CISSP 2015: What’s New (Part 2 of 5)

September 16, 2015 at 6:29 am | Posted in CISSP, Study hints, study tips, Vendor news | Leave a comment

In my first post, I gave you a quick overview of the changes to the new CISSP exam. The topics there should at least help you get started preparing for the exam. With this post, I’ll start discussing the domains covered by the new CISSP exam.

The former version of CISSP had 10 domains:

  1. Access Control
  2. Telecommunications and Network Security
  3. Information Security Governance and Risk Management
  4. Software Development Security
  5. Cryptography
  6. Security Architecture and Design
  7. Security Operations
  8. Business Continuity and Disaster Recovery Planning
  9. Legal, Regulations, Investigations, and Compliance
  10. Physical Security

With the 2015 update, the content was rearranged into 8 domains:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Today I will cover the first two domains, Security and Risk Management and Asset Security. First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 1: Security and Risk Management – Framework and Key Areas of Knowledge

The majority of the new Domain 1 merges topics from the old Domain 3 (Information Security Governance & Risk Management) and Domain 9 (Legal, Regulations, Investigations, & Compliance).

Domain 1 Key Areas of Knowledge:

    1. Understand and apply concepts of confidentiality, integrity, and availability. – From Domain 3, subheading c in old version.
    2. Apply security governance principles through:
      1. Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget, and resources) – From Domain 3, subheadings a and j in old version.
      2. Organizational processes (e.g., acquisitions, divestitures, governance committees) – From Domain 3, subheading b in old version.
      3. Security roles and responsibilities – From Domain 3, subheading b and Domain 9, subheading c in old version.
      4. Control frameworks – From Domain 3, subheading b in old version.
      5. Due care – From Domain 3, subheading b in old version.
      6. Due diligence – From Domain 3, subheading b in old version.
    3. Compliance
      1. Legislative and regulatory compliance – From Domain 3, subheading b and Domain 9, subheading e in old version.
      2. Privacy requirements compliance – From Domain 3, subheading b in old version.
    4. Understand legal and regulatory issues that pertain to information security in a global context.
      1. Computer crimes – From Domain 9, subheading a in old version.
      2. Licensing and intellectual property (e.g., copyright, trademark, digital-rights management) – From Domain 9, subheading a in old version.
      3. Import/export controls – From Domain 9, subheading a in old version.
      4. Trans-border data flow – From Domain 9, subheading a in old version.
      5. Privacy – From Domain 9, subheading a in old version.
      6. Data breaches – New
    5. Understand professional ethics.
      1. Exercise (ISC)2 Code of Professional Ethics. – From Domain 9, subheading b in old version.
      2. Support organization’s code of ethics. – From Domain 9, subheading b in old version.
    6. Develop and implement documented security policy, standards, procedures, and guidelines. – From Domain 3, subheadings d and j in old version.
    7. Understand business continuity requirements.
      1. Develop and document project scope and plan. – From Domain 8, subheading a in old version.
      2. Conduct business impact analysis. – From Domain 8, subheading b in old version.
    8. Contribute to personnel security policies.
      1. Employment candidate screening (e.g., reference checks, education verification) – From Domain 3, subheading h in old version.
      2. Employment agreement and policies – From Domain 3, subheading h in old version.
      3. Employment termination processes – From Domain 3, subheading h in old version.
      4. Vendor, consultant, and contractor controls – From Domain 3, subheading h in old version.
      5. Compliance – New
      6. Privacy – New
    9. Understand and apply risk management concepts.
      1. Identify threats and vulnerabilities. – From Domain 3, subheading g in old version.
      2. Risk assessment/analysis (qualitative, quantitative, hybrid) – From Domain 3, subheading g in old version.
      3. Risk assignment/acceptance (e.g., system authorization) – From Domain 3, subheading g in old version.
      4. Countermeasure selection – From Domain 3, subheading g in old version.
      5. Implementation – New
      6. Types of controls (preventive, directive, corrective, etc.) – From Domain 1, subheading a in old version.
      7. Control assessment – New
      8. Monitoring and measurement – New
      9. Asset valuation – From Domain 1, subheading b and Domain 3, subheading g in old version.
      10. Reporting – New
      11. Continuous improvement – New
      12. Risk frameworks – New
    10. Understand and apply threat modeling. – Although some of this topic was covered in Domain 1, subheading b, the majority of this topic is new.
      1. Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – New
      2. Determining and diagramming potential attacks (e.g., social engineering, spoofing) – New
      3. Performing reduction analysis – New
      4. Technologies and processes to remediate threats (e.g., software architecture and operations) – New
    11. Integrate security risk considerations into acquisition strategy and practice
      1. Hardware, software, and services – New
      2. Third-party assessment and monitoring (e.g., on-site assessment, document exchange and review, process/policy review) – From Domain 3, subheading f in the old version.
      3. Minimum security requirements – New
      4. Service-level requirements – New
    12. Establish and manage information security education, training, and awareness – From Domain 3, subheading 1 in old version. Although this topic is covered there, the 2015 subheadings are all new.
      1. Appropriate levels of awareness, training, and education required within organization – New
      2. Periodic reviews for content relevancy – New

Domain 1 – Just the New Topics, Ma’am

Next, here’s a shortlist of the entirely new topics in Domain 1.

From Knowledge Area D. Understand legal and regulatory issues that pertain to information security in a global context:

  • Data breaches – While this is a “new” topic because it wasn’t originally in Domain 9, subheading a, most of the topics covered in this section should already be known to the security professional.

