CISSP Fast Track - Course Content


1. Management Domain

Security management entails the identification of an organisation's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines. Management tools such as data classification and risk assessment/analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.


  • Basic Concepts - The CIA Triad
  • Administrative, Technical and Physical Controls
  • Roles & Responsibilities
  • Change Control & Change Management
  • Information Asset Management
  • Security Architecture
  • Risk Management Principles, Tools, Methodologies and Standards
  • Policies, Standards, Guidelines & Procedures
  • Data Classification
  • Employment Policies and Practices
  • Security Awareness Training
  • Security Management Planning
  • Information Security Management Systems

2. Security Architecture and Models Domain

The Security Architecture and Models domain contains the concepts, principles, structures, and standards used to design, monitor, and secure operating systems, equipment, networks, applications and those controls used to enforce various levels of availability, integrity, and confidentiality.


  • Platform Architectures
  • Computer & Network Architectures
  • Layered Models
  • Operating System Principles
  • Threats to Shared Environments
  • Trusted Systems
  • Reference Monitors & Kernels, TCB
  • Operating Modes
  • Security Models
  • State Machine Models
  • Biba Matrix
  • Bell-LaPadula Matrix
  • Clark-Wilson
  • Other Protection Technologies
  • Comparison of Security Models
  • Certification & Accreditation
  • TCSEC, ITSEC, Common Criteria

3. Applications and Systems Development Domain

This domain addresses the important security concepts that apply to application software development. It outlines the environment where software is designed and developed and explains the critical role software plays in providing information.


  • Introduction: Changes in the Environment
  • Threat Agents: Hackers, crackers, phreaks and virus authors
  • Vulnerabilities
    - Mobile Code: Agents, applets, ActiveX, Java
    - Buffer Overflows, Stack Smashing, etc.
  • Malicious Code & Logic: Viruses, Trojans, Worms & Logic Bombs
  • Attacks: Code alteration, flooding, salami, SQL injection, trapdoors, DoS, etc.
  • Databases, Data Warehousing & Knowledge-based Systems
  • System Development Life Cycle
    - SDLC Phases
  • Iterative Development Models
  • Programming Languages and Translators
  • Object Oriented Design and Programming
  • Mobile Code
  • Security Features of Languages
  • Safeguards, Mitigation and Controls

4. Operations Security Domain

Operations Security is used to identify the controls over hardware, media, and the operators and administrators with access privileges to any of these resources. Audit and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process.


  • Goals of Operations Security
  • Resources: Hardware, Software, Network, Media
  • Administrative Management
  • Principles of Privilege: Least Privilege, Rotation of Duties & Separation of Duties
  • Due Care & Due Diligence
  • Privacy and Protection
  • Sensitive Information and Media
  • Operations Controls
    - Operational Controls for Trusted Systems
    - Network & Telecomms Controls
    - Media Controls
    - Personnel Controls
    - Infrastructure Controls
  • Configuration Management and Contingency Management
  • Auditing
    - Concepts and Considerations
    - Audit Trails & Reporting
  • Violation Analysis
  • Monitoring
    - Concepts
    - Tools and Techniques
  • Intrusion Detection
    - Use & Types
    - Types of IDS
    - Intrusion Prevention Systems
  • Penetration Testing
    - Techniques
  • Inappropriate Activities
  • Threats & Countermeasures
  • Violations, Breaches and Reporting

5. Physical Security Domain

The physical security domain provides protection techniques for the entire facility, from the outside perimeter to the inside office space, including all of the information system resources.


  • Terminology & Definitions
  • Changes in the Environment
  • Characterization of Systems
  • Physical Threats
  • Site Selection, Facility Design and Configuration
  • Water & Plumbing
  • Power and HVAC
  • Boundary Protection & Lighting, Fences and Gates
  • CCTV
  • Building Materials
  • Locks, Keys and Key Control Systems
  • Fire Prevention, Protection & Detection
  • Fire Suppression
  • Computing Facility Requirements
  • Securing Storage Areas
  • Portable Device Security
  • Media Protection & Disposal
  • Personnel Access Controls
    - Cards and Badges
    - Biometrics
  • Physical Security in Distributed Processing
  • Office Area Physical Security Controls

6. Cryptography Domain

The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality and authenticity.


