms
to dinner that evening, with again the thrilling prospect of the play after it.
He himself, it would seem, had had his day. The only crumb of comfort he
procured from the visit was the name of the theatre they were going to. He
rushed to Covent Garden after this, poor wretch, and bought the costliest
bouquet he could find and sent it to her. Then he dined, miserable and
solitary, at his club, speaking no word to any man, and went afterwards to
the blessed theatre in which she was to exhibit her beauty to the world. He
saw her from the first moment of her arrival, and watched with horrible
sensations from his stall the comfortable arrangement of Lord Hunterston in
his corner beside her, and the large figure of the father behind dropping into
a gentle doze. He sat and gazed at them in tortures of adoration and
jealousy, wondering if she was saying the same things to his successor as
she had said to him; wondering if Hunterston, too, was being invited to
Sterborne, and ridiculed about the necessity of getting “leave”—for,
Frederick reflected with some satisfaction, “leave” was necessary also to
that distinguished guardsman. As soon as it was practicable he made his
way up to the box; but gained little by it, since Mr. Batty insisted upon
waking up, and entertaining him, which he did chiefly by chuckling
references to their previous meeting in Paris, and the amusements of that
gay place. Frederick went home half wild to the calm house where his
mother and sister were sleeping quietly; and where poor little Innocent
alone heard his step coming up-stairs, and longed to get up and say good-
night to him, though he had “scolded” her. Had she known it, Innocent was
deeply avenged. Amanda Batty had not spared the rash adorer. She had
“made fun” of him in a hundred refined and elegant ways, joking about his
gravity and serious looks, about his fondness for the theatre, and his
kindness in coming to speak to herself. “When I am sure you might have
gone behind the scenes if you liked,” she said, with a laugh that showed all
her pearly teeth. “You, who know so much about the theatres: how I should
like to go behind the scenes!”
Frederick, who had made so many sacrifices to appearances, and who
was distinguished in society for the stateliness of his demeanour, would
have been infinitely insulted had any one else said this—all the more
insulted for his own consciousness of those moments of aberration in which
he had been behind a great many scenes—though never, so far as he was
aware, where he could be found out. But a man in love is compelled, when
the lady of his affections is like Miss Amanda, to put up with insults, and
does so in scores of cases with a meekness which is nowhere apparent in his
domestic character. Frederick felt himself punctured by shafts of ridicule
not too finely pointed. He was laughed at, he was rallied, jokes were made
upon him. He was even treated with absolute rudeness, Amanda turning her
beautiful shoulders upon him, and addressing Lord Hunterston, in the very
midst of something Frederick was saying to her. A thrill of momentary fury
went through him, but next moment he was abject in his endeavours to get a
glance from her—a word of reply.
“Don’t you mind her—it’s ’Manda’s way,” said Batty, laughing as he
saw the gloom on Frederick’s face. “The more insulting she is one evening,
the nicer she’ll be the next. Don’t you pay any attention: it’s his turn to-
night, and yours to-morrow. Don’t take it too serious, Eastwood; if you’ll be
guided by me——”
“I fear I don’t quite understand you, Mr. Batty,” said poor Frederick,
writhing in impotent pride at the liberties taken with him. Upon which Batty
laughed again, more insolently good-humoured than ever.
“As you like—as you like,” he said; “you are more likely to want me, I
can tell you, than I am to want you.”
Frederick answered nothing: his mind was torn in pieces. Could he have
had strength to go away, to break those fatal chains which in a day—in a
moment—had been thrown over him, he would have done it. A sudden
impulse to fly came over him; but a hundred past yieldings to temptation
had sapped the strength of his nature, and taken away from him all power to
make such a strenuous resistance to his own wishes. The self-willed, proud
young man put down his head and licked the dust before the coarse beauty
who had stolen away his wits, and the coarse man whose familiarity was so
odious to him. He turned from the father, and addressed himself with eager
adoration to the daughter; and, perhaps because Amanda was a thorough
coquette, and enjoyed her own cleverness in pitting one admirer against
another—perhaps because the misery and earnestness in the eyes of her new
slave softened her, she was friendly to him for the rest of the evening, and
wrapped his foolish soul in happiness. Before they parted he was made
happy by another invitation. They were but to be two nights more in town,
and one of these evenings Frederick was to spend with them.