From Knowledge Area H. Contribute to personnel security policies:

  • Compliance – This is a new topic. While compliance is covered in other areas, the CISSP exam has never specifically covered compliance as related to personnel security policies. This topic will focus on the ways an organization can ensure that personnel comply with any security policies that are in place.
  • Privacy – This is a new topic. While privacy is covered in other areas, the CISSP exam has never specifically covered privacy as related to personnel. This topic will focus on the organization’s responsibility to ensure that personnel’s information remains private, and also on how to ensure that personnel understand the importance of privacy for any data the organization owns.

From Knowledge Area I. Understand and apply risk management concepts:

  • Implementation – This is a new topic. It focuses on following implementation guidelines when implementing a risk management process at an organization.
  • Control assessment – This is a new topic. It covers how to assess the controls that you have implemented.
  • Monitoring and measurement – This is a new topic. It covers monitoring and measuring risk and the controls that are implemented to protect against the risks.
  • Reporting – This is a new topic. It explains the process for reporting on risk management.
  • Continuous improvement – This is a new topic. It covers how to improve the risk management process over time.
  • Risk frameworks – While technically a new topic, risk frameworks were generally covered as part of the risk management process, just not as an individual topic. This topic is about any international and industry risk frameworks that may be available to help guide your organization.

From Knowledge Area J. Understand and apply threat modeling:

  • Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – This is a new topic. It discusses the different threats to organizational security.
  • Determining and diagramming potential attacks (e.g., social engineering, spoofing) – This is a new topic. It focuses on the potential attacks that the threats can carry out.
  • Performing reduction analysis – This is a new topic. It discusses how to determine whether identified threats, and the attacks they can carry out, can be reduced.
  • Technologies and processes to remediate threats (e.g., software architecture and operations) – This is a new topic. It focuses on how to remediate the threats that you identified.

From Knowledge Area K. Integrate security risk considerations into acquisition strategy and practice:

  • Hardware, software, and services – This is a new topic. It analyzes the security risks of integrating newly acquired hardware, software, and services into the organization.
  • Minimum security requirements – This is a new topic. It focuses on determining the minimum security requirements when an acquisition occurs.
  • Service-level requirements – This is a new topic. It discusses all facets of service-level requirements when acquisitions occur.

From Knowledge Area L. Establish and manage information security education, training, and awareness:

  • Appropriate levels of awareness, training, and education required within organization – This is a new topic. It covers levels of security awareness, training, and education that should be provided to personnel.
  • Periodic reviews for content relevancy – This is a new topic. It focuses on reviewing the security education, training, and awareness program to ensure that new security topics are covered.

Domain 2: Asset Security – Framework and Key Areas of Knowledge

The majority of Domain 2 consists of new knowledge areas and topics, though it also pulls in a bit of content formerly included in the old Domain 5 (Cryptography) and Domain 7 (Operations Security). Why is there so much new content to cover here? Big data is a big asset, and as (ISC)2 points out, privacy considerations have increased due to “the rapid expansion in the collection and storage of digitized personal information.”

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Classify information and supporting assets (e.g., sensitivity, criticality) – New
  2. Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – New
  3. Protect privacy – New
    1. Data owners – New
    2. Data processors – New
    3. Data remanence – New
    4. Collection limitation – New
  4. Ensure appropriate retention (e.g., media, hardware, personnel) – From Domain 7, subheading a in the old version.
  5. Determine data security controls (e.g., data at rest, data in transit) – From Domain 5, subheading a in old version. Although this topic is covered there, the 2015 subheadings are all new.
    1. Baselines – New
    2. Scoping and tailoring – New
    3. Standards selection – New
    4. Cryptography – New
  6. Establish handling requirements (markings, labels, storage, destruction of sensitive information) – From Domain 7, subheading a in the old version.

Domain 2 – Just the New Topics Already

Here’s a closer look at the new topics in Domain 2.

Knowledge Area A, Classify information and supporting assets (e.g., sensitivity, criticality) – Although this is a new knowledge area, it was covered (though briefly) as part of the former CISSP. It covers the procedures for classifying information and assets as part of securing them.

Knowledge Area B, Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – This is a new knowledge area. It focuses on determining which organizational entity or personnel owns the assets you have identified.

Knowledge Area C, Protect privacy – This is another new knowledge area. It discusses protecting the privacy of information and assets. All of the subheadings in this category are also new.

  • Data owners – This is a new topic. It covers the responsibilities of data owners to ensure the privacy of information and assets.
  • Data processors – This is a new topic. It focuses on ensuring that all data processors (including personnel and other assets) understand the importance of information and asset privacy.
  • Data remanence – This is a new topic. It discusses data remanence and its effects on information and asset privacy.
  • Collection limitation – This is a new topic. It focuses on the collection limitations regarding asset privacy.

From Knowledge Area E, Determine data security controls (e.g., data at rest, data in transit):

  • Baselines – This is a new topic. It covers how to obtain data security control baselines.
  • Scoping and tailoring – This is a new topic. It analyzes how to scope and tailor the data security controls to meet the organization’s needs.
  • Standards selection – This is a new topic. It focuses on how to select the security control standards that your organization will use.
  • Cryptography – While technically a new topic, knowledge of cryptography and its effect on data security was covered in Domain 5 in the old version.

Recap

In the coming weeks, I will be posting the other 3 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 (this post) covers the new Domains 1 and 2.
      • Part 3 will cover the new Domains 3 and 4.
      • Part 4 will cover the new Domains 5 and 6.
      • Part 5 will cover the new Domains 7 and 8.

The next three posts will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin