資訊安全 >> 課程介紹
Certified in Information Systems Security Professional
CISSP 資訊安全認證課程
課程代碼
SP-CISSP
課程天數
5 天​
​課程概要
課程基於 (ISC)² CISSP CBK 包含的數種資訊安全議題如下八大領域:
  • 安全與風險管理 (安全、風險、合規、法律、法規、業務連續性)
  • 資產安全 (保護資產的安全性)
  • 安全工程 (安全工程與管理)
  • 通訊與網絡安全 (設計和保護網絡安全)
  • 身份與訪問管理 (訪問控制和身份管理)
  • 安全評估與測試 (設計、執行和分析安全測試)
  • 安全運營 (基本概念、調查、事件管理、災難恢復)
  • 軟體開發安全 (理解、應用、和實施軟體安全)
學習目標和取得技能
完成本課程後,您將能夠:
習得CISSP CBK®八大知識領域所需具備的相關知識,涵蓋風險管理、雲計算、移動安全、應用開發安全等關鍵安全議題。
教學方式
中文講師指導課程
教材與實驗
講師自編英文教材
課程適合對象
  • 資訊安全經理
  • 資訊技術經理
  • 安全經理
  • 安全顧問
  • 安全審計師
  • 安全架構師
  • 安全分析師
  • 安全系統工程師
  • 網絡架構師
前備知識
課前與考前建議先備之知識與技能
  • 欲參加CISSP考生必須在 (ISC)² CISSP CBK 八大知識域中的至少兩個或兩個以上領域,擁有至少5年全職工作經驗。
  • 擁有4年大學本科學歷或同等學歷,以及 (ISC)² 認可的其它證書可以抵免一年的工作經驗。所有教育學位最多只能抵免一年工作經驗。
  • 沒有滿足CISSP所需工作經驗的考生,如果能夠通過CISSP考試則可以成為 (ISC)² 的準會員(Associate)。 (ISC)² 的準會員可以用接下來的6年時間積累所需工作經驗。
課程大綱
The CISSP Exam Preparation Course comprises ten primary sections, covering the following topics:
  • General Examination Information
  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering Communication and Network Security
  • Identity and Access Management (IAM) Security Assessment and Testing
  • Security Operations
  • Software Development Security
  • Examination Practice
Typically, each day of the course will cover a 1 - 2 CISSP domain, using lecture, group activities and practice questions.
1. Introduction
  • Students & Trainer Introduction
  • Who Should Take This Course?
  • About (ISC)2
  • CISSP Certification
  • CISSP Examination
  • CBK Review, Domain and Function Areas
2. Security & Risk Management
  • Understand and apply concepts of confidentiality, integrity, and availability
  • Evaluate and apply security governance principles
  • Alignment of security function to business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Organizational roles and responsibilities
  • Security control frameworks
  • Due care/due diligence
  • Determine compliance requirements
  • Contractual, legal, industry standards, and regulatory requirements
  • Privacy requirements
  • Understand legal and regulatory issues that pertain to information security in a global context
  • Cyber crimes and data breaches
  • Licensing and intellectual property requirements
  • Import/export controls
  • Trans-border data flow
  • Privacy
  • Understand, adhere to, and promote professional ethics
  • (ISC)² Code of Professional Ethics
  • Organizational code of ethics
  • Develop, document, and implement security policy, standards, procedures, and guidelines
  • Identify, analyze, and prioritize Business Continuity (BC) requirements
  • Develop and document scope and plan
  • Business Impact Analysis (BIA)
  • Contribute to and enforce personnel security policies and procedures
  • Candidate screening and hiring
  • Employment agreements and policies
  • Onboarding and termination processes
  • Vendor, consultant, and contractor agreements and controls
  • Compliance policy requirements
  • Privacy policy requirements
  • Understand and apply risk management concepts
  • Identify threats and vulnerabilities
  • Risk assessment/analysis
  • Risk response
  • Countermeasure selection and implementation
  • Applicable types of controls (e.g., preventive, detective, corrective)
  • Security Control Assessment (SCA)
  • Monitoring and measurement
  • Asset valuation
  • Reporting
  • Continuous improvement
  • Risk frameworks
  • Understand and apply threat modeling concepts and methodologies
  • Threat modeling methodologies
  • Threat modeling concepts
  • Apply risk-based management concepts to the supply chain
  • Risks associated with hardware, software, and services
  • Third-party assessment and monitoring
  • Minimum security requirements
  • Service-level requirements
  • Establish and maintain a security awareness, education, and training program
  • Methods and techniques to present awareness and training
  • Periodic content reviews
  • Program effectiveness evaluation
3. Asset Security
  • Identify and classify information and assets
  • Data classification
  • Asset Classification
  • Determine and maintain information and asset ownership
  • Protect privacy
  • Data owners
  • Data processors
  • Data remanence
  • Collection limitation
  • Ensure appropriate asset retention
  • Determine data security controls
  • Understand data states
  • Scoping and tailoring
  • Standards selection
  • Data protection methods
  • Establish information and asset handling requirements
4. Security Architecture and Engineering
  • Implement and manage engineering processes using secure design principles
  • Understand the fundamental concepts of security models
  • Select controls based upon systems security requirements
  • Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
  • Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
  • Client-based systems
  • Server-based systems
  • Database systems
  • Cryptographic systems
  • Industrial Control Systems (ICS)
  • Cloud-based systems
  • Distributed systems
  • Internet of Things (IoT)
  • Assess and mitigate vulnerabilities in web-based systems
  • Assess and mitigate vulnerabilities in mobile systems
  • Assess and mitigate vulnerabilities in embedded devices
  • Apply cryptography
  • Cryptographic life cycle (e.g., key management, algorithm selection)
  • Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
  • Public Key Infrastructure (PKI)
  • Key management practices
  • Digital signatures
  • Non-repudiation
  • Integrity (e.g., hashing)
  • Understand methods of cryptanalytic attacks
  • Digital Rights Management (DRM)
  • Apply security principles to site and facility design
  • Implement site and facility security controls
  • Wiring closets/intermediate distribution facilities
  • Server rooms/data centers
  • Media storage facilities