“Be sure and find out for me the very nicest thing that is to be played in
London,” she said, turning round to him as she left the theatre, though the
rival had her hand on his arm. The sweetness of this preference, the sign she
made to him as the carriage drove away, contented, and more than
contented, Frederick. He went home happy; he got through—he did not
know how—the intervening time. Next afternoon he went to call on her, at
one moment gaining a few words, which made him blessed, at another
turning away with his pride lacerated and his heart bleeding. The succession
of ups and downs was enough to have given variety to months of ordinary
love-making. Frederick was tossed from delight to despair, and back again.
He was jibed at, flattered, made use of, tormented, and consoled. Had he
been a man of finer mind, he might possibly have been disgusted; but it is
astonishing what even men of the finest minds will submit to under the
force of such an imperious passion. They console themselves by the
conclusion that all women are the same, and that theirs is the common fate.
If Frederick had any time to think in the hurry of emotion and excitement
which swept him as into the vortex of a whirlpool, he excused Miss
’Manda’s cruelties and caprices by this explanation. All women who
possessed, as she did, those glorious gifts of beauty—all the Cleopatras of
existence—were like her; they had to be worshipped blindly, not considered
as reasonable creatures. Reason! what had reason to do with those
shoulders, those cheeks, those eyes?
The evening came at last—the evening of rapture and misery which he
was to spend by her side, but which was to be the last. He counted how
many hours it could be lengthened out to, and gave himself up to the
enjoyment, not daring to forecast to himself what he might say or do before
that cycle of happiness was ended. He dressed himself with so much care
that Mrs. Eastwood, who had never forgotten that enthusiastic description
of Miss Batty, felt an uneasiness for which she could give no very distinct
reason. This time the roses in the conservatory were not enough for
Frederick. He had brought one from Covent Garden, carefully wrapped up
in cotton wool; and he spoiled half-a-dozen ties before he could tie one to
his satisfaction. His mother peeped at him from the door of her room as he
went down-stairs. In consequence of their play-going propensities, the
Battys had to dine early. It was but half-past six when Frederick left The
Elms in his hansom, which he had taken the trouble to order beforehand.
Mrs. Eastwood opened her window, with a faint hope that perhaps the wind
might convey his instructions to the driver to her anxious ear. She withdrew
blushing, poor soul, when this attempt proved unsuccessful. It was almost
dishonourable—like listening at a door. When one does not succeed in a
little wile of this description, one realizes how ignoble was the attempt.
“Of course, if I had asked him where he was going, he would have told
me,” she said to herself.
But the truth was that Frederick had so often returned disagreeable
answers to such questions, and had made so many remarks upon the
curiosity of women, &c., that the household had ceased to inquire into his
movements. He was the only one of the family whose comings and goings
were not open as daylight to whomsoever cared to see.
His heart beat higher and higher as he threaded the streets and
approached the second-rate London inn which was to him the centre of the
world. When he was shown into the room, however, in which dinner was
prepared as usual, he went in upon a scene for which he was totally
unprepared. Seated by the fire, which had suddenly become unnecessary by
a change in the weather, and which made the little room very stuffy and hot,
was Amanda, wrapped in a great shawl. Her usual sublime evening toilette
had been exchanged for a white dressing-gown, all frills and bows of
ribbon. High up on her cheeks, just under her eyes, were two blazing spots
of pink. Her face, except for these, was pale and drawn. The sound of her
voice, fretful and impatient, was the first thing Frederick heard. By her sat a
middle-aged woman in an elaborate cap with flowers. There was a medicine
bottle on the mantelpiece. Frederick rushed forward, in wonder and dismay.
“Miss Batty—Good God, you are ill——!”
“You may see that, I think, without asking,” said Amanda; “when one is
well one does not show like this, I hope. The last night, too—the last time
for ages I shall have the least chance of enjoying myself, or having a little
fun. Oh, it is too shocking! When one is at home, with nothing going on,
one does not mind; it is always something to occupy one. Oh, go away
please. Dine somewhere with papa. He is waiting for you outside; never
mind me. Oh, aunty, can’t you be still—rustling and rustling for ever and
ever, and setting all my nerves on edge.”
