CCISO Certified Chief Information Security Officer All-in-One Exam Guide

Paperback

$85.00 

Overview

Take the challenging CCISO exam with confidence using the comprehensive information contained in this effective study guide.

CCISO Certified Chief Information Security Officer All-in-One Exam Guide provides 100% coverage of all five CCISO domains. For each domain, the information presented includes clear explanations, examples, background information, and technical information explaining the core concepts. The book also contains stories, advice, and experiences from CISOs that help describe the challenges of the CISO in the real world. It is written by information security engineers with over 50 years of combined experience helping organizations manage their risk by protecting their assets from cyber threats.

CCISO Certified Chief Information Security Officer All-in-One Exam Guide covers all CCISO domains, including:

• Governance and Risk Management
• Information Security Controls, Compliance, and Audit Management
• Security Program Management and Operations
• Information Security Core Competencies
• Strategic Planning, Finance, Procurement, and Vendor Management

Online content includes:

• 300 practice questions in the customizable Total Tester exam engine

Product Details

ISBN-13: 9781260463927
Publisher: McGraw Hill LLC
Publication date: 12/02/2020
Pages: 400
Sales rank: 1,100,332
Product dimensions: 7.20(w) x 9.00(h) x 0.80(d)

About the Author

Steven Bennett, CCISO, CISSP, CISA, has over 40 years of experience in information technology specializing in information security. He has served as an information security engineer and consultant for organizations in nearly every major business sector as well as federal, state, and local government agencies. He has created courseware and taught classes covering diverse topics including information security, social engineering, auditing, systems administration, network monitoring, and fiber optic communications.

Jordan Genung, CCISO, CISSP, CISM, CISA, serves as an Information Security Officer and security advisor for public and private sector organizations. His experience includes security consulting for Fortune 100 companies and government agencies, building information security programs, and developing information security curriculum. Jordan holds a degree in Computer Science and Information Security from the University of Texas at San Antonio, an NSA and DHS National Center of Academic Excellence in Cyber Operations, Cyber Defense, and Research.

Table of Contents

Acknowledgments xv

Introduction xvii

Chapter 1 Governance and Risk Management 1

Governance 2

Information Security Governance 4

Information Security Management Structure 9

Sizing 9

Management Structure 10

Principles of Information Security 12

The CIA Triad 12

Security Vulnerabilities, Threats, Risks, and Exposures 13

Cyberattack Elements 14

Defense-In-Depth 15

Risk Management 16

Risk Management Program 17

Best Practice Frameworks for Risk Management 25

Management and Technical Information Security Elements 26

Security Program Plan 26

Security Policies, Standards, and Guidelines 28

Asset Security 29

Identity and Access Management 30

Security Engineering 30

Physical Security 31

Security Operations 31

Software Development Security 33

Security Assessments and Testing 33

Security Training and Awareness 33

Business Continuity and Disaster Recovery 34

Compliance 34

Compliance Team 36

Compliance Management 36

Privacy 39

Privacy Impact Assessment 40

Privacy and Security 40

Laws and Regulatory Drivers 40

Federal Information Security Modernization Act 41

Defense Federal Acquisition Regulation Supplement 252.204-7012 42

Clinger-Cohen Act 43

Payment Card Industry Data Security Standard 43

Privacy Act of 1974 44

Gramm-Leach-Bliley Act 45

Health Insurance Portability and Accountability Act 46

Family Educational Rights and Privacy Act 47

Sarbanes-Oxley Act 47

General Data Protection Regulation 48

North American Electric Reliability Corporation Critical Infrastructure Protection 49

