Table of Contents
Information Security and Risk Management Todd Fitzgerald, CISSP Bonnie Goins, CISSP Rebecca Herold, CISSP 1
Introduction 1
CISSP Expectations 2
The Business Case for Information Security Management 4
Core Information Security Principles: Confidentiality, Availability, Integrity (CIA) 5
Confidentiality 5
Integrity 6
Availability 6
Security Management Practice 7
Information Security Management Governance 7
Security Governance Defined 8
Security Policies, Procedures, Standards, Guidelines, and Baselines 9
Security Policy Best Practices 10
Types of Security Policies 12
Standards 13
Procedures 14
Baselines 15
Guidelines 16
Combination of Policies, Standards, Baselines, Procedures, and Guidelines 16
Policy Analogy 16
Audit Frameworks for Compliance 17
COSO 17
ITIL 18
COBIT 18
ISO 17799/BS 7799 18
Organizational Behavior 19
Organizational Structure Evolution 20
Today's Security Organizational Structure 21
Best Practices 22
Job Rotation 23
Separation of Duties 23
Least Privilege (Need to Know) 25
Mandatory Vacations 25
Job Position Sensitivity 25
Responsibilities of the Information Security Officer 26
Communicate Risks to Executive Management 26
Budget for Information Security Activities 27
Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines 28
Develop and Provide Security Awareness Program 28
Understand Business Objectives 28
Maintain Awareness of Emerging Threats and Vulnerabilities 29
Evaluate Security Incidents and Response 29
Develop Security Compliance Program 29
Establish Security Metrics 29
Participate in Management Meetings 30
Ensure Compliance with Government Regulations 30
Assist Internal and External Auditors 30
Stay Abreast of Emerging Technologies 30
Reporting Model 31
Business Relationships 31
Reporting to the CEO 31
Reporting to the Information Technology (IT) Department 32
Reporting to Corporate Security 32
Reporting to the Administrative Services Department 33
Reporting to the Insurance and Risk Management Department 33
Reporting to the Internal Audit Department 33
Reporting to the Legal Department 34
Determining the Best Fit 34
Enterprisewide Security Oversight Committee 34
Vision Statement 34
Mission Statement 35
Security Planning 42
Strategic Planning 43
Tactical Planning 43
Operational and Project Planning 43
Personnel Security 44
Hiring Practices 44
Security Awareness, Training, and Education 51
Why Conduct Formal Security Awareness Training? 51
Training Topics 52
What Might a Course in Security Awareness Look Like? 52
Awareness Activities and Methods 54
Job Training 55
Professional Education 56
Performance Metrics 56
Risk Management 56
Risk Management Concepts 57
Qualitative Risk Assessments 58
Quantitative Risk Assessments 60
Selecting Tools and Techniques for Risk Assessment 62
Risk Assessment Methodologies 62
Risk Management Principles 64
Risk Avoidance 64
Risk Transfer 64
Risk Mitigation 65
Risk Acceptance 65
Who Owns the Risk? 66
Risk Assessment 66
Identify Vulnerabilities 66
Identify Threats 67
Determination of Likelihood 67
Determination of Impact 68
Determination of Risk 68
Reporting Findings 69
Countermeasure Selection 69
Information Valuation 70
Ethics 71
Regulatory Requirements for Ethics Programs 73
Example Topics in Computer Ethics 74
Computers in the Workplace 74
Computer Crime 74
Privacy and Anonymity 75
Intellectual Property 75
Professional Responsibility and Globalization 75
Common Computer Ethics Fallacies 75
The Computer Game Fallacy 76
The Law-Abiding Citizen Fallacy 76
The Shatterproof Fallacy 76
The Candy-from-a-Baby Fallacy 77
The Hacker's Fallacy 77
The Free Information Fallacy 77
Hacking and Hacktivism 77
The Hacker Ethic 78
Ethics Codes of Conduct and Resources 78
The Code of Fair Information Practices 78
Internet Activities Board (IAB) (now the Internet Architecture Board) and RFC 1087 79
Computer Ethics Institute (CEI) 79
National Conference on Computing and Values 80
The Working Group on Computer Ethics 80
National Computer Ethics and Responsibilities Campaign (NCERC) 80
(ISC)² Code of Ethics 81
Organizational Ethics Plan of Action 82
How a Code of Ethics Applies to CISSPs 84
References 87
Other References 87
Sample Questions 88
