CISSP 2015: What’s New (Part 4 of 5)

November 5, 2015 at 1:19 pm | Posted in CISSP, study tips | 2 Comments

In my first post, I gave you a quick overview of the changes to the new CISSP exam. In my second post, I covered Domains 1 and 2 of the new CISSP exam. In my third post, I covered Domains 3 and 4 of the new CISSP exam.

Today I will cover the next two domains, Identity and Access Management and Security Assessment and Testing. In a nutshell, Domain 5 reflects the need to integrate cloud-based access control to workflows like Office 365 and Google Drive with on-premise access control, and Domain 6 adds coverage of designing, implementing, and analyzing security testing practices.

First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 5: Identity and Access Management – Framework and Key Areas of Knowledge

CISSP 2012 covered identity management as a knowledge area in the access control domain. In CISSP 2015, identity management is elevated to the domain level and combined with access control. The majority of the old Domain 1 (Access control) has been moved to the new Domain 5 (Identity and Access Management), with the addition of new topics that cover identity, session, and credential management.

This domain also includes a few topics from the old Domain 10 (Physical (Environmental) Security).

Domain 5 Key Areas of Knowledge:

    1. Control physical and logical access to assets – From Domain 10, subheading e in the old version.
      1. Information – New
      2. Systems – From Domain 10, subheading e in the old version.
      3. Devices – From Domain 10, subheading e in the old version.
      4. Facilities – New
    2. Manage identification and authentication of people and devices – From Domain 1, subheading a in the old version.
      1. Identity management implementation (e.g., SSO, LDAP) – From Domain 1 in the old version.
      2. Single/multi-factor authentication (e.g., factors, strength, errors, biometrics) – From Domain 1 in the old version.
      3. Accountability – From Domain 1 in the old version.
      4. Session management (e.g., timeouts, screen savers) – New
      5. Registration and proofing of identity – New
      6. Federated identity management (e.g., SAML) – New
      7. Credential management systems – New
    3. Integrate identity as a service – New
    4. Integrate third-party identity services (e.g., on-premise) – New
    5. Implement and manage authorization mechanisms – From Domain 1, subheading a in the old version.
      1. Role-based access control (RBAC) methods – From Domain 1, subheading a in the old version.
      2. Rule-based access control methods – From Domain 1, subheading a in the old version.
      3. Mandatory access control (MAC) – From Domain 1, subheading a in the old version.
      4. Discretionary access control (DAC) – From Domain 1, subheading a in the old version.
    6. Prevent or mitigate access control attacks – From Domain 1, subheading b in the old version.
    7. Manage the identity and access provisioning lifecycle (e.g., provisioning, review) – From Domain 1, subheadings c and d in the old version.

Domain 5 – Just the New Topics, Ma’am

Next, here’s a short list of the entirely new topics in Domain 5.

Knowledge Area A, Control physical and logical access to assets, contains both new and old topics. The definition of “assets” is now a little more granular, replacing “systems and devices” with “information, systems, devices, and facilities.” The following topics within this Domain are new:

  • Information – This is a new topic. It focuses on controlling physical and logical access to information.
  • Facilities – This is a new topic. It focuses on controlling physical and logical access to buildings and equipment.

Knowledge Area B, Manage identification and authentication of people and devices, contains both new and old topics. The following topics within this Domain are new:

  • Session management (e.g., timeouts, screen savers) – This is a new topic. It focuses on mechanisms that provide session management, both online and at the physical client level.
  • Registration and proofing of identity – This is a new topic. It focuses on registering identities and using identity-proofing mechanisms before issuing authentication credentials to personnel and devices.
  • Federated identity management (e.g., SAML) – This is a new topic. It focuses on enterprise-level federated identity management used for single sign-on, including Active Directory Directory Services, SAML 2.0, and third-party identity providers.
  • Credential management systems – This is a new topic. It focuses on using a credential management system in large enterprises.

Knowledge Area C, Integrate identity as a service, is a new knowledge area. It covers using cloud-based identity as a service (IDaaS) to provide single sign-on for both SaaS and internal applications.

