CISSP Objectives
Domain 2: Asset Security
2.1 Identify and classify information and assets
o Data classification
o Asset classification
2.2 Establish information and asset handling requirements
2.3 Provision resources securely
o Asset management
2.4 Manage data lifecycle
o Data collection
o Data location
o Data maintenance
o Data retention
o Data remanence
o Data destruction
2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
2.6 Determine data security controls and compliance requirements
o Standards selection
Domain 3: Security Architecture and Engineering
3.1 Research, implement and manage engineering processes using secure design principles
o Threat modeling
o Least privilege
o Defense in depth
o Secure defaults
o Fail securely
o Separation of Duties (SoD)
o Keep it simple
o Zero Trust
o Privacy by design
o Trust but verify
o Shared responsibility
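Two of the principles in the list above, "secure defaults" and "fail securely", are easiest to see side by side in code. The following is an added illustration, not part of the CISSP outline: the same authorization check written fail-open and fail-secure against a constructed in-memory ACL. The subjects, actions, paths and the simulated policy backend are invented for the example.

```python
"""Added example for the "secure defaults" / "fail securely" principles.
The ACL, names and outage simulation below are constructed for illustration."""


class PolicyStoreUnavailable(Exception):
    """Raised when the (simulated) policy backend cannot be reached."""


# Constructed sample ACL: explicit (subject, action, resource) allow tuples.
SAMPLE_ACL = {
    ("alice", "read", "/reports/q3.pdf"),
    ("alice", "write", "/reports/q3.pdf"),
    ("bob", "read", "/reports/q3.pdf"),
}


def lookup_rule(store, subject, action, resource):
    """Simulated backend call. Passing store=None models an outage."""
    if store is None:
        raise PolicyStoreUnavailable("policy backend unreachable")
    return (subject, action, resource) in store


def authorize_fail_open(store, subject, action, resource):
    """Anti-pattern: a backend error is treated as 'allowed' so the application
    keeps working. Anyone who can trigger (or simply wait for) the outage gets
    every permission, including ones that were never granted."""
    try:
        return lookup_rule(store, subject, action, resource)
    except PolicyStoreUnavailable:
        return True


def authorize_fail_secure(store, subject, action, resource):
    """Secure default is deny. Access is granted only on an explicit allow rule
    that was successfully retrieved; malformed input, a missing rule, or any
    error at all ends in denial."""
    if not all(isinstance(x, str) and x for x in (subject, action, resource)):
        return False
    try:
        return lookup_rule(store, subject, action, resource) is True
    except Exception:
        # Deny rather than guess; an error must never widen access.
        return False


if __name__ == "__main__":
    for fn in (authorize_fail_open, authorize_fail_secure):
        print(fn.__name__, "during outage:",
              fn(None, "mallory", "write", "/reports/q3.pdf"))
```

With the policy store unreachable, the fail-open version grants "mallory" write access while the fail-secure version denies everything it cannot positively confirm; that default-deny behaviour is what the "secure defaults" and "fail securely" items refer to.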
3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
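Added worked example, not from the outline: the access rules of the Bell-LaPadula confidentiality model (simple security property and *-property) and of the Biba integrity model (their mirror image) evaluated over a lattice of labels. The levels, compartments and object names are made up for the demonstration.

```python
"""Added example: Bell-LaPadula and Biba rule evaluation on a label lattice.
Levels, compartments and object names are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet


class Level(IntEnum):
    # Constructed ordering. Read as clearance/classification for Bell-LaPadula
    # and as integrity level for Biba.
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    CRITICAL = 3


@dataclass(frozen=True)
class Label:
    """A lattice element: a linearly ordered level plus a set of compartments."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B iff A's level is at least B's and A's compartments
        # include all of B's. Labels with disjoint compartments are incomparable.
        return self.level >= other.level and self.compartments >= other.compartments


# Bell-LaPadula (confidentiality).
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property (star property): no write down."""
    return obj.dominates(subject)


# Biba (integrity): the same two rules with the direction reversed.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: no read down."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """* integrity property: no write up."""
    return subject.dominates(obj)


def access_matrix(subject: Label, objects: Dict[str, Label]) -> Dict[str, Dict[str, bool]]:
    """Evaluate every object under both models; returns {object: {rule: allowed}}."""
    return {
        name: {
            "blp_read": blp_can_read(subject, o),
            "blp_write": blp_can_write(subject, o),
            "biba_read": biba_can_read(subject, o),
            "biba_write": biba_can_write(subject, o),
        }
        for name, o in objects.items()
    }


if __name__ == "__main__":
    analyst = Label(Level.HIGH, frozenset({"finance"}))
    sample_objects = {
        "public_notice": Label(Level.LOW),
        "finance_ledger": Label(Level.HIGH, frozenset({"finance"})),
        "board_minutes": Label(Level.CRITICAL, frozenset({"finance"})),
        "hr_file": Label(Level.MEDIUM, frozenset({"hr"})),  # incomparable compartment
    }
    for name, row in access_matrix(analyst, sample_objects).items():
        print(f"{name:15} {row}")
```

Dominance requires both the level comparison and compartment containment, so a subject and an object with disjoint compartments are incomparable and neither model permits a read or a write between them; that lattice behaviour is what the star property relies on to stop information flowing down (Bell-LaPadula) or contamination flowing up (Biba).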
3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
o Client-based systems
o Server-based systems
o Database systems
o Cryptographic systems
o Industrial Control Systems (ICS)
o Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
o Distributed systems
o Brute force
o Ciphertext only
o Known plaintext
o Frequency analysis
o Chosen ciphertext
o Implementation attacks
o Side-channel
o Fault injection
o Timing
o Man-in-the-Middle (MITM)
o Pass the hash
o Kerberos exploitation
o Ransomware
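Three of the attack methods listed above can be shown in a few dozen lines. This is an added example, not part of the outline: a ciphertext-only brute-force search over a shift cipher, ranked by frequency analysis, followed by a timing attack on an early-exit comparison next to its constant-time replacement. The plaintext and the secret token are constructed for the example, and the oracle counts byte comparisons instead of measuring wall-clock time so that the leak is deterministic.

```python
"""Added example: brute force + frequency analysis (ciphertext only) and a
timing side-channel attack with its fix. Sample inputs are constructed."""
import hmac
import string

# Relative frequency of the letters A..Z in English text, in percent.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77,
                4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98,
                2.36, 0.15, 1.97, 0.07]

# Constructed sample inputs for the demonstration.
SAMPLE_PLAINTEXT = ("security architecture and engineering covers the principles that let a "
                    "system fail securely, keep least privilege and defend in depth against "
                    "an attacker who has already found a way in")
SAMPLE_SECRET = b"t0ken-9f"


def shift_cipher(text: str, key: int) -> str:
    """Caesar/shift cipher over ASCII letters; anything else passes through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared_vs_english(text: str) -> float:
    """Frequency analysis score: distance of the letter histogram from English (lower is closer)."""
    letters = [c for c in text.upper() if c in string.ascii_uppercase]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = [0] * 26
    for c in letters:
        counts[ord(c) - ord("A")] += 1
    score = 0.0
    for i in range(26):
        expected = ENGLISH_FREQ[i] * n / 100
        score += (counts[i] - expected) ** 2 / expected
    return score


def recover_shift_key(ciphertext: str) -> int:
    """Ciphertext-only attack: brute-force all 26 keys, keep the most English-looking candidate."""
    return min(range(26), key=lambda k: chi_squared_vs_english(shift_cipher(ciphertext, -k)))


def leaky_equal(secret: bytes, guess: bytes):
    """Early-exit comparison, as in a naive token or MAC check. Returns (equal, comparisons);
    the comparison count stands in for the elapsed time a real attacker would measure."""
    comparisons = 0
    if len(secret) != len(guess):
        return False, comparisons
    for s, g in zip(secret, guess):
        comparisons += 1
        if s != g:
            return False, comparisons
    return True, comparisons


def constant_work_equal(secret: bytes, guess: bytes):
    """Fixed-cost comparison: hmac.compare_digest examines every byte regardless of where
    a mismatch occurs, so the work done carries no information about the secret."""
    if len(secret) != len(guess):
        return False, 0
    return hmac.compare_digest(secret, guess), len(secret)


def recover_secret_via_timing(oracle, length: int) -> bytes:
    """Byte-at-a-time recovery: at each position the candidate that makes the oracle do
    the most work shares the longest prefix with the secret. Against a fixed-cost oracle
    every candidate scores the same and the recovery degenerates to garbage."""
    known = bytearray()
    for pos in range(length):
        best_byte, best_cost = 0, -1
        for candidate in range(256):
            guess = bytes(known) + bytes([candidate]) + b"\x00" * (length - pos - 1)
            equal, cost = oracle(guess)
            if equal:
                return guess
            if cost > best_cost:
                best_byte, best_cost = candidate, cost
        known.append(best_byte)
    return bytes(known)


if __name__ == "__main__":
    ct = shift_cipher(SAMPLE_PLAINTEXT, 7)
    k = recover_shift_key(ct)
    print("recovered shift key:", k, "->", shift_cipher(ct, -k)[:40], "...")
    n = len(SAMPLE_SECRET)
    print("vs early-exit compare:", recover_secret_via_timing(lambda g: leaky_equal(SAMPLE_SECRET, g), n))
    print("vs constant-time compare:", recover_secret_via_timing(lambda g: constant_work_equal(SAMPLE_SECRET, g), n))
```

The key-recovery half needs only ciphertext and a language model (here a letter histogram), which is why a shift cipher falls to a 26-key brute force without any known plaintext. The timing half is the same early-exit defect that has affected real MAC and token checks; the fix is not to hide the loop but to make its cost independent of the secret, which `hmac.compare_digest` does.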
3.8 Apply security principles to site and facility design
3.9 Design site and facility security controls
Domain 4: Communication and Network Security
4.1 Assess and implement secure design principles in network architectures
o Voice
o Multimedia collaboration
o Remote access
o Data communications
o Virtualized networks
o Third-party connectivity
Domain 5: Identity and Access Management (IAM)
5.1 Control physical and logical access to assets
o Information
o Systems
o Devices
o Facilities
o Applications
5.2 Manage identification and authentication of people, devices, and services
o On-premise
o Cloud
o Hybrid
5.4 Implement and manage authorization mechanisms
Domain 6: Security Assessment and Testing
6.1 Design and validate assessment, test, and audit strategies
o Internal
o External
o Third-party
6.2 Conduct security control testing
o Vulnerability assessment
o Penetration testing
o Log reviews
o Synthetic transactions
o Code review and testing
o Account management
o Management review and approval
o Key performance and risk indicators
o Backup verification data
o Remediation
o Exception handling
o Ethical disclosure
6.5 Conduct or facilitate security audits
o Internal
o External
o Third-party
Domain 7: Security Operations
7.1 Understand and comply with investigations
o Log management
o Threat intelligence (e.g., threat feeds, threat hunting)
o User and Entity Behavior Analytics (UEBA)
7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
7.4 Apply foundational security operations concepts
o Need-to-know/least privilege
o Separation of Duties (SoD) and responsibilities
o Privileged account management
o Job rotation
o Service Level Agreements (SLAs)
7.5 Apply resource protection
o Media management
o Media protection techniques
7.6 Conduct incident management
o Detection
o Response
o Mitigation
o Reporting
o Recovery
o Remediation
o Lessons learned
7.7 Operate and maintain detective and preventative measures
o Sandboxing
o Honeypots/honeynets
o Anti-malware
o Machine learning and Artificial Intelligence (AI) based tools
7.8 Implement and support patch and vulnerability management
7.9 Understand and participate in change management processes
7.10 Implement recovery strategies
o System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance
7.11 Implement Disaster Recovery (DR) processes
o Response
o Personnel
o Communications
o Assessment
o Restoration
o Training and awareness
o Lessons learned
7.12 Test Disaster Recovery Plans (DRP)
o Read-through/tabletop
o Walkthrough
o Simulation
o Parallel
o Full interruption
7.13 Participate in Business Continuity (BC) planning and exercises
7.14 Implement and manage physical security
o Travel
o Security training and awareness
o Emergency management
o Duress
Domain 8: Software Development Security
8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
o Programming languages
o Libraries
o Tool sets
o Integrated Development Environment (IDE)
o Runtime
o Continuous Integration and Continuous Delivery (CI/CD)
o Commercial-off-the-shelf (COTS)
o Open source
o Third-party
o Security weaknesses and vulnerabilities at the source-code level
o Security of Application Programming Interfaces (APIs)
o Secure coding practices
o Software-defined security