
CISSP For Dummies, 4th Edition - Buch.de · About the Authors Lawrence Miller, CISSP, has worked in...

Date post: 27-Aug-2018

CISSP® For Dummies, 4th Edition


by Lawrence Miller and Peter H. Gregory



CISSP® For Dummies®, 4th Edition
Published by John Wiley & Sons, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com

Copyright © 2012 by John Wiley & Sons, Inc., Hoboken, New Jersey
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. CISSP is a registered trademark of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Not all content that is available in standard print versions of this book may appear or be packaged in all book formats. If you have purchased a version of this book that did not include media that is referenced by or accompanies a standard print version, you may request this media by visiting http://booksupport.wiley.com. For more information about Wiley products, visit us at www.wiley.com.

Library of Congress Control Number: 2012942107

ISBN 978-1-118-36239-6 (pbk); ISBN 978-1-118-41710-2 (ebk); ISBN 978-1-118-42037-9 (ebk); ISBN 978-1-118-46755-8 (ebk)

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1


About the Authors

Lawrence Miller, CISSP, has worked in information security and technology management for more than 15 years. He received his MBA from Indiana University and has earned numerous technical certifications throughout his career. He is currently working as the Director of Information Technology for an e-commerce and event merchandising company. He has previously worked as the Operations Manager for a Top 100 U.S. law firm, as an internetworking security engineer and a security consultant for service providers and clients in the retail, financial, and manufacturing sectors in the U.S. and Japan; he was a Chief Petty Officer in the U.S. Navy, serving in various roles, including information systems security manager and “weather guesser.” He is the author of Home Networking Do-It-Yourself For Dummies (John Wiley & Sons, Inc.) and has also written more than 25 For Dummies Custom Edition books on numerous topics, including information security, unified communications, virtualization, and archiving.

Peter H. Gregory, C|CISO, CISA, CISSP, CRISC, DRCE, CCSK, is the author of more than thirty books on security and technology, including Solaris Security (Prentice Hall), Biometrics For Dummies (John Wiley & Sons, Inc.), IT Disaster Recovery Planning For Dummies (John Wiley & Sons, Inc.), and CISA Certified Information Systems Auditor All-In-One Study Guide (McGraw-Hill/Osborne Media Group).

Peter is a career technologist and the global manager of information security and risk management at Concur (www.concur.com), a Redmond, WA–based leading provider of integrated travel and expense management solutions. Prior to this, he held tactical and strategic security positions in large wireless telecommunications organizations. He has also held development and operations positions in casino management systems, banking, government, nonprofit organizations, and academia since the late 1970s. Peter is the lead instructor and advisory board member for the University of Washington certificate program in information systems security and a graduate of the FBI Citizens’ Academy. He is a certified RiderCoach for the Motorcycle Safety Foundation and teaches people how to ride motorcycles in the Seattle area.

Peter can be found at www.peterhgregory.com.


Dedication

From Lawrence Miller: To Michelle.

From Peter H. Gregory: To Rebekah.


Authors’ Acknowledgments

Lawrence Miller would like to thank all the wonderful folks I have worked with on so many projects over the years. You all make writing so enjoyable and fulfilling: Amy, Barry, Chris, Dan, . . . E, F, G, . . . Heidi, I, Jen, Katie, Laura, Mike, N, O, Paul, . . . Q, Rev, Susan, . . . T, U, V, . . . W, X, Y, and Zoë! Finally, thank you Peter for working with me on yet another great book, and Kevin for helping to keep us (technically) honest and on our toes!

Peter H. Gregory would like to thank Katie Feltman, Senior Acquisitions Editor at Wiley, for her perseverance and patience. Thank you to Christopher Morris, Senior Project Editor at Wiley, for your help throughout this project, and to Barry Childs-Helton, for your really helpful copy editing. Thank you, Larry, for agreeing once again to coauthor this book. It’s great as always to work with you on security books.

There are many more people at Wiley and other organizations without whom this book could not be published and reach readers. I don’t know who you are, but I know you are out there, and I am grateful for your dedication and hard work.

My contribution to this book would not have been possible without support from my wife, business manager and best friend, Rebekah Gregory. Thanks also to Carole Jelen, my literary agent, for guidance on this and other projects over the past five years.