Summary of Laws and Regulatory Drivers 50

Standards and Frameworks 50

ISO/IEC 27000 Series 51

ISO/IEC 27001 52

NIST Cybersecurity Framework 53

Federal Information Processing Standards 54

NIST Special Publications 55

Privacy Shield 56

COBIT 57

Information Security Trends and Best Practices 58

Open Web Application Security Project 58

Cloud Security Alliance 58

Center for Internet Security 58

Information Security Training and Certifications 59

International Information System Security Certification Consortium 59

ISACA 59

International Council of E-Commerce Consultants 60

SANS Institute 60

Computing Technology Industry Association 62

International Association of Privacy Professionals 62

Offensive Security 62

Ethics 63

Chapter Review 64

Quick Review 65

Questions 67

Answers 69

Chapter 2 Information Security Controls, Compliance, and Audit Management 71

Information Security Controls 72

Control Fundamentals 72

Control Frameworks 75

Information Security Control Life Cycle Frameworks 76

NIST Risk Management Framework 76

NIST Cybersecurity Framework 77

ISO/IEC 27000 77

Information Security Control Life Cycle 78

Step 1: Risk Assessment 78

Step 2: Design 80

Step 3: Implementation 81

Step 4: Assessment 82

Step 5: Monitoring 84

Exploring Information Security Control Frameworks 86

NIST SP 800-53 87

NIST Cybersecurity Framework 88

ISO/IEC 27002 90

CIS Critical Security Controls 92

CSA Cloud Controls Matrix 94

Auditing for the CISO 96

Audit Management 96

Audit Process 100

Control Self-Assessments 108

Continuous Auditing 110

Specific Types of Audits and Assessments 111

Chapter Review 114

Quick Review 114

Questions 117

Answers 119

Chapter 3 Security Program Management and Operations 121

Security Program Management 121

Security Areas of Focus 122

Security Streams of Work 125

Asset Security Management 129

Security Projects 131

Security Program Budgets, Finance, and Cost Control 132

Establishing the Budget 133

Managing and Monitoring Spending 136

Security Program Resource Management: Building the Security Team 136

Project Management 139

Project Management Fundamentals 139

Project Management Training and Certifications 140

Phases of Project Management 142

Initiating 143

Planning 145

Executing 153

Monitoring and Controlling 154

Closing 156

Chapter Review 157

Quick Review 158

Questions 159

Answers 161

Chapter 4 Information Security Core Competencies 163

Malicious Software and Attacks 164

Malware 164

Scripting and Vulnerability-Specific Attacks 170

Social Engineering 172

Types of Social Engineering Attacks 172

Why Employees Are Susceptible to Social Engineering 174

Social Engineering Defenses 174

Asset Security 179

Asset Inventory and Configuration Management 180

Secure Configuration Baselines 180

Vulnerability Management 181

Asset Security Techniques 182

Data Security 186

Data at Rest 187

Data in Transit 187

Data in Use 187

Data Life Cycle 187

Identity and Access Management 192

Identity and Access Management Fundamentals 193

Identity Management Technologies 194

Authentication Factors and Mechanisms 195

Access Control Principles 195

Access Control Models 196

Access Control Administration 197

Identity and Access Management Life Cycle 198

Communication and Network Security 199

WANs and LANs 199

IP Addressing 204

Network Address Translation 205

Network Protocols and Communications 206

Wireless 211

Network Technologies and Defenses 212

Cryptography 216

Cryptographic Definitions 217

Cryptographic Services 218

Symmetric, Asymmetric, and Hybrid Cryptosystems 218

Hash Algorithms 223

Message Authentication Codes 225

Digital Signatures 226

Public Key Infrastructure 227

Cloud Security 229

Cloud Computing Characteristics 229

Cloud Deployment Models 230

Cloud Service Models 230

Cloud Security Risks and Assurance Levels 231

Cloud Security Resources 232

Physical Security 232

Physical Security Threats 233

Physical Security Program Planning 234

Physical Security Resources 234

Physical Security Controls 235

Physical Security Auditing and Measurement 240

Personnel Security 241

Software Development Security 243

Integrating Security into the SDLC 245

Security SDLC Roles and Responsibilities 246

Software Vulnerabilities 247

Secure Coding Practices 252

Software Vulnerability Analysis and Assessments 253

Forensics, Incident Handling, and Investigations 255

Relevant Law 255

Logging and Monitoring 257

Incident Response and Investigations 259

Forensics and Digital Evidence 263

Security Assessment and Testing 265

Vulnerability Assessments 267

Penetration Testing 270

Regulatory Compliance Assessments 271

Security Program Assessments 272

Business Continuity and Disaster Recovery 272

Continuity Planning Initiation 274

Business Impact Analysis 275

Identify Preventive Controls 279

Develop Recovery Strategies and Solutions 279

Develop the Plan 284

Test the Plan 285

Maintain the Plan 287

Chapter Review 288

Quick Review 289

Questions 291

Answers 294

Chapter 5 Strategic Planning, Finance, Procurement, and Vendor Management 297

Strategic Planning 297

Organizational Strategic Planning 298

Organizational Strategic Planning Teams 303

Strategic Planning Process 305

Security Strategic Plan Example 305

Making Security Decisions 307

Enterprise Architecture 308

Financial Management 314

Accounting and Finance Basics 314

Information Security Annual Budget 323

Procurement and Vendor Management 326

Procurement Core Principles and Processes 326

Types of Contracts 331

Scope Agreements 332

Third-Party Vendor Risk Management 333

Chapter Review 338

Quick Review 338

Questions 339

Answers 340

Appendix About the Online Content 341

System Requirements 341

Your Total Seminars Training Hub Account 341

Privacy Notice 341

Single User License Terms and Conditions 341

Total Tester Online 343

Technical Support 343

Glossary 345

Index 357