With a legacy that runs decades, the CISSP certification has earned its place as a requirement for mid to senior information security professionals. This is a much needed certification to unlock the highest paying jobs in the industry. See below for CISSP 2018 Update exam details.
What is it worth? If you’ve been a hands-on admin for most of your career, you’ll find this certification process frustrating. It becomes worth it on the other side when it starts opening doors for you. Don’t be surprised if you get hits from recruiters after getting this certification. Part of this reason is you need 5 years of experience and meet their endorsement requirements to finally hold the certification in your hand.
Table of Contents
Exam Structure
- Number of Questions: 100 questions (150 max)
- Duration: 180 minute duration, a little under 2 minutes to a little over a minute per question, depending on length of exam
- Score Range: 100-1000
- Passing Score: 700 (70%, not including experimental questions)
- Types of Questions:
- Multiple Choice – can have more than one answer
- Ordering – place blocks of text in order
- Matching – match text on left to text on right
Exam Domains
The examination covers a broad range of security domains to help you to learn more about the management of effective cybersecurity programs.
- Security and Risk Management 15%
- Asset Security 10%
- Security Architecture and Engineering 13%
- Communication and Network Security 14%
- Identity and Access Management (IAM) 13%
- Security Assessment and Testing 12%
- Security Operations 13%
- Software Development Security 10%
Exam History
The CISSP was first created in 1994. Since its release, over 130,000 professionals have earned their CISSP certification in over 170 countries.
In June 2004, the certification was accredited under ISO/IEC 17024:2003. This is the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard for personnel certification.
The CISSP is also an approved certification by the Department of Defense (DoD) to satisfy the DoD 8570 and DoD 8140 directives.
Additional History Links
Study Notes
A current overview of ISC2 CISSP 2018 Update exam.
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
Additional Official CISSP Exam Resources
- Here’s ISC2’s official CISSP Exam Outline.
- Here’s ISC2’s official Acronym Glossary.
- Here’s ISC2’s official Term Glossary.
Exam Tips
This exam mainly evaluates your comprehension of theories and concepts, but you occasionally need to know technical information. This is not a technical certification, though. Don’t expect any hands on lab style questions about implementing enterprise solutions. You aren’t the tech or engineer.
Similarly to CompTIA exams, this exam is vendor neutral but specific products may be mentioned. Unlike CompTIA exams, you must answer questions before moving on since you can’t return to flagged questions.
Take your time and read the question thoroughly, as the correct selection may not be the right answer but the best choice out of the 4 listed multiple choice possibilities.
After the Exam
- Requires endorsement from an existing CISSP holder in good standing. Visit the Endorsement Application page after getting notified via email that you passed.
- If you’re not sure if you have the required 5 years of experience, check out their Experience Requirements page for more details. You’ll be surprised at everything that can waive a year of experience.
- Requires 40 Continued Professional Education (CPEs) every year after passing the exam.
- Annual Maintenance Fee (AMF) starts applying right after passing.
Likely Jobs
- Security Analyst
- Security Auditor
- Security Systems Engineer or Architect
- Network Engineer or Architect
- Security Consultant
- IT and Security Manager
- IT and Security Officer (ISO)
- IT and Security Director
- Chief Information Officer
- Chief Security Officer
- Chief Information Security Officer
If you barely get the certification with 5 years of experience, you won’t be first in line to get some of the director or executive positions. But you can at least identify and forge a path.
Your best bet may be to look for architecture, network team lead, or security analyst roles, as experience and certifications would scale well and allow the CISSP to be a strong differentiator. Strong sectors include funded startups, government contracting, and bank contracting.
CISSP Term Definitions Addendum
| Term | Definition |
|---|---|
| AAA | Authentication, Authorization, Accounting is used to refer to a family of protocols that mediate network access. Two network protocols providing this functionality are particularly popular RADIUS protocol and Diameter. |
| ABAC | Attribute Based Access Control also known as Policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. |
| Accountability | In ethics and governance, accountability is answerability, blameworthiness, liability, and the expectation of account-giving. In IT, it can be achieved by a strong identification and authentication system, a non-modifiable log system to obtain non-repudiation. |
| ACM | Access Control Matrix is a way of representing the right a set of subjects have on a set of objects. It’s represented in an table. |
| AES | Advanced Encryption Standard, is a specification for the encryption of electronic data established by the NIST in 2001. Discussed in domain 3. |
| AFH | Adapting Frequency Hoping is the FHSS method used in Bluetooth. |
| ALE | Annualized Loss Expectancy is third and final step of the quantitative assessment seeks to combine the potential loss and rate per year to determine the magnitude of the risk. |
| AV | Asset Value, is the cost in dollar of an asset. Discussed in Chapter 1. |
| AH | Authentication Header