Access Control James S. Tiller, CISSP 93
Introduction 93
CISSP Expectations 93
Confidentiality, Integrity, and Availability 93
Definitions and Key Concepts 94
Determining Users 95
Defining Resources 96
Specifying Use 97
Accountability 97
Access Control Principles 98
Separation of Duties 98
Least Privilege 101
Information Classification 101
Data Classification Benefits 102
Establishing a Data Classification Program 103
Labeling and Marking 107
Data Classification Assurance 107
Summary 108
Access Control Categories and Types 108
Control Categories 108
Preventative 108
Deterrent 109
Detective 109
Corrective 110
Recovery 111
Compensating 111
Types of Controls 112
Administrative 113
Physical 124
Technical 125
Access Control Threats 130
Denial of Service 130
Buffer Overflows 131
Mobile Code 132
Malicious Software 133
Password Crackers 134
Spoofing/Masquerading 136
Sniffers, Eavesdropping, and Tapping 137
Emanations 138
Shoulder Surfing 139
Object Reuse 139
Data Remanence 140
Unauthorized Targeted Data Mining 142
Dumpster Diving 143
Backdoor/Trapdoor 144
Theft 144
Social Engineering 145
E-mail Social Engineering 145
Help Desk Fraud 146
Access to Systems 147
Identification and Authentication 147
Types of Identification 148
Types of Authentication 149
Authentication Method Summary 167
Identity and Access Management 169
Identity Management 170
Identity Management Challenges 172
Identity Management Technologies 173
Access Control Technologies 179
Single Sign-On 179
Kerberos 181
Secure European System for Applications in a Multi-Vendor Environment (SESAME) 184
Security Domain 185
Section Summary 186
Access to Data 186
Discretionary and Mandatory Access Control 186
Access Control Lists 188
Access Control Matrix 188
Rule-Based Access Control 188
Role-Based Access Control 189
Content-Dependent Access Control 191
Constrained User Interface 191
Capability Tables 191
Temporal (Time-Based) Isolation 192
Centralized Access Control 192
Decentralized Access Control 192
Section Summary 192
Intrusion Detection and Prevention Systems 194
Intrusion Detection Systems 195
Network Intrusion Detection System 196
Host-Based Intrusion Detection System 197
Analysis Engine Methods 198
Pattern/Stateful Matching Engine 199
Anomaly-Based Engine 200
Intrusion Responses 201
Alarms and Signals 203
IDS Management 204
Access Control Assurance 205
Audit Trail Monitoring 205
Audit Event Types 205
Auditing Issues and Concerns 206
Information Security Activities 207
Penetration Testing 208
Types of Testing 213
Summary 215
References 215
Sample Questions 215
Cryptography Kevin Henry, CISSP 219
Introduction 219
CISSP Expectations 219
Core Information Security Principles: Confidentiality, Integrity, and Availability 219
Key Concepts and Definitions 220
The History of Cryptography 222
The Early (Manual) Era 222
The Mechanical Era 222
The Modern Era 223
Emerging Technology 223
Quantum Cryptography 223
Protecting Information 225
Data Storage 225
Data Transmission 225
Uses of Cryptography 226
Availability 226
Confidentiality 226
Integrity 226
Additional Features of Cryptographic Systems 226
Nonrepudiation 227
Authentication 227
Access Control 227
Methods of Cryptography 227
Stream-Based Ciphers 227
Block Ciphers 229
Encryption Systems 229
Substitution Ciphers 229
Playfair Cipher 229
Transposition Ciphers 230
Monoalphabetic and Polyalphabetic Ciphers 231
Modular Mathematics and the Running Key Cipher 233
One-Time Pads 234
Steganography 235
Watermarking 235
Code words 235
Symmetric Ciphers 236
Examples of Symmetric Algorithms 237
Advantages and Disadvantages of Symmetric Algorithms 252
Asymmetric Algorithms 253
Confidential Messages 253
Open Message 254
Confidential Messages with Proof of Origin 254
RSA 254
Diffie-Hellman Algorithm 257
El Gamal 258
Elliptic Curve Cryptography 258
Advantages and Disadvantages of Asymmetric Key Algorithms 258
Hybrid Cryptography 259
Message Integrity Controls 260
Checksums 260
Hash Function 260
Simple Hash Functions 261
MD5 Message Digest Algorithm 261
Secure Hash Algorithm (SHA) and SHA-1 262
HAVAL 262
RIPEMD-160 262
Attacks on Hashing Algorithms and Message Authentication Codes 263
Message Authentication Code (MAC) 264
