CISSP Passport 1st Edition Bobby E. Rogers full chapter instant download
CISSP Certification Passport
About the Author
Bobby Rogers (he/his/him) is a cybersecurity professional with over 30 years in the information technology and cybersecurity fields. He currently works with a major engineering company in Huntsville, Alabama, helping to secure networks and manage cyber risk for its customers. Bobby’s customers include the U.S. Army, NASA, the State of Tennessee, and private/commercial companies and organizations. His specialties are cybersecurity engineering, security compliance, and cyber risk management, but he has worked in almost every area of cybersecurity, including network defense, computer forensics and incident response, and penetration testing.
Bobby is a retired Master Sergeant from the U.S. Air Force, having served for over 21 years. He has built and secured networks in the United States, Chad, Uganda, South Africa, Germany, Saudi Arabia, Pakistan, Afghanistan, and several other remote locations. His decorations include two Meritorious Service medals, three Air Force Commendation medals, the National Defense Service medal, and several Air Force Achievement medals. He retired from active duty in 2006.
Bobby has a master of science in information assurance and a bachelor of science in computer information systems (with a dual concentration in Russian language), and two associate of science degrees. His many certifications include CISSP-ISSEP, CRISC, CySA+, CEH, and MCSE: Security.
Bobby has narrated and produced over 30 computer training videos for several training companies and currently produces them for Pluralsight (https://www.pluralsight.com). He is also the author of CompTIA Mobility+ All-in-One Exam Guide (Exam MB0-001), CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide, and Mike Meyers’ CompTIA Security+ Certification Guide (Exam SY0-401), and is the contributing author/technical editor for the popular CISSP All-in-One Exam Guide, Ninth Edition, all of which are published by McGraw Hill.
CISSP Certification Passport
Bobby E. Rogers
McGraw Hill is an independent entity from (ISC)²® and is not affiliated with (ISC)² in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)² in any manner. This publication and accompanying media may be used in assisting students to prepare for the CISSP exam. Neither (ISC)² nor McGraw Hill warrants that use of this publication and accompanying media will ensure passing any exam. (ISC)²®, CISSP®, CAP®, ISSAP®, ISSEP®, ISSMP®, SSCP®, and CBK® are trademarks or registered trademarks of (ISC)² in the United States and certain other countries. All other trademarks are trademarks of their respective owners.
Copyright © 2023 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no
part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and
executed in a computer system, but they may not be reproduced for publication.
ISBN: 978-1-26-427798-8
MHID: 1-26-427798-9
The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-427797-1,
MHID: 1-26-427797-0.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw Hill eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate
training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work
is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,
distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You
may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to
use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will
meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors
shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages
resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work.
Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of
the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or
cause arises in contract, tort or otherwise.
I’d like to dedicate this book to the cybersecurity professionals who tirelessly, and sometimes thanklessly, protect our information and systems from all who would do them harm.
I also dedicate this book to the people who serve in uniform as military personnel, public safety professionals, police, firefighters, and medical professionals, sacrificing sometimes all that they are and have so that we may all live in peace, security, and safety.
—Bobby Rogers
Contents at a Glance
Index 431
Contents
Acknowledgments xxvii
Introduction xxix
REVIEW 14
1.2 QUESTIONS 14
1.2 ANSWERS 15
Objective 1.3 Evaluate and apply security governance principles 16
Security Governance 16
External Governance 16
Internal Governance 16
Alignment of Security Functions to Business Requirements 17
Business Strategy and Security Strategy 17
Organizational Processes 18
Organizational Roles and Responsibilities 18
Security Control Frameworks 19
Due Care/Due Diligence 20
REVIEW 21
1.3 QUESTIONS 21
1.3 ANSWERS 22
Objective 1.4 Determine compliance and other requirements 23
Compliance 23
Legal and Regulatory Compliance 24