  • Evidence storage
  • Restricted and work area security
  • Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
  • Environmental issues
  • Fire prevention, detection, and suppression
5. Communication & Network Security
  • Implement secure design principles in network architectures
  • Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
  • Internet Protocol (IP) networking
  • Implications of multilayer protocols
  • Converged protocols
  • Software-defined networks
  • Wireless networks
  • Secure network components
  • Operation of hardware
  • Transmission media
  • Network Access Control (NAC) devices
  • Endpoint security
  • Content-distribution networks
  • Implement secure communication channels according to design
  • Voice
  • Multimedia collaboration
  • Remote access
  • Data communications
  • Virtualized networks
6. Identity & Access Management
  • Control physical and logical access to assets
   1. Information
   2. Systems
   3. Devices
   4. Facilities
  • Manage identification and authentication of people, devices, and services
  • Identity management implementation
  • Single/multi-factor authentication
  • Accountability
  • Session management
  • Registration and proofing of identity
  • Federated Identity Management (FIM)
  • Credential management systems
  • Integrate identity as a third-party service
  • On-premise
  • Cloud
  • Federated
  • Implement and manage authorization mechanisms
  • Role Based Access Control (RBAC)
  • Rule-based access control
  • Mandatory Access Control (MAC)
  • Discretionary Access Control (DAC)
  • Attribute Based Access Control (ABAC)
  • Manage the identity and access provisioning lifecycle
  • User access review
  • System account access review
  • Provisioning and deprovisioning
7. Security Assessment & Testing
  • Design and validate assessment, test, and audit strategies
  • Internal
  • External
  • Third-party
  • Conduct security control testing
  • Vulnerability assessment
  • Penetration testing
  • Log reviews
  • Synthetic transactions
  • Code review and testing
  • Misuse case testing
  • Test coverage analysis
  • Interface testing
  • Collect security process data (e.g., technical and administrative)
  • Account management
  • Management review and approval
  • Key performance and risk indicators
  • Backup verification data
  • Training and awareness
  • Disaster Recovery (DR) and Business Continuity (BC)
  • Analyze test output and generate report
  • Conduct or facilitate security audits
  • Internal
  • External
  • Third-party
8. Security Operations
  • Understand and support investigations
  • Evidence collection and handling
  • Reporting and documentation
  • Investigative techniques
  • Digital forensics tools, tactics, and procedures
  • Understand requirements for investigation types
  • Administrative
  • Criminal
  • Civil
  • Regulatory
  • Industry standards
  • Conduct logging and monitoring activities
  • Intrusion detection and prevention
  • Security Information and Event Management (SIEM)
  • Continuous monitoring
  • Egress monitoring
  • Securely provisioning resources
  • Asset inventory
  • Asset management
  • Configuration management
  • Understand and apply foundational security operations concepts
  • Need-to-know/least privileges
  • Separation of duties and responsibilities
  • Privileged account management
  • Job rotation
  • Information lifecycle
  • Service Level Agreements (SLA)
  • Apply resource protection techniques
  • Media management
  • Hardware and software asset management
  • Conduct incident management
  • Detection
  • Response
  • Mitigation
  • Reporting
  • Recovery
  • Remediation
  • Lessons learned
  • Operate and maintain detective and preventative measures
  • Firewalls
  • Intrusion detection and prevention systems
  • Whitelisting/blacklisting
  • Third-party provided security services
  • Sandboxing
  • Honeypots/honeynets
  • Anti-malware
  • Implement and support patch and vulnerability management
  • Understand and participate in change management processes
  • Implement recovery strategies
  • Backup storage strategies
  • Recovery site strategies
  • Multiple processing sites
  • System resilience, high availability, Quality of Service (QoS), and fault tolerance
  • Implement Disaster Recovery (DR) processes
  • Response
  • Personnel
  • Communications
  • Assessment
  • Restoration
  • Training and awareness
  • Test Disaster Recovery Plans (DRP)
  • Read-through/tabletop
  • Walkthrough
  • Simulation
  • Parallel
  • Full interruption
  • Participate in Business Continuity (BC) planning and exercises
  • Implement and manage physical security
  • Perimeter security controls
  • Internal security controls
  • Address personnel safety and security concerns
  • Travel
  • Security training and awareness
  • Emergency management
  • Duress
9. Software Development Security
  • Understand and integrate security in the Software Development Life Cycle (SDLC)
  • Development methodologies
  • Maturity models
  • Operation and maintenance
  • Change management
  • Integrated product team
  • Identify and apply security controls in development environments
  • Security of the software environments
  • Configuration management as an aspect of secure coding
  • Security of code repositories
  • Assess the effectiveness of software security
  • Auditing and logging of changes
  • Risk analysis and mitigation
  • Assess security impact of acquired software
  • Define and apply secure coding guidelines and standards
  • Security weaknesses and vulnerabilities at the source-code level
  • Security of application programming interfaces
  • Secure coding practices
推薦課程
   
© 2018-2020 TRAINOCATE or its affiliates. All rights reserved.
創能資訊有限公司 | Trainocate Taiwan Co. Ltd. 台北市中山區復興南路一段2號9樓