HMAC 264
Digital Signatures 265
Digital Signature Standard (DSS) 265
Uses of Digital Signatures 266
Encryption Management 266
Key Management 266
Key Recovery 267
Key Distribution Centers 268
Standards for Financial Institutions 268
Public Key Infrastructure (PKI) 269
Revocation of a Certificate 271
Cross-Certification 271
Legal Issues Surrounding Cryptography 271
Cryptanalysis and Attacks 271
Ciphertext-Only Attack 271
Known Plaintext Attack 271
Chosen Plaintext Attack 272
Chosen Ciphertext Attack 272
Social Engineering 272
Brute Force 272
Differential Power Analysis 273
Frequency Analysis 273
Birthday Attack 273
Dictionary Attack 273
Replay Attack 273
Factoring Attacks 273
Reverse Engineering 273
Attacking the Random Number Generators 274
Temporary Files 274
Encryption Usage 274
E-mail Security Using Cryptography 274
Protocols and Standards 275
Pretty Good Privacy (PGP) 275
Secure/Multipurpose Internet Mail Extension (S/MIME) 275
Internet and Network Security 275
IPSec 275
SSL/TLS 276
References 276
Sample Questions 277
Physical (Environmental) Security Paul Hansford, CISSP 281
Introduction 281
CISSP Expectations 282
Physical (Environmental) Security Challenges 282
Threats and Vulnerabilities 283
Threat Types 283
Vulnerabilities 285
Site Location 285
Site Fabric and Infrastructure 285
The Layered Defense Model 286
Physical Considerations 287
Working with Others to Achieve Physical and Procedural Security 287
Physical and Procedural Security Methods, Tools, and Techniques 288
Procedural Controls 288
Infrastructure Support Systems 290
Fire Prevention, Detection, and Suppression 290
Boundary Protection 292
Building Entry Points 293
Keys and Locking Systems 293
Walls, Doors, and Windows 295
Access Controls 296
Closed-Circuit Television (CCTV) 296
Intrusion Detection Systems 298
Portable Device Security 299
Asset and Risk Registers 299
Information Protection and Management Services 300
Managed Services 300
Audits, Drills, Exercises, and Testing 300
Vulnerability and Penetration Tests 301
Maintenance and Service Issues 301
Education, Training, and Awareness 301
Summary 302
References 302
Sample Questions 303
Security Architecture and Design William Lipiczky, CISSP 307
Introduction 307
CISSP Expectations 307
Security Architecture and Design Components and Principles 308
Security Frameworks: ISO/IEC 17799:2005, BS 7799:2, ISO 270001 308
Design Principles 309
Diskless Workstations, Thin Clients, and Thin Processing 309
Operating System Protection 310
Hardware 311
Personal Digital Assistants (PDAs) and Smart Phones 314
Central Processing Unit (CPU) 315
Storage 316
Input/Output Devices 318
Communications Devices 319
Networks and Partitioning 319
Software 320
Operating Systems 320
Application Programs 321
Processes and Threads 322
Firmware 323
Trusted Computer Base (TCB) 323
Reference Monitor 324
Security Models and Architecture Theory 324
Lattice Models 324
State Machine Models 325
Research Models 325
Noninterference Models 325
Information Flow Models 325
Bell-LaPadula Confidentiality Model 325
Biba Integrity Model 326
Clark-Wilson Integrity Model 326
Access Control Matrix and Information Flow Models 327
Information Flow Models 328
Graham-Denning Model 328
Harrison-Ruzzo-Ullman Model 328
Brewer-Nash (Chinese Wall) 328
Security Product Evaluation Methods and Criteria 329
Rainbow Series 329
Trusted Computer Security Evaluation Criteria (TCSEC) 329
Information Technology Security Evaluation Criteria (ITSEC) 330
Common Criteria 331
Software Engineering Institute's Capability Maturity Model Integration (SEI-CMMI) 331
Certification and Accreditation 332
Sample Questions 332
Business Continuity and Disaster Recovery Planning Carl B. Jackson, CISSP 337
Introduction 337
CISSP Expectations 338
Core Information Security Principles: Availability, Integrity, Confidentiality (AIC) 339
Why Continuity Planning? 339
Reality of Terrorist Attack 339
Natural Disasters 340
Internal and External Audit Oversight 340
Legislative and Regulatory Requirements 340
Industry and Professional Standards 341
NFPA 1600 341
ISO 17799 341
Defense Security Service (DSS) 341
National Institute of Standards and Technology (NIST) 341
