O'Reilly - Certified Information Systems Security Professional @2019
by Integrity Training | Publisher: Stone River eLearning | Release Date: June 2019 | ISBN: 300000006CA311
The Certified Information Systems Security Professional course is a preparatory course for the CISSP certification exam provided by (ISC)2, the world's leading cybersecurity and IT security professional organization. It addresses the exam topics in detail, including information security concepts and industry best practices, and covers the eight domains of the official CISSP CBK (Common Body of Knowledge). Candidates gain knowledge in information security that increases their ability to successfully implement and manage security programs in any organization. The course enables students to validate their knowledge of information security in general and of the eight CISSP exam domains in particular. Course alumni are expected to become involved in critical security decisions and risk management. The course covers security and risk management, asset management, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security.
- Course Introduction
- Course Introduction 00:05:29
- Course Introduction A 00:02:19
- Course Introduction B 00:02:22
- Course Introduction C 00:01:29
- Instructor Introduction 00:03:40
- Domain 01 - Security and Risk Management
- Security and Risk Management 00:00:32
- Topic: Confidentiality, Integrity, and Availability 00:00:23
- Confidentiality 00:04:41
- Confidentiality (Cont.) 00:02:36
- Integrity 00:01:53
- Integrity (Cont.) 00:02:00
- Availability 00:01:52
- Availability (Cont.) 00:01:52
- References 00:00:13
- Topic: Security Governance 00:00:25
- Security Governance Principles 00:01:04
- Security Governance Principles (Cont.) 00:02:46
- Security Functions to Business Goals 00:02:02
- Security Functions to Business Goals (Cont.) 00:03:47
- Security Functions to Business Goals (Cont.) 00:02:57
- Organizational Processes 00:02:17
- Organizational Processes (Cont.) 00:03:17
- Roles and Responsibilities 00:01:44
- Roles and Responsibilities (Cont.) 00:01:25
- Security Control Frameworks 00:02:47
- Security Control Frameworks (Cont.) 00:03:03
- Security Control Frameworks (Cont.) 00:02:57
- Due Care / Due Diligence 00:02:18
- References 00:00:14
- Topic: Compliance Requirements 00:00:18
- Compliance Requirements 00:03:38
- Contracts, Legal, Industry Standards 00:02:45
- Contracts, Legal, Industry Standards (Cont.) 00:02:14
- Contracts, Legal, Industry Standards (Cont.) 00:03:52
- Privacy Requirements 00:01:14
- Privacy Requirements (Cont.) 00:02:13
- References 00:00:10
- Topic: Legal and Regulatory - Global 00:00:30
- Legal and Regulatory - Global 00:02:18
- Legal and Regulatory - Global (Cont.) 00:01:24
- Cyber Crimes and Data Breaches 00:01:20
- Cyber Crimes and Data Breaches (Cont.) 00:01:36
- Intellectual Property 00:02:36
- Intellectual Property (Cont.) 00:01:19
- Intellectual Property (Cont.) 00:01:59
- Intellectual Property (Cont.) 00:01:47
- Import / Export Controls 00:03:05
- Trans-border Data Flows 00:01:48
- Privacy 00:01:51
- Privacy (Cont.) 00:03:26
- References 00:00:10
- Topic: Professional Ethics 00:00:31
- Professional Ethics 00:02:03
- Professional Ethics (Cont.) 00:01:15
- Topic: Security Policy, Standards, Procedures 00:00:22
- Security Policy, Standards, Procedures 00:02:15
- Security Policy, Standards, Procedures (Cont.) 00:01:30
- Security Policy, Standards, Procedures (Cont.) 00:02:56
- References 00:00:09
- Topic: Business Continuity 00:00:20
- Business Continuity 00:01:23
- Business Continuity (Cont.) 00:03:21
- Document Scope and Plan 00:01:56
- Document Scope and Plan (Cont.) 00:02:58
- Business Impact Analysis 00:02:14
- Business Impact Analysis (Cont.) 00:02:09
- References 00:00:05
- Topic: Personnel Security Policies 00:00:29
- Personnel Security Policies 00:03:30