A sudden blackness came over Frederick’s soul. “Dine somewhere with
papa.” Good heavens! was that the entertainment offered to him after all his
hopes? He stood transfixed as it were, immovable in a blank and horrible
pause of disappointment. The close room and the sudden revulsion of
feeling made him sick and faint. His perfect and faultless costume, the
delicate rosebud in his coat, his tie which it had taken him so much trouble
to bring to perfection, his boots upon which he had been so careful not to
have a speck—all struck Amanda with relenting as she looked at him, and
finally roused her a little out of her absorption in her own troubles. He
looked such a gentleman! Miss Batty belonged to that class which is given
to describe its heroes as “looking like gentlemen,” with often an uneasy
sense that the looks are the only things gentlemanlike about them. Frederick
impressed her profoundly and suddenly by this means. She relented as she
looked at him.
“Dinner was laid here,” she said, “as you see—but I don’t think I could
stand it,—and then when one is not dressed or anything—it would not be
nice for you——”
“It is perfectly nice for me,” said Frederick, coming to life again—“a
thousand times more nice than anything else. Your dress is always perfect,
whatever it may be. Let me stay! What do I care for dining or anything
else? Let me be with you. Let me read to you. Don’t send me into outer
darkness——”
“Oh, how you do talk, Mr. Eastwood,” said Amanda, though with a
smile. “No, of course you must dine. We must all dine. No, now go away. I
could not have it. Let some one call papa, and you can go with him——”
she paused for a moment, enjoying the blank misery that once more fell
upon Frederick’s face; then added suddenly,—“On second thoughts, after
all, it might amuse me. Aunty, ring the bell. If you are sure you don’t mind
my dressing gown—and the room being so warm—and aunty being here,—
and the medicine bottle, and the big fire,—well, perhaps,” she said, pausing
to laugh in a breathless way,—“you may stay.”
If the Queen had created him Earl of Eastwood with corresponding
revenues, it would have been nothing to the bliss of this moment. He drew a
footstool to her feet and sat down on it, half kneeling, and made his
inquiries.—What was it? How was it? was she suffering? did she feel ill?
had she a doctor, the best doctor that London could produce, Jenner, Gull,
somebody that could be trusted? Amanda informed him that it was heart
disease from which she was suffering, an intimation which she made not
without complacency, but which Frederick felt to pierce him like a horrible,
sudden arrow—and that “Aunty” here present, whom she introduced with a
careless wave of her hand, knew exactly what to do.
“It is dreadful, isn’t it, to think I might die any moment?” she said with a
smile.
“Good God!” Frederick said, with unaffected horror, “it cannot be true!”
and he sat, stricken dumb, gazing at her, the tears forcing themselves to his
eyes. Mr. Batty entered at this moment, and the man, who was human and a
father, was touched by this evidence of emotion. He wrung Frederick’s hand
and whispered him aside.
“It ain’t as bad as it seems,” he said. “We daren’t cross her. If she wanted
the moon I’d have to tell her we’d get it somehow. We’ve known for years
that she wasn’t to be crossed; but barring that, I hope all’s pretty safe. It’s
bad for her temper, poor girl, but I’m not afraid of her life.”
Frederick spent such an evening as he had never spent in his life. He sat
at Amanda’s feet and read to her, and talked to her, and listened to her
chatter, which was soft and subdued, for she was languid after her spasms.
Mr. Batty sat by most part of the evening admiring, and so did the person
called Aunty, who kept in constant attendance. Frederick could not throw
himself at Miss ’Manda’s feet according to conventional form; he could not
declare his love and entreat her to marry him, as he was burning to do, for
he was not permitted a minute alone with her. But short of that, he said
everything that a man in love could do. He told his adoration by a hundred
signs and inferences. And he went home in such a whirl of sentiment and
emotion as I cannot attempt to describe. His love was frantic, yet so tinged
and imbued with a sense of the virtuous and domestic character of this
evening of complete happiness, that he felt as good as he was blessed. She
was going away; that was the only drawback to his rapture; and even that
impressed a certain intense and ecstatic character upon it, as of a flower
snatched from the edge of a precipice of despair.
CHAPTER XXI.

A FAMILY DINNER.