Good Business Practice or the Standard of Due Care 341
Enterprise Continuity Planning and Its Relationship to Business Continuity and Disaster Recovery Planning 341
Revenue Loss 342
Extra Expense 343
Compromised Customer Service 343
Embarrassment or Loss of Confidence Impact 343
Hidden Benefits of Continuity Planning 343
Organization of the BCP/DRP Domain Chapter 344
Project Initiation Phase 344
Current State Assessment Phase 345
Design and Development Phase 345
Implementation Phase 345
Management Phase 346
Project Initiation Phase Description 346
Project Scope Development and Planning 346
Executive Management Support 348
BCP Project Scope and Authorization 348
Executive Management Leadership and Awareness 350
Continuity Planning Project Team Organization and Management 351
Disaster or Disruption Avoidance and Mitigation 353
Project Initiation Phase Activities and Tasks Work Plan 354
Current State Assessment Phase Description 354
Understanding Enterprise Strategy, Goals, and Objectives 354
Enterprise Business Processes Analysis 355
People and Organizations 355
Time Dependencies 355
Motivation, Risks, and Control Objectives 355
Budgets 355
Technical Issues and Constraints 356
Continuity Planning Process Support Assessment 356
Threat Assessment 356
Risk Management 358
Business Impact Assessment (BIA) 359
Benchmarking and Peer Review 362
Sample Current State Assessment Phase Activities and Tasks Work Plan 363
Development Phase Description 363
Recovery Strategy Development 363
Work Plan Development 366
Develop and Design Recovery Strategies 366
Data and Software Backup Approaches 369
DRP Recovery Strategies for IT 370
BCP Recovery Strategies for Enterprise Business Processes 371
Developing Continuity Plan Documents and Infrastructure Strategies 373
Developing Testing/Maintenance/Training Strategies 373
Plan Development Phase Description 374
Building Continuity Plans 375
Contrasting Crisis Management and Continuity Planning Approaches 379
Building Crisis Management Plans 379
Testing/Maintenance/Training Development Phase Description 381
Developing Continuity and Crisis Management Process Training and Awareness Strategies 386
Sample Phase Activities and Tasks Work Plan 386
Implementation Phase Description 386
Analyze CPPT Implementation Work Plans 386
Program Short- and Long-Term Testing 388
Continuity Plan Testing (Exercise) Procedure Deployment 388
Program Training, Awareness, and Education 391
Emergency Operations Center (EOC) 392
Management Phase Description 392
Program Oversight 392
Continuity Planning Manager Roles and Responsibilities 392
Terminology 395
References 398
Sample Questions 398
Addressing Legislative Compliance within Business Continuity Plans Rebecca Herold, CISSP 401
HIPAA 401
GLB 402
Patriot Act 402
Other Issues 404
OCC Banking Circular 177 404
Telecommunications and Network Security Alec Bass, CISSP Peter Berlich, CISSP-ISSMP
Introduction 407
CISSP Expectations 408
Basic Concepts 408
Network Models 408
OSI Reference Model 409
TCP/IP Model 413
Network Security Architecture 414
The Role of the Network in IT Security 414
Network Security Objectives and Attack Modes 416
Methodology of an Attack 419
Network Security Tools 421
Physical Layer 423
Concepts and Architecture 423
Communication Technology 423
Network Topology 424
Technology and Implementation 427
Cable 427
Twisted Pair 428
Coaxial Cable 429
Fiber Optics 429
Patch Panels 430
Modems 430
Wireless Transmission Technologies 431
Data-Link Layer 433
Concepts and Architecture 433
Architecture 433
Transmission Technologies 434
Technology and Implementation 441
Ethernet 441
Wireless Local Area Networks 445
Address Resolution Protocol (ARP) 450
Point-to-Point Protocol (PPP) 450
Network Layer 450
Concepts and Architecture 450
Local Area Network (LAN) 450
Wide Area Network (WAN) Technologies 452
Metropolitan Area Network (MAN) 462
Global Area Network (GAN) 463
Technology and Implementation 464
Routers 464
Firewalls 464
End Systems 468
Internet Protocol (IP) 471
Virtual Private Network (VPN) 475
Tunneling 479
Dynamic Host Configuration Protocol (DHCP) 479
Internet Control Message Protocol (ICMP) 480
Internet Group Management Protocol (IGMP) 481