- Candidate Screening / Hiring 00:02:12
- Employment Agreements / Policies 00:03:13
- On-boarding / Termination Process 00:03:03
- On-boarding / Termination Process (Cont.) 00:02:53
- Vendor, Consultant, Contractor 00:01:55
- Compliance Policy Requirements 00:01:40
- Privacy Policy Requirements 00:02:26
- References 00:00:09
- Topic: Apply Risk Management 00:00:12
- Apply Risk Management Part 1 00:02:04
- Apply Risk Management Part 2 00:03:38
- Apply Risk Management Part 3 00:01:40
- Apply Risk Management Part 4 00:01:48
- Apply Risk Management Part 5 00:01:22
- References 00:00:11
- Topic: Threat Modeling 00:00:08
- Threat Modeling – Concepts / Methodology 00:03:44
- Threat Modeling – Categorizing Threats 00:02:33
- Threat Modeling – Generic Steps 00:02:50
- Threat Modeling – Analyzing Risk 00:02:20
- References 00:00:09
- Topic: Risk Management – Supply Chain 00:00:19
- Hardware, Software 00:03:40
- Hardware, Software (Cont.) 00:02:48
- Third-Party Evaluations 00:02:27
- Third-Party Evaluations (Cont.) 00:03:38
- Minimum Security 00:02:37
- References 00:00:30
- Topic: Security Awareness and Training 00:00:29
- Security Awareness and Training 00:04:38
- Methods and Techniques 00:01:39
- Periodic Content Reviews 00:01:46
- Effectiveness Evaluations 00:02:16
- References 00:00:13
- Domain 02 - Asset Management
- Asset Management 00:00:33
- Topic: Identify and Classify 00:00:23
- Data Classification Part 1 00:02:35
- Data Classification Part 2 00:02:35
- Data Classification Part 3 00:02:30
- Asset Classification 00:02:08
- Asset Classification (Cont.) 00:01:42
- References 00:00:08
- Topic: Asset Ownership 00:00:11
- Asset Ownership Part 1 00:04:24
- Asset Ownership Part 2 00:03:32
- Asset Ownership Part 3 00:02:44
- References 00:00:08
- Topic: Protect Privacy 00:00:14
- Data Owners 00:02:18
- Data Owners (Cont.) 00:03:55
- Data Processors 00:02:25
- Data Processors (Cont.) 00:01:16
- Data Remanence 00:01:47
- Data Remanence (Cont.) 00:02:20
- Data Collection Part 1 00:01:44
- Data Collection Part 2 00:01:14
- Data Collection Part 3 00:01:37
- References 00:00:22
- Topic: Asset Retention 00:00:12
- Asset Retention 00:02:15
- Record Retention 00:05:08
- References 00:00:12
- Topic: Data Security Controls 00:00:19
- Data Security Controls 00:03:08
- Data Security Controls (Cont.) 00:03:52
- Data Security Controls (Last Part) 00:03:54
- Scoping and Tailoring 00:02:22
- Standards Selection 00:02:48
- Data Protection Methods 00:01:05
- Data Protection Methods (Cont.) 00:02:08
- References 00:00:21
- Topic: Information / Asset Handling 00:00:12
- Information / Asset Handling Part 1 00:01:48
- Information / Asset Handling Part 2 00:03:27
- Information / Asset Handling Part 3 00:02:44
- Failure Examples 00:03:26
- Storage Options 00:01:52
- References 00:00:14
- Domain 03 - Security Architecture and Engineering
- Security Architecture and Engineering 00:00:47
- Topic: Engineering Processes and Secure Design 00:00:11
- Engineering Processes and Secure Design 00:02:06
- Closed / Open Systems 00:03:00
- Closed / Open Source Code 00:02:38
- Techniques / Confinement 00:02:08
- Bounds 00:01:42
- Process Isolation 00:01:36
- Controls / MAC and DAC 00:02:00
- References 00:00:12
- Topic: Concepts of Security Models 00:00:12
- Concepts of Security Models 00:03:12
- Security Perimeter 00:01:59
- Reference Monitors / Security Kernels 00:01:45
- Various Models 00:01:19
- References 00:00:10
- Topic: Controls Based on Security Requirements 00:00:09
- Controls Based on Security Requirements 00:01:20
- Rainbow Series 00:02:49
- TCSEC 00:01:17
- ITSEC / Common Criteria 00:01:33
- Common Criteria 00:01:24
- References 00:00:10
- Topic: Security Capabilities of Information Systems 00:00:14
- Security Capabilities of Information Systems 00:01:50
- Virtualization 00:02:39
- Trusted Platform Module 00:01:57
- References 00:00:10
