CISSP CBK Topics and Objectives
CISSP CBK 4.0 Review Materials Series, Part 2
CISSP CBK 4.0 Topics and Objectives (Chinese-English Parallel Edition)
Translated and compiled by 樊山

Domain 1 — Security and Risk Management

TOPICS
- The concepts of confidentiality, integrity, and availability
- Security governance principles
- Compliance
- Legal and regulatory issues
- Documented security policy, standards, procedures, and guidelines
- Business continuity requirements
- Personnel security policies
- Risk management concepts
- Threat modeling
- Integrating security risk considerations into acquisitions strategy and practice
- Security education, training, and awareness

OBJECTIVES
- Understand and apply concepts of confidentiality, integrity, and availability.
- Apply security governance principles through compliance.
- Understand legal and regulatory issues that pertain to information security in a global context.
- Develop and implement documented security policy, standards, procedures, and guidelines.
- Understand business continuity requirements.
- Contribute to personnel security policies.
- Understand and apply risk management concepts.
- Understand and apply threat modeling.
- Integrate security risk considerations into acquisitions strategy and practice.
- Establish and manage security education, training, and awareness.

Domain 2 — Asset Security

TOPICS
- Classify information and supporting assets
  - Sensitivity
  - Criticality
- Determine and maintain ownership
  - Data owners
  - System owners
  - Business/Mission owners
- Protect privacy
  - Data owners
  - Data processes
  - Data remanence
- Ensure appropriate retention
  - Media
  - Hardware
  - Personnel
- Determine data security controls
  - Data at rest
  - Data in transit
  - Baselines
  - Scoping and tailoring
  - Standards selection
  - Cryptography
- Establish handling requirements
  - Markings
  - Labels
  - Storage
  - Destruction of sensitive information

OBJECTIVES
- Classify information and supporting assets
- Determine and maintain ownership
- Protect privacy
- Ensure appropriate retention
- Determine data security controls
- Establish handling requirements

Domain 3 — Security Engineering

TOPICS
- Implement and manage an engineering lifecycle using security design principles
- Fundamental concepts of security models
- Controls and countermeasures based upon information systems security standards
- Security capabilities of information systems
- Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
  - Client-based (e.g., applets, local caches)
  - Server-based (e.g., data flow control)
  - Database security
  - Large scale parallel data systems
  - Distributed systems (e.g., cloud computing, grid computing, peer to peer)
  - Cryptographic systems
- Vulnerabilities in Web-based systems
- Vulnerabilities in mobile systems
- Vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices)
- Cryptography
  - Cryptographic lifecycle
  - Cryptographic types (e.g., symmetric, asymmetric, elliptic curves)
  - Public key infrastructure (PKI)
  - Key management practices
  - Digital signatures
  - Digital rights management (DRM)
  - Non-repudiation
  - Integrity (hashing and salting)
  - Methods of cryptanalytic attacks (e.g., brute force, cipher-text only, known plaintext)
- Apply secure principles to site and facility design
- Facility security
  - Wiring closets
  - Server room
  - Media and storage facilities
  - Evidence storage
  - Restricted and work area security (e.g., operations center)
  - Data center security
  - Utilities and HVAC considerations
  - Water issues (e.g., leakage, flooding)
  - Fire prevention, detection, and suppression

OBJECTIVES
- Understand the engineering lifecycle and apply security design principles
- Understand the fundamental concepts of security models
- Select controls and countermeasures based upon information systems security standards
- Understand the security capabilities of information systems
- Assess and mitigate the vulnerabilities of:
  - Security architectures, designs, and solution elements
  - Web-based systems
  - Mobile systems
  - Embedded devices and cyber-physical systems
- Apply cryptography
- Apply secure principles to site and facility design
- Design and implement facility security