Transport Layer 482
Concepts and Architecture 482
Transmission Control Protocol (TCP) 483
User Datagram Protocol (UDP) 484
Technology and Implementation 484
Scanning Techniques 484
Denial of Service 486
Session Layer 486
Concepts and Architecture 486
Technology and Implementation 486
Remote Procedure Calls 486
Directory Services 487
Access Services 493
Presentation Layer 495
Concepts and Architecture 495
Technology and Implementation 496
Transport Layer Security (TLS) 496
Application Layer 497
Concepts and Architecture 497
Technology and Implementation 497
Asynchronous Messaging (E-mail and News) 497
Instant Messaging 502
Data Exchange (World Wide Web) 506
Peer-to-Peer Applications and Protocols 512
Administrative Services 512
Remote-Access Services 514
Information Services 517
Voice-over-IP (VoIP) 518
General References 520
Sample Questions 521
Endnotes 525
Application Security Robert M. Slade, CISSP 537
Domain Description and Introduction 537
Current Threats and Levels 537
Application Development Security Outline 538
Expectation of the CISSP in This Domain 539
Applications Development and Programming Concepts and Protection 540
Current Software Environment 541
Open Source 542
Full Disclosure 543
Programming 543
Process and Elements 544
The Programming Procedure 545
The Software Environment 547
Threats in the Software Environment 549
Buffer Overflow 549
Citizen Programmers 550
Covert Channel 550
Malicious Software (Malware) 551
Malformed Input Attacks 551
Memory Reuse (Object Reuse) 551
Executable Content/Mobile Code 551
Social Engineering 552
Time of Check/Time of Use (TOC/TOU) 553
Trapdoor/Backdoor 553
Application Development Security Protections and Controls 554
System Life Cycle and Systems Development 554
Systems Development Life Cycle (SDLC) 555
Software Development Methods 561
Java Security 564
Object-Oriented Technology and Programming 566
Object-Oriented Security 568
Distributed Object-Oriented Systems 569
Software Protection Mechanisms 571
Security Kernels 571
Processor Privilege States 571
Security Controls for Buffer Overflows 573
Controls for Incomplete Parameter Check and Enforcement 573
Memory Protection 574
Covert Channel Controls 575
Cryptography 575
Password Protection Techniques 575
Inadequate Granularity of Controls 576
Control and Separation of Environments 576
Time of Check/Time of Use (TOC/TOU) 577
Social Engineering 577
Backup Controls 577
Software Forensics 578
Mobile Code Controls 580
Programming Language Support 582
Audit and Assurance Mechanisms 582
Information Integrity 583
Information Accuracy 583
Information Auditing 583
Certification and Accreditation 584
Information Protection Management 584
Change Management 585
Configuration Management 586
Malicious Software (Malware) 586
Malware Types 589
Viruses 589
Worms 592
Hoaxes 593
Trojans 593
Remote-Access Trojans (RATs) 595
DDoS Zombies 596
Logic Bombs 596
Spyware and Adware 597
Pranks 597
Malware Protection 598
Scanners 599
Activity Monitors 599
Change Detection 599
Antimalware Policies 600
Malware Assurance 601
The Database and Data Warehousing Environment 602
DBMS Architecture 602
Hierarchical Database Management Model 604
Network Database Management Model 605
Relational Database Management Model 605
Object-Oriented Database Model 609
Database Interface Languages 609
Open Database Connectivity (ODBC) 609
Java Database Connectivity (JDBC) 610
eXtensible Markup Language (XML) 610
Object Linking and Embedding Database (OLE DB) 611
Accessing Databases through the Internet 612
Data Warehousing 613
Metadata 614
Online Analytical Processing (OLAP) 616
Data Mining 616
Database Vulnerabilities and Threats 617
DBMS Controls 620
Lock Controls 621
Other DBMS Access Controls 622
View-Based Access Controls 622
Grant and Revoke Access Controls 622
Security for Object-Oriented (OO) Databases 623
Metadata Controls 623
Data Contamination Controls 623
Online Transaction Processing (OLTP) 623
Knowledge Management 624
Web Application Environment 626
Web Application Threats and Protection 627
Summary 628
References 629
Sample Questions 629
Operations Security Sean M. Price, CISSP 633
Introduction 633
Privileged Entity Controls 633
Operators 633