Contractual Compliance 25
Compliance with Industry Standards 25
Privacy Requirements 25
REVIEW 26
1.4 QUESTIONS 27
1.4 ANSWERS 28
Objective 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context 29
Legal and Regulatory Requirements 29
Cybercrimes 29
Licensing and Intellectual Property Requirements 30
Import/Export Controls 31
Transborder Data Flow 32
Privacy Issues 32
REVIEW 33
1.5 QUESTIONS 33
1.5 ANSWERS 34
Objective 1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) 35
Investigations 35
Administrative Investigations 35
Civil Investigations 35
Criminal Investigations 36
Regulatory Investigations 36
Industry Standards for Investigations 37
REVIEW 37
1.6 QUESTIONS 38
1.6 ANSWERS 39
Objective 1.7 Develop, document, and implement security policy, standards, procedures, and guidelines 39
Internal Governance 40
Policy 40
Procedures 40
Standards 41
Guidelines 41
Baselines 42
REVIEW 42
1.7 QUESTIONS 43
1.7 ANSWERS 44
Objective 1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements 45
Business Continuity 45
Business Impact Analysis 46
Developing the BIA 46
REVIEW 47
1.8 QUESTIONS 47
1.8 ANSWERS 48
Objective 1.9 Contribute to and enforce personnel security policies and procedures 48
Personnel Security 49
Candidate Screening and Hiring 49
Employment Agreements and Policies 50
Onboarding, Transfers, and Termination Processes 50
Vendor, Consultant, and Contractor Agreements and Controls 52
Compliance Policy Requirements 53
Privacy Policy Requirements 53
REVIEW 54
1.9 QUESTIONS 55
1.9 ANSWERS 56
Objective 1.10 Understand and apply risk management concepts 57
Risk Management 57
Elements of Risk 57
Identify Threats and Vulnerabilities 59
Risk Assessment/Analysis 60
Risk Response 63
Risk Frameworks 64
Countermeasure Selection and Implementation 64
Applicable Types of Controls 65
Control Assessments (Security and Privacy) 66
Monitoring and Measurement 67
Reporting 67
Continuous Improvement 68
REVIEW 68
1.10 QUESTIONS 69
1.10 ANSWERS 69
Objective 1.11 Understand and apply threat modeling concepts and methodologies 70
Threat Modeling 70
Threat Components 70
Threat Modeling Methodologies 72
REVIEW 73
1.11 QUESTIONS 73
1.11 ANSWERS 73
Objective 1.12 Apply Supply Chain Risk Management (SCRM) concepts 74
Supply Chain Risk Management 74
Risks Associated with Hardware, Software, and Services 74
Third-Party Assessment and Monitoring 76
Minimum Security Requirements 77
Service Level Requirements 77
REVIEW 77
1.12 QUESTIONS 78
1.12 ANSWERS 79
Objective 1.13 Establish and maintain a security awareness, education, and training program 80
Security Awareness, Education, and Training Program 80
Methods and Techniques to Present Awareness and Training 80
Periodic Content Reviews 82
Program Effectiveness Evaluation 82
REVIEW 82
1.13 QUESTIONS 83
1.13 ANSWERS 84
REVIEW 108
2.5 QUESTIONS 108
2.5 ANSWERS 108
Objective 2.6 Determine data security controls and compliance requirements 109
Data Security and Compliance 109
Data States 109
Control Standards Selection 110
Scoping and Tailoring Data Security Controls 111
Data Protection Methods 111
REVIEW 113
2.6 QUESTIONS 113
2.6 ANSWERS 114
3.0 Security Architecture and Engineering 115
Objective 3.1 Research, implement, and manage engineering processes using secure design principles 116
Threat Modeling 116
Least Privilege 116
Defense in Depth 117
Secure Defaults 117
Fail Securely 117
Separation of Duties 118
Keep It Simple 119
Zero Trust 119
Privacy by Design 119
Trust But Verify 119
Shared Responsibility 120
REVIEW 120
3.1 QUESTIONS 121
3.1 ANSWERS 122
Objective 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula) 122
Security Models 122
Terms and Concepts 123
System States and Processing Modes 124
Confidentiality Models 126
Integrity Models 127
Other Access Control Models 128
REVIEW 128
3.2 QUESTIONS 129
3.2 ANSWERS 130
Objective 3.3 Select controls based upon systems security requirements 130
Selecting Security Controls 130
Performance and Functional Requirements 131
Data Protection Requirements 131
Governance Requirements 132
Interface Requirements 132
Risk Response Requirements 133
REVIEW 133
3.3 QUESTIONS 134
3.3 ANSWERS 134
Objective 3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption) 135
Information System Security Capabilities 135
Hardware and Firmware System Security 135
Secure Processing 137
REVIEW 138
3.4 QUESTIONS 139
3.4 ANSWERS 139
Objective 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements 139
Vulnerabilities of Security Architectures, Designs, and Solutions 140
Client-Based Systems 140
Server-Based Systems 140
Distributed Systems 141
Database Systems 141
Cryptographic Systems 142
Industrial Control Systems 142
Internet of Things 143
Embedded Systems 143
Cloud-Based Systems 144
Virtualized Systems 145
Containerization 146
Microservices 146
Serverless 146
High-Performance Computing Systems 146
Edge Computing Systems 146
REVIEW 147
3.5 QUESTIONS 148
3.5 ANSWERS 148