- Topic: Assess / Mitigate Vulnerabilities 00:00:26
- Assess / Mitigate Vulnerabilities 00:02:30
- Local Caches 00:01:52
- Server-Based Systems 00:02:14
- Database Systems 00:02:46
- Database Systems (Cont.) 00:02:41
- Industrial Control Systems 00:04:04
- Cloud-Based Systems 00:04:17
- Cloud-Based Systems (Cont.) 00:02:53
- Distributed Systems 00:02:13
- Internet of Things 00:02:46
- References 00:00:12
- Topic: Assess / Mitigate Vulnerabilities (Web) 00:00:13
- Assess / Mitigate Vulnerabilities (Web) 00:03:37
- Assess / Mitigate Vulnerabilities (Web) - Cont. 00:03:01
- Assess / Mitigate Vulnerabilities (Web) - Cont. 00:03:28
- References 00:00:25
- Topic: Assess / Mitigate Vulnerabilities (Mobile) 00:00:08
- Assess / Mitigate Vulnerabilities (Mobile) 00:03:17
- Device Security 00:05:54
- Application Security 00:04:11
- Application Security (Cont.) 00:01:41
- References 00:00:11
- Topic: Assess / Mitigate Vulnerabilities (Embedded) 00:00:14
- Assess / Mitigate Vulnerabilities (Embedded) 00:02:18
- Embedded / Static Systems 00:02:26
- Securing Embedded / Static Systems 00:04:11
- References 00:00:12
- Topic: Apply Cryptography 00:00:41
- Apply Cryptography 00:04:20
- Cryptographic Life Cycle 00:01:40
- Cryptographic Methods 00:01:54
- Symmetric Key 00:02:42
- Asymmetric Key 00:03:55
- Asymmetric Key (Cont.) 00:02:06
- Elliptic Curve 00:01:51
- Public Key Infrastructure 00:01:29
- Certificates 00:02:10
- Certificates (Cont.) 00:01:57
- Key Management 00:03:20
- Digital Signatures 00:01:58
- Integrity - Hashing 00:01:35
- Integrity - Hashing (Cont.) 00:01:57
- Cryptanalytic Attacks 00:02:47
- Digital Rights Management (DRM) 00:03:38
- References 00:00:10
- Topic: Site / Facility Security Principles 00:00:09
- Site / Facility Security Principles 00:03:09
- Site / Facility Security Principles (Cont.) 00:03:03
- References 00:00:10
- Topic: Site / Facility Security Controls 00:03:41
- Site / Facility Security Controls 00:02:20
- Server Rooms / Data Centers 00:02:16
- Server Rooms / Data Centers (Cont.) 00:02:17
- Media Storage Facilities 00:01:31
- Evidence Storage 00:02:52
- Restricted and Work Area Security 00:01:43
- Utilities and HVAC 00:02:33
- Environmental Issues 00:02:10
- Fire Prevention, Detection, and Suppression 00:00:56
- Fire Extinguishers / Detection 00:01:28
- Water Suppression / Gas Discharge 00:01:40
- References 00:00:12
- Domain 04 - Communication and Network Security
- Communication and Network Security 00:00:27
- Topic: Secure Design and Network Architecture 00:00:23
- Secure Design and Network Architecture 00:01:29
- OSI Model 00:00:35
- Encapsulation / Decapsulation 00:01:36
- Physical / Data Link Layers 00:02:15
- Network Layer 00:00:55
- Transport Layer 00:00:56
- Session Layer 00:00:58
- Presentation Layer 00:01:04
- Application Layer 00:00:37
- IP Networking 00:00:44
- TCP/IP 00:04:32
- SYN / ACK / TCP 00:00:58
- IP Classes 00:02:37
- Multilayer Protocols 00:01:14
- Converged Protocols 00:01:47
- Wireless Networks 00:01:38
- Secure SSID 00:01:26
- Secure Encryption Protocols 00:01:05
- Secure Encryption Protocols (Cont.) 00:01:19
- References 00:00:21
- Topic: Secure Network Components 00:00:18
- Operation of Hardware 00:02:49
- Firewalls 00:02:10
- Firewall Inspection 00:01:44
- Transmission Media 00:01:58
- Baseband / Broadband 00:00:50
- Twisted Pair 00:01:54
- Network Access Controls 00:00:31
- Network Access Controls - Concepts 00:01:09
- Endpoint Security 00:02:02
- Distribution Networks 00:01:26
- References 00:00:12
- Topic: Secure Communication Design 00:00:13
- Voice 00:01:57
- PBX Fraud 00:01:06
- Multimedia Collaboration 00:01:20
- Remote Meeting 00:01:38
- Securing Email 00:01:30
- Remote Access 00:01:54
- Remote Access (Cont.) 00:01:52
- Remote Authentication 00:01:24
- Virtualized Networks 00:01:46
- VPN Protocols 00:00:58
- References 00:00:16
- Domain 05 - Identity and Access Management