Knowledge Area D, Integrate third-party identity services (e.g., on-premise), is also a new knowledge area. This covers using third-party identity services in an enterprise to access both cloud-based and on-premise applications.

Domain 6: Security Assessment and Testing – Framework and Key Areas of Knowledge

A portion of Domain 6 consists of content formerly included in the old Domain 1 (Access Control) and Domain 9 (Business Continuity and Disaster Recovery). However, the majority of this Domain contains content that was not specifically listed in the old CISSP version. To master this domain, you should know the various types of test strategies used by organizations, and understand the strengths and weaknesses of each approach. You should also understand how an organization’s information security policies should be implemented and continually validated. This domain combines policy with practice.

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Design and validate assessment and test strategies – New
  2. Conduct security control testing – New
    1. Vulnerability assessment – From Domain 1, subheading b in the old version.
    2. Penetration testing – From Domain 1, subheading b in the old version.
    3. Log reviews – New
    4. Synthetic transactions – New
    5. Misuse case testing – New
    6. Test coverage analysis – New
    7. Interface testing (e.g., API, UI, physical) – New
  3. Collect security process data – New
    1. Account management (e.g., escalation, revocation) – New
    2. Management review – New
    3. Key performance and risk indicators – New
    4. Backup verification data – New
    5. Training and awareness – New
    6. Disaster recovery and business continuity – New
  4. Analyze and report test outputs (e.g., automated, manual) – New
  5. Conduct or facilitate internal and third-party audits – From Domain 9, subheading e in the old version.

Domain 6 – Just the New Topics already

Here’s a closer look at the new topics in Domain 6.

Knowledge Area A, Design and validate assessment and test strategies, is a new knowledge area. It covers the different assessment and test strategies that are used to verify that a control is functioning properly, including automated and manual tests. The key word is “design” – the candidate should understand how to build an integrated strategy, from risk assessment and baselining to implementation and reporting.

From Knowledge Area B, Conduct security control testing:

  • Log reviews – This is a new topic. It discusses using log review as part of a thorough security control testing plan.
  • Synthetic transactions – This is a new topic. It discusses synthetic transactions as part of security control testing.
  • Misuse case testing – This is a new topic. It discusses misuse cases as part of security control testing.
  • Test coverage analysis – This is a new topic. It discusses analyzing test coverage to ensure that all security controls are tested.
  • Interface testing (e.g., API, UI, physical) – This is a new topic. It discusses testing interfaces as part of security control testing.

From Knowledge Area C, Collect security process data:

  • Account management (e.g., escalation, revocation) – This is a new topic. It covers account management as part of collecting security process data.
  • Management review – This is a new topic. It covers management review of the collected security process data.
  • Key performance and risk indicators – This is a new topic. It covers the key performance and risk indicators that should be collected as part of security process data.
  • Backup verification data – This is a new topic. It covers verifying backups as part of security assessment and testing.
  • Training and awareness – This is a new topic. It covers training and awareness for users to ensure that they understand security assessment and testing.

Knowledge Area D, Analyze and report test outputs (e.g., automated, manual), is a new knowledge area. It covers interpreting and recording the results of your own testing, as well as the results of third-party audits, and developing new mitigations based on those results.

Recap

In the coming weeks, I will be posting the other 2 parts of this series. (Hyperlinks will be added as the posts are written.)

  • Part 1 covered general information about the new CISSP.
  • Part 2 covered new Domains 1 and 2.
  • Part 3 covered new Domains 3 and 4.
  • Part 4 (this post) covers new Domains 5 and 6.
  • Part 5 will cover new Domains 7 and 8.

The last post will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

2 Comments

  1. […] 1 and 2 of the new CISSP exam. In my third post, I covered Domain 3 and 4 of the new CISSP exam. In my fourth post, I covered Domain 5 and 6 of the new CISSP exam. In this, my FINAL post, I will conclude […]

  2. There’s certainly a great deal to find out about this subject.

    I like all of the points you have made.