While this wild love-fever of Frederick’s had run its course, Nelly’s little
drama had also enacted itself, and the interview between Mrs. Eastwood
and Mr. Molyneux, Q.C., had taken place, so that the moment had been an
exciting one in the family story. The young people were absorbed in their
different adventures, and it was only the mother who felt, even though she
did not know, all that was going on, on either hand. She did not know what
it was which had moved Frederick so much out of his usual composure,
which had made him “engaged” and inaccessible to all family invitations or
arrangements during one entire week. He had never mentioned Miss Batty
or her beauty again, but he had been engaged every evening, going out early
and staying late, and making no allusion to where he had been. Indeed
during that period he had scarcely seen any of the family, except his mother
herself, who had waited to pour out his coffee for him at breakfast, and who
saw by his hurried manner and self-absorbed looks that something more
than ordinary must be going on. But he had offered no confidences, and
Mrs. Eastwood had not gone so far as to ask for any, partly from pride, and
partly from a compassionate unwillingness to disturb him any more than he
was already disturbed. The time when she could inquire into his troubles
and set them right was over. But she was uneasy about him, not knowing
what to think, anxious and unhappy; and she was still more distinctly
disturbed about the Molyneux business, and the engagements which she
might be forced into, against her will and her judgment, on Nelly’s account.
The shadow which thus had come upon her overshadowed the whole house,
as I have already said. It irritated Ernest Molyneux, and it made Nelly
unhappy. Nelly, poor child, had never known what it was to have any cross
influences in her life before. She had never been pulled two ways, never
divided in her affections or her allegiance. Few people appreciate the
difference this makes in a girl’s life. She is taken suddenly in the midst of
an existence which is all tender, filial duty, or that sweet counterfeit of filial
duty which animates the child’s mind who has a large part in deciding the
will of the parent who guides her, and is unconsciously the inspiration of
the very laws she obeys. This had been Nelly’s case. She and her mother
had been as one soul—the one ruling, the other obeying, but neither able to
discriminate from which came the original impulse; and now she felt herself
suddenly placed in a position, if not of antagonism to her mother, yet at
least of tenderest sympathy and union with one who declared himself so far
her mother’s antagonist. This curious turn and twist of circumstances made
the girl giddy,—it gave an uncertainty to all things, it confused her old
ideas, the ideas which she had held as unchangeable till the day before
yesterday, when they were suddenly undermined, and all her old gods made
to totter in their shrines.
“Your mother does not like me,” Molyneux said to her one day, when
Mrs. Eastwood, disturbed and worried by a communication from his father,
had been cold and distant to him. “It is always the way. She was nice
enough as long as I was only a young fellow dangling about the house; but
as soon as everything is settled, and you are ready to have me, Nelly, she
turns off at a tangent. Clearly, your mother does not like me——”
“How can you say so?” cried Nelly. “Oh, Ernest, as if it were possible
——”
“Quite possible,—indeed, quite common,” he said, shaking his head.
“You don’t know the world, darling, and I don’t wish you to; but when
people have to make sacrifices to establish their children, they don’t like it.
Nobody likes to have a sacrifice to make. I suppose I thought your mother
different, because she was your mother; but human nature is the same
everywhere,—though you, Nelly, Heaven be praised, have no knowledge of
the world——”
“Is it mamma you mean by the world?” said Nelly, disengaging herself
almost unconsciously from her lover’s arm.
“Don’t be vexed dear. Mothers are just like other people. When our
interests come to be in opposition to those of our nearest and dearest——”
“How can mamma’s interests be in opposition to ours?” said Nelly, with
open eyes.
“Well, I suppose our parents have got to provide for us,” said Molyneux.
“They have got to part with so much, on one side and the other, to set us up
—and they don’t like it—naturally. When it comes to be our turn we shall
not like it either. There is always a struggle going on, though your dear,
innocent eyes don’t see it; we trying to get as much as we can, they to give
us as little as they can;—that is what makes your mother look so glum at
me.”
“We trying to get as much as we can,—they to give us as little as they
can?” repeated Nelly, with a dreamy wonder in her tone. She dwelt on the
words as if she were counting them, like beads. She had withdrawn, quite
involuntarily and unawares, from his side.
“I don’t want to vex you about it,” he said, drawing closer to her. “It
can’t be helped, and after it is settled, things will come right again. You
don’t know anything about business, and I don’t want you to know about it
——”
“I know all about mamma’s business,” said Nelly. She withdrew again
with a little impatience from his close approach. She fell a-musing and
thinking, and made some excuse, soon after, to get away from him. She was
startled beyond measure in the straight-forwardness of a soul unacquainted
with business. Very strange to her was this unexpected distinction and
separation. Was it really possible that her mother’s interests were opposite
to her own, for the first time in her life? “We trying to get as much as we
can,—they to give us as little as they can,” she said to herself, in the
solitude of her room, putting the fingers of one hand against those of the
other, as if to count the words. Nelly was bewildered,—her head was dizzy
through this strange whirlabout of heaven and earth,—the firm ground
seemed failing beneath her feet.
It was about this time that another person appeared on the family scene,
a man about whom none of the Eastwoods felt any particular interest, or
rather, against whom they had all a decided prejudice. This was John Vane,
a distant cousin of Innocent’s father, a squire in the north country, with
considerable, but poor estates, who had lived a wandering life for some
years, and who was considered by all who knew him “eccentric,” to say the
least. His true name was Reginald or Roland, or something of a sentimental
and ornamental description represented by the letter R; but Society, which
has a way of identifying character by this simple means, called him John.
He was a man of three or four and thirty, with a brown complexion tanned
by much exposure to wind and weather, and a golden brown beard, which
was the chief feature about him to a stranger. His hair had worn off his
temples, and he had a threatening of baldness, as if the forest on his chin
had drawn all his locks downwards. His forehead was clear and open and
white, in contrast with the tanned and much-lined surface of the more
exposed parts of his face. He was by no means the nearest or even a near
relation of Innocent, but he had lost no time in seeking her out. He arrived
on the very day when this first touch of doubt and pain came into Nelly’s
belief in her lover; and it was by no means a happy household in which the
new comer appeared one bright spring morning shortly after the events we
have been telling. His mission was to ask what had become of his cousin’s
child, to ascertain in the most delicate way possible what was her position
in her aunt’s house, and to offer her, should that prove necessary, a refuge in
his own. He made this offer with so much grace and natural kindness that
Mrs. Eastwood’s prejudices against him fled like the morning dew. She was
prejudiced against everything (except poor Innocent) that bore the name of
Vane, and against this John Vane in particular, whose father had been a man
of very unsettled opinions, and who was understood to have been badly
brought up. Innocent, too, poor child, had been very badly brought up, and
Mrs. Eastwood shuddered at the idea of what might follow if the one
uninstructed nature was put into the hands of the other. But Mr. John Vane
had that sure passport to a woman’s favour—a frank and open countenance,
and a pair of smiling eyes which met your gaze frankly. He made so
pleasant an impression that Mrs. Eastwood ended by inviting him to a very
solemn dinner party which was to take place at her house that evening—a
dinner at which “the Molyneuxes” were to be present, though the
negotiations between Ernest’s side and Nelly’s side were yet far from being
completed. Major Railton, who had been one of the invited guests, had felt
his courage fail him at the last moment, and had sent an excuse on account
of his health. “Mr. Vane is a kind of a connexion,” Mrs. Eastwood said,
doubtfully, when she explained the change to her son. Frederick, who was
full of other thoughts, made no objection, and Mr. Vane, who was not less
pleased with his new acquaintances than they were with him, accepted
frankly. This dinner-party was a very great event in the family; and though
dinner-parties are not generally exciting occurrences, I may perhaps be
pardoned, for the sake of the issues, if I dwell upon it a little. The chief
guests were the Molyneuxes—Mr. and Mrs. and Miss, the latter of whom
we may drop out of the present history, having already enough people on
our hands. They were both of opinion that Mrs. Eastwood had “kept her eye
upon” Ernest for years, and that Nelly had made “a dead set” at him; and
they were accordingly dignified and a little condescending in their
cordiality. Mr. and Mrs. Brotherton also formed part of the company, along
with two other of Mrs. Eastwood’s advisers—Mr. Parchemin and Mrs.