Ordinary Users 634
System Administrators 635
Security Administrators 637
File Sensitivity Labels 637
System Security Characteristics 637
Clearances 637
Passwords 637
Account Characteristics 638
Security Profiles 638
Audit Data Analysis and Management 639
System Accounts 640
Account Management 640
Resource Protection 642
Facilities 642
Hardware 642
Software 644
Documentation 644
Threats to Operations 645
Disclosure 645
Destruction 645
Interruption and Nonavailability 645
Corruption and Modification 645
Theft 645
Espionage 646
Hackers and Crackers 646
Malicious Code 646
Control Types 646
Preventative Controls 646
Detective Controls 646
Corrective Controls 647
Directive Controls 647
Recovery Controls 647
Deterrent Controls 647
Compensating Controls 647
Control Methods 648
Separation of Responsibilities 648
Least Privilege 648
Job Rotation 648
Need to Know 648
Security Audits and Reviews 649
Supervision 649
Input/Output Controls 650
Antivirus Management 650
Media Types and Protection Methods 650
Object Reuse 651
Sensitive Media Handling 653
Marking 653
Handling 653
Storing 653
Destruction 653
Declassification 654
Misuse Prevention 654
Record Retention 655
Continuity of Operations 655
Fault Tolerance 656
Data Protection 657
Software 659
Hardware 660
Communications 660
Facilities 661
Problem Management 663
System Component Failure 664
Power Failure 664
Telecommunications Failure 664
Physical Break-In 664
Tampering 664
Production Delay 665
Input/Output Errors 665
System Recovery 667
Intrusion Detection System 668
Vulnerability Scanning 668
Business Continuity Planning 669
Change Control Management 669
Configuration Management 670
Production Software 671
Software Access Control 671
Change Control Process 672
Requests 672
Impact Assessment 672
Approval/Disapproval 672
Build and Test 672
Notification 673
Implementation 673
Validation 673
Documentation 673
Library Maintenance 673
Patch Management 673
Summary 677
References 677
Sample Questions 678
Legal, Regulations, Compliance and Investigations Marcus K. Rogers, Ph.D., CISSP 683
Introduction 683
CISSP Expectations 684
Major Legal Systems 685
Common Law 686
Criminal Law 687
Tort Law 687
Administrative Law 687
Civil Law 688
Customary Law 688
Religious Law 689
Mixed Law 689
Information Technology Laws and Regulations 690
Intellectual Property Laws 690
Patent 690
Trademark 690
Copyright 691
Trade Secret 691
Licensing Issues 691
Privacy 692
Liability 694
Computer Crime 695
International Cooperation 697
Incident Response 698
Response Capability 699
Incident Response and Handling 700
Triage 700
Investigative Phase 701
Containment 701
Analysis and Tracking 702
Recovery Phase 703
Recovery and Repair 704
Debriefing/Feedback 704
Computer Forensics 705
Crime Scene 707
Digital/Electronic Evidence 708
General Guidelines 709
Conclusions 710
References 712
Sample Questions 715
Answers to Sample Questions 719
Information Security and Risk Management 719
Access Control 724
Cryptography 728
Physical (Environmental) Security 731
Security Architecture and Design 734
Business Continuity and Disaster Recovery Planning 737
Telecommunications and Network Security 740
Application Security 746
Operations Security 748
Legal, Regulations, Compliance and Investigation 752
Certified Information Systems Security Professional (CISSP) Candidate Information Bulletin 757
Information Security and Risk Management 758
Overview 758
Key Areas of Knowledge 759
Access Control 759
Overview 759
Key Areas of Knowledge 760
Cryptography 760
Overview 760
Key Areas of Knowledge 760
Physical (Environmental) Security 760
Overview 760
Key Areas of Knowledge 761
Security Architecture and Design 761
Overview 761
Key Areas of Knowledge 761
Business Continuity and Disaster Recovery Planning 762
Overview 762
Key Areas of Knowledge 762
Telecommunications and Network Security 763
Overview 763
Key Areas of Knowledge 763
Application Security 764
Overview 764
Key Areas of Knowledge 764
Operations Security 764
Overview 764
Key Areas of Knowledge 764
Legal, Regulations, Compliance and Investigations 765
Overview 765
Key Areas of Knowledge 765
References 766
General Examination Information 770
Glossary 775
Index 1023