(ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, 2nd Edition

By (author) Mike Wills
Description

The only SSCP study guide officially approved by (ISC)2

The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is a well-known vendor-neutral global IT security certification. The SSCP is designed to show that holders have the technical skills to implement, monitor, and administer IT infrastructure using information security policies and procedures.

This comprehensive Official Study Guide—the only study guide officially approved by (ISC)2—covers all objectives of the seven SSCP domains.

  • Access Controls
  • Security Operations and Administration
  • Risk Identification, Monitoring, and Analysis
  • Incident Response and Recovery
  • Cryptography
  • Network and Communications Security
  • Systems and Application Security

If you’re an information security professional or student of cybersecurity looking to tackle one or more of the seven domains of the SSCP, this guide gets you prepared to pass the exam and enter the information security workforce with confidence. 


Table of contents

Foreword

Introduction

Self-Assessment

Part I Getting Started as an SSCP

Chapter 1 The Business Case for Decision Assurance and Information Security

Information: The Lifeblood of Business

Data, Information, Knowledge, Wisdom…

Information Is Not Information Technology

Policy, Procedure, and Process: How Business Gets Business Done

Who Is the Business?

“What’s Your Business Plan?”

Purpose, Intent, Goals, Objectives

Business Logic and Business Processes: Transforming Assets into Opportunity, Wealth, and Success

The Value Chain

Being Accountable

Who Runs the Business?

Owners and Investors

Boards of Directors

Managing or Executive Directors and the “C-Suite”

Layers of Function, Structure, Management, and Responsibility

Plans and Budgets, Policies, and Directives

Summary

Chapter 2 Information Security Fundamentals

The Common Needs for Privacy, Confidentiality, Integrity, and Availability

Privacy

Confidentiality

Integrity

Availability

Privacy vs. Security, or Privacy and Security?

CIA Needs of Individuals

Private Business’s Need for CIA

Government’s Need for CIA

The Modern Military’s Need for CIA

Do Societies Need CIA?

Training and Educating Everybody

SSCPs and Professional Ethics

Summary

Exam Essentials

Review Questions

Part II Integrated Risk Management and Mitigation

Chapter 3 Integrated Information Risk Management

It’s a Dangerous World

What Is Risk?

Risk: When Surprise Becomes Disruption

Information Security: Delivering Decision Assurance

“Common Sense” and Risk Management

The Four Faces of Risk

Outcomes-Based Risk

Process-Based Risk

Asset-Based Risk

Threat-Based (or Vulnerability-Based) Risk

Getting Integrated and Proactive with Information Defense

Trust, but Verify

Due Care and Due Diligence: Whose Jobs Are These?

Be Prepared: First, Set Priorities

Risk Management: Concepts and Frameworks

The SSCP and Risk Management

Plan, Do, Check, Act

Risk Assessment

Establish Consensus about Information Risk

Information Risk Impact Assessment

The Business Impact Analysis

From Assessments to Information Security Requirements

Four Choices for Limiting or Containing Damage

Deter

More Information
Author: Mike Wills
Date of Publication: Jun 7, 2019
EAN: 9781119542940
Contributors: Mike Wills; Wills, M
Publisher: Sybex Inc., U.S.
Languages: English
Country of Publication: United States
Width: 191 mm
Height: 244 mm
Thickness: 35 mm
Product Forms: Paperback / Softback
Weight: 0.924000