Publisher’s Acknowledgments

We’re proud of this book; please send us your comments at http://dummies.custhelp.com. For other comments, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Vertical Websites

Senior Project Editor: Christopher Morris
Senior Acquisitions Editor: Katie Feltman
Senior Copy Editor: Barry Childs-Helton
Technical Editor: Kevin Beaver
Editorial Manager: Kevin Kirschner
Vertical Websites Project Manager: Laura Moss-Hollister
Vertical Websites Assistant Project Manager: Jenny Swisher
Vertical Websites Associate Producers: Josh Frank, Marilyn Hummel, Douglas Kuhn, Shawn Patrick
Editorial Assistant: Leslie Saxman
Sr. Editorial Assistant: Cherie Case
Cover Photos: © Victor Habbick/iStockphoto.com
Cartoons: Rich Tennant (www.the5thwave.com)

Composition Services

Project Coordinator: Patrick Redmond
Layout and Graphics: Jennifer Creasey, Joyce Haughey, Corrie Niehaus
Proofreaders: BIM Indexing & Proofreading Services
Indexer: BIM Indexing & Proofreading Services

Publishing and Editorial for Technology Dummies

Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Acquisitions Director
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies

Kathleen Nebenhaus, Vice President and Executive Publisher

Composition Services

Debbie Stailey, Director of Composition Services


Contents at a Glance

Introduction ..... 1

Part I: Certification Basics ..... 7
Chapter 1: (ISC)2 and the CISSP Certification ..... 9
Chapter 2: The Common Body of Knowledge (CBK) ..... 19
Chapter 3: Putting Your Certification to Good Use ..... 27

Part II: Domains ..... 45
Chapter 4: Access Control ..... 47
Chapter 5: Telecommunications and Network Security ..... 89
Chapter 6: Information Security Governance and Risk Management ..... 153
Chapter 7: Software Development Security ..... 181
Chapter 8: Cryptography ..... 233
Chapter 9: Security Architecture and Design ..... 269
Chapter 10: Security Operations ..... 301
Chapter 11: Business Continuity and Disaster Recovery Planning ..... 333
Chapter 12: Legal, Regulations, Investigations, and Compliance ..... 371
Chapter 13: Physical (Environmental) Security ..... 413

Part III: The Part of Tens ..... 439
Chapter 14: Ten (Okay, Eight) Test Preparation Tips ..... 441
Chapter 15: Ten Test-Day Tips ..... 445
Chapter 16: Ten More Sources for Security Certifications ..... 449
Chapter 17: Ten Security Websites ..... 461
Chapter 18: Ten Essential Reference Books ..... 465

Part IV: Appendixes ..... 467
Appendix A: Practice CISSP Exam ..... 469
Appendix B: Glossary ..... 529

Index ..... 563


Table of Contents

Introduction ..... 1
  About This Book ..... 1
  How This Book Is Organized ..... 2
    Part I: Certification Basics ..... 2
    Part II: Domains ..... 2
    Part III: The Part of Tens ..... 3
    Part IV: Appendixes ..... 3
  How the Chapters Are Organized ..... 3
    Chapter introductions ..... 3
    Study subjects ..... 4
    Tables and illustrations ..... 4
    Prep Tests ..... 4
  Icons Used in This Book ..... 4
  Where to Go from Here ..... 5

Part I: Certification Basics ..... 7

Chapter 1: (ISC)2 and the CISSP Certification ..... 9
  About (ISC)2 and the CISSP Certification ..... 9
  You Must Be This Tall to Ride (and Other Requirements) ..... 10
  Registering for the Exam ..... 11
  Preparing for the Exam ..... 12
    Studying on your own ..... 12
    Getting hands-on experience ..... 13
    Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar ..... 14
    Attending other training courses or study groups ..... 14
    Take the testing tutorial and practice exam ..... 15
    Are you ready for the exam? ..... 15
  About the CISSP Examination ..... 16
  After the Examination ..... 17

Chapter 2: The Common Body of Knowledge (CBK) ..... 19
  Access Control ..... 19
  Telecommunications and Network Security ..... 20
  Information Security Governance and Risk Management ..... 21
  Software Development Security ..... 22
  Cryptography ..... 22
  Security Architecture and Design ..... 23