  • Basic Concepts and Definitions
  • Goals of Cryptography
  • Stream vs Block Ciphers
  • Hash Functions
  • Message Digests & Message Authentication Codes
  • Symmetric Ciphers
  • Public-Key Ciphers
  • Digital Signatures
  • Hybrid Cryptosystems
  • Applications of Cryptography
    - Digital Certificates & PKI
    - Email Security
    - SSL
    - SSH
  • Methods of Attack
  • Import/Export Regulations

7. Access Control Systems and Methodology Domain

Access controls are mechanisms that work together to create a security architecture to protect the assets of the information system.


  • Information Protection Requirements, Basic Concepts and Threats
  • Security Technologies and Tools, Types of Controls
  • Identification and Authentication Techniques
  • Passwords, One-Time Passwords, Tokens, Smart Cards, Biometrics
  • Access Control Techniques
  • Centralised vs Remote Authentication Access Controls, RADIUS, TACACS, etc.
  • 802.1x Port-based Authentication
  • Decentralised Access Control, Single Sign-on, Kerberos, SESAME
  • Controls
    - Discretionary vs Mandatory Access Controls
    - Rule-Based Access Control, Role-Based Access Control, Lattice-Based Access Control, Access Control Lists, Capabilities
  • Data Ownership and Custodianship
  • Types of Attacks
  • Intrusion Detection and Auditing
  • Management Activities

8. Business Continuity Planning / Disaster Recovery Planning Domain

The Business Continuity Planning/Disaster Recovery Planning (BCP/DRP) domain addresses the preservation and recovery of business operations in the event of outages.


  • Key Terms & References
  • Definitions of BCP & DRP
  • Other Incident Response Plans
  • BCP Responsibilities
  • BCP Process
    - Overview
    - Critical Function Identification
    - Supporting Resources
    - Business Impact Analysis
    - Plan Development
    - Plan Content
    - Off-site Storage
    - Alternative Sites
    - Backup Processing
    - Other Elements
    - Recovery Organisation & Team Structure
    - Other Items
  • Testing and Plan Maintenance
    - Considerations for Testing
    - Types of Testing
  • Stages in an Incident
  • Disaster Recovery Time Line
  • Software Escrow

9. Telecommunications and Network Security Domain

The telecommunications, network, and Internet security domain discusses network structures, transmission methods, transport formats, the security measures used to provide availability, integrity, and confidentiality, and finally authentication for transmissions over private and public communications networks.


  • Key Terminology
  • LANs & WANs
  • ISO/OSI Layers & Characteristics
  • TCP/IP Layers & Characteristics
  • Physical Media Characteristics and Devices
  • Physical Layer Attacks and Controls
  • Network Layer Principles
    - Addresses and Routing
    - Attacks and Controls
  • Transport Layer Principles
    - Attacks and Controls: Port Scanning, IDS
  • Application Layer Protocols
  • Types of Protection
    - Firewalls & IPS
    - Virtual Private Networks
  • Honeypots and Honeynets
  • Network Security Assessment
  • Penetration Testing

10. Law, Investigation and Ethics Domain

The Law, Investigations, and Ethics domain addresses:


  • The Legal and Ethical Environment
  • Types & Categories of Computer Crime Laws
  • Corporate Governance and Audit Requirements
  • Privacy Requirements
  • Intellectual Property: Trade Secrets, Patents and Copyright
  • Records Retention
  • Industrial Relations
  • Legal Liability
  • Privacy & Other Personal Rights
  • Computer Crime
  • Legal Aspects of Cryptography
  • Computer Crime Investigation
    - Incident Response
    - Investigation Process
    - Computer Forensics
    - Rules of Evidence & Legal Proceedings
  • Computer Ethics
    - The Ten Commandments
    - Ethics & The Internet
    - (ISC)2 Code of Ethics