Everard; and the party was made up to the number of sixteen (which was all
that could be comfortably accommodated at the Elms dinner table) by the
presence of Sir Alexis Longueville and his sister. In opposition to the
selection of this guest, Nelly had put forth the moral objections to him
which her lover had on a certain evening pressed so warmly upon her, but
had found, to her great amazement, that Ernest laughed at the whole matter,
and declared Longueville one of the best fellows going; while Mrs.
Eastwood silenced her with some indignation, declaring that she had known
him for twenty years, and would not have any old scandals raked up. Poor
Nelly, who knew nothing about the old scandals, but who felt the whole
responsibility thrown upon her, withdrew, hot with angry blushes, from the
discussion, feeling as if she had shown a shameful knowledge of the evil
reports of the past, which the poor child was, in fact, as ignorant of as a
baby. “We must forgive and forget,” even Ernest said to her. “Don’t be such
a terrible moralist, Nelly.” This, too, wounded poor Nelly, in the ignorance
and innocence of her youth.
The dinner went off as such dinners do everywhere. There was a great
display of all the Eastwood plate, and the meal itself lasted two hours and a
half, and included everything that was out of season, and all that was most
costly in the way of eating and drinking. Mrs. Eastwood, at the head of her
own table, with Sir Alexis on one side of her and Mr. Molyneux on the
other, tried her very best to feel no sort of opposition to the latter, and to
look as if nothing but family love and union was symbolized by their
meeting. Frederick, at the other end, with his head full of Amanda Batty,
endeavoured to give his best attention to the gorgeous Mrs. Barclay and the
dignified Mrs. Molyneux. He had his Charles the First look upon him, and
he was not judged severely by these ladies, who thought him superior to the
rest of the family, and very probably worried by his mother, whom Mrs.
Molyneux considered a scheming and worldly person. The other members
of the party had, no doubt, their own cares; but their cares do not concern us
greatly, except in so far as Nelly was concerned, whose poor little heart was
wounded and her mind confused, and who, in her position of fiancée, felt
this sort of formal reception of her by her lover’s parents to suggest all
kinds of strange doubts and miseries, and to throw uncertainty instead of
security upon the bond which had been tied so tightly, yet so happily, in the
cold, half-frozen garden but a little while before. No doubt that she loved
Ernest Molyneux, or that his love made her perfectly happy, had crossed her
mind then. She had been as full of gentle bliss as a girl could be, when she
had stolen in with him into the drawing-room in the firelight, frightened lest
any one should see how he held her hand, and yet unable to conceive how
anything or any one in the world could be ignorant of the new great flood of
light and joy which had flooded earth and heaven. In that beatific moment,
however, no idea of settlements or negotiations, or the suggestion that
Ernest might have done better, or that it was his business and hers to try to
get as much as they could, had entered into her mind. There are well-
seasoned and justly-regulated minds, even of twenty, which understand all
these accessories as well as the oldest of us, and have no nonsense about
them, and are robust enough to enter into the whole question “as a matter of
business.” But Nelly was not one of these. She had a great deal of nonsense
about her. She was shocked, chilled, brought to a stand suddenly, in the first
outset of her independent career. Her love seemed to have ceased to be real,
now that it was being talked about and struggled over, and Ernest, Ernest
himself——. She would not say, even in the depths of her own heart, any
more than this; but her poor little heart gave an inarticulate cry when he
opened up his philosophy to her with so much confidence, and
congratulated himself that she knew nothing of business. Nelly did not
know whether, perhaps, among the strange confusions of this world, he
might not be right. She saw no way out of the maze. She did not know how
she herself, if left to herself, could have bettered it; but her instinctive sense
of what was noble and ignoble, lovely and unlovely, was deeply wounded.
She was put out of harmony with herself and every one. If life was so—if
such gulfs were ready to open under your feet at your very first step in it,
was it worth living? Such was the painful question, not yet put into words,
that breathed through poor Nelly’s heart.
Mr. John Vane was on one side of her, and Ernest on the other; but Mrs.
Everard, who was a great conversationalist, had taken possession of young
Molyneux, and was putting him through a catechism. Nelly did not feel
herself capable of talk, but the kind looks of her next neighbour were
comforting, and he was touched by her downcast, yet bright, face.
“Miss Eastwood,” he said, “may I guess at something? I am a stranger,
but I am a connexion. You know your mother admitted my claims. This is a
solemn family assembly to celebrate something that is to make your