- Identity and Access Management 00:00:32
- Topic: Physical and Logical Access 00:00:13
- Information 00:01:57
- Access Control Process 00:02:34
- Logical and Technical Access Controls 00:02:55
- Logical and Technical Access Controls (Cont.) 00:02:05
- Systems 00:01:53
- Devices 00:02:13
- Facilities 00:02:23
- References 00:00:44
- Topic: Manage Identification / Authentication 00:00:25
- Identity Implementation 00:01:47
- Single / Multi-factor Authentication 00:03:51
- Service Authentication 00:02:38
- Accountability 00:02:56
- Session Management 00:02:16
- Registration / Proofing Identity 00:02:34
- Federated Identity Management 00:02:34
- Common Language 00:02:17
- Credential Management Systems 00:03:45
- CyberArk 00:01:38
- References 00:00:17
- Topic: Integrate Identity as a Third-Party Service 00:00:12
- On-Premise 00:02:38
- Cloud 00:02:31
- Federated 00:01:00
- References 00:00:12
- Topic: Implement and Manage Authorization 00:00:30
- Role-Based Access 00:01:52
- Upsides / Downsides 00:01:28
- Rule-Based Access 00:01:40
- Mandatory Access 00:01:43
- Discretionary Access 00:02:09
- Attribute-based Access 00:00:55
- References 00:00:12
- Topic: Manage Identity / Access Lifecycle 00:00:13
- Account Review 00:04:38
- System Access Review 00:03:58
- Provisioning 00:02:13
- Provisioning (Cont.) 00:01:05
- References 00:00:12
- Domain 06 - Security Assessment and Testing
- Security Assessment and Testing 00:00:28
- Topic: Assessment, Test, and Audit Strategies 00:00:09
- Assessment, Test, and Audit Strategies 00:02:56
- Security Assessment / Testing 00:03:13
- Security Assessments 00:01:32
- External / Third Party 00:02:38
- Auditing Standards 00:01:12
- References 00:00:11
- Topic: Security Control Testing 00:00:22
- Vulnerability Assessment 00:04:22
- Vulnerability Scans 00:03:49
- Network Vulnerability Scans 00:02:30
- Web Vulnerability Scans 00:04:39
- Penetration Testing 00:03:43
- Testing Options 00:01:00
- Log Reviews 00:04:14
- Synthetic Transaction 00:01:02
- Code Review / Testing 00:01:47
- Testing Options (Cont.) 00:02:13
- Misuse Case Testing 00:01:38
- Test Coverage Analysis 00:01:08
- Interface Testing 00:02:07
- References 00:00:27
- Topic: Security Process Data 00:00:17
- Account Management 00:06:40
- Management Review 00:02:41
- Performance and Risk Indicators 00:01:16
- Backup Verification 00:01:54
- Training and Awareness 00:01:04
- References 00:00:08
- Topic: Analyze Test Output / Generate Reports 00:00:14
- Analyze Test Output / Generate Reports 00:03:49
- External Scan Report 00:03:23
- References 00:00:05
- Topic: Conduct / Facilitate Security Audit 00:00:08
- Internal Aspects 00:03:06
- External / Third-Party Aspect 00:01:51
- References 00:00:12
- Domain 07 - Security Operations
- Security Operations 00:00:19
- Topic: Investigations 00:00:16
- Evidence Collection 00:02:52
- Network / Software / Hardware Analysis 00:03:12
- Reporting and Documentation 00:03:36
- Investigative Techniques 00:01:11
- Gathering Evidence 00:01:07
- Digital Forensics 00:01:48
- Chain of Custody 00:01:39
- References 00:00:10
- Topic: Investigation Team 00:00:11
- Administrative Aspects 00:02:51
- Criminal Investigations 00:02:33
- Civil Investigations 00:02:54
- Regulatory Investigations 00:02:21
- References 00:00:09
- Topic: Logging and Monitoring Activities 00:00:15
- SIEM 00:03:07
- Deployment 00:02:21
- Continuous Monitoring 00:02:39
- Egress Monitoring 00:02:06
- Tools to Assist 00:04:04
- References 00:00:11
- Topic: Provisioning Resources 00:00:13
- Asset Inventory 00:02:03
- Asset Management 00:02:30
- Cloud-Based Management 00:04:00
- Configuration Management 00:02:17
- References 00:00:16
- Topic: Security Operations Concepts 00:00:21
- Separation of Duties 00:03:01
- Need to Know / Least Privilege 00:01:43
- Separation of Privilege 00:01:17
- Privileged Account Management 00:04:58
- Job Rotation 00:03:05
- Information Lifecycle 00:01:49
- Key Phases of Data 00:02:51
- Service Level Agreements 00:01:49
- References 00:00:13
- Topic: Protection Techniques 00:00:10
- Media Management 00:02:46
- Hardware / Software Asset Management 00:01:45
- Software 00:02:15
- References 00:00:10
- Topic: Incident Management 00:00:14
- Detection 00:02:38
- Response 00:02:37
- Reporting 00:02:37
- Legal / Compliance 00:01:47
- Recovery 00:02:05
- Remediation 00:01:29
- Lessons Learned 00:01:17
- References 00:00:15
- Topic: Detective / Preventative Measures 00:00:23
- Firewalls 00:04:07
- Intrusion Detection / Prevention 00:02:06
- Knowledge / Behavior-Based 00:01:59
- Network / Host-Based 00:01:49
- Whitelisting / Blacklisting 00:02:01
- Third-Party Security Services 00:01:41
- Sandboxing 00:01:23
- Honeypots / Honeynets 00:02:53
- Anti-Malware 00:01:56
- References 00:00:14
- Topic: Patch and Vulnerability Management 00:00:09
- Patch / Vulnerability Management 00:02:43
- Patch Management 00:02:26
- References 00:00:16
- Topic: Change Management Processes 00:00:10
- Change Management 00:02:28
- Security Impact Analysis 00:02:56
- References 00:00:09
- Topic: Implement Recovery Strategies 00:00:22
- Backup Storage 00:02:38
- Recovery Site Strategies 00:03:20
- Business / Functional Unit Priorities 00:02:04
- Crisis Management 00:04:09
- Multiple Processing Sites 00:02:29
- Options 00:02:03
- Cloud Computing 00:01:18
- High Availability / QoS 00:01:08
- Hard Drives / Power Sources 00:03:18
- QoS 00:00:57
- References 00:00:09
- Topic: Implement Disaster Recovery 00:00:16
- Response 00:02:11
- Personnel 00:02:18
- Communications 00:03:09
- Assessment 00:01:01
- Restoration 00:01:37
- Training and Awareness 00:02:10
- References 00:00:07
- Topic: Test Disaster Recovery 00:00:23
- Overview 00:04:23
- Read-Through Checklists 00:01:21
- Walk-Through (Table-Top) 00:01:15
- Simulation Test 00:01:42
- Parallel Test 00:01:09
- Full Interruption 00:01:49
- References 00:00:08
- Topic: Implement / Manage Physical Security 00:00:15
- Perimeter Security 00:03:24
- Fences, Gates and Lighting 00:02:45
- Security Dogs 00:02:25
- Internal Security Controls 00:01:56
- Badges / Regulatory Requirements 00:01:53
- References 00:00:06
- Topic: Personnel Safety / Security 00:00:12
- Travel 00:02:32
- Travel (Cont.) 00:02:49
- Security Training and Awareness 00:02:00
- Emergency Management 00:01:28
- Duress 00:02:23
- References 00:00:16
- Domain 08 - Software Development Security
- Software Development Security 00:00:30
- Topic: Software Development Life Cycle 00:00:10
- Development Methodologies 00:02:08
- Functional Requirements / Control Specifications 00:03:23
- Design / Code Review 00:01:14
- User Acceptance Testing / Change Management 00:02:20
- Maturity Models 00:02:09
- Agile / SW-CMM 00:02:09
- Change Management 00:02:14
- Integrated Product Team 00:01:39
- References 00:00:18
- Topic: Security Controls in Development 00:00:16
- Security of Software Environments 00:02:24
- Development Security 00:03:35
- Secure Coding Configuration Management 00:04:39
- Code Repositories 00:01:47
- Best Practices 00:01:34
- References 00:00:17
- Topic: Assess Software Security Effectiveness 00:00:18
- Auditing and Logging 00:02:00
- ODBC / NoSQL 00:03:03
- Risk Analysis / Mitigation 00:02:39
- Development Methodology 00:02:35
- Tracking Progress / Repeat 00:01:03
- References 00:00:14
- Topic: Security Impact of Acquired Software 00:00:10
- Security Impact of Acquired Software 00:03:14
- OWASP Key Considerations 00:03:05
- References 00:00:11
- Topic: Secure Coding Guidelines and Standards 00:00:11
- Security Weaknesses / Vulnerabilities 00:03:22
- Reconnaissance Attacks 00:01:34
- Masquerading Attacks 00:02:12
- API Security 00:01:47
- Secure Coding Practices 00:00:57
- Testing Options 00:00:44
- References 00:00:12
- Course Closure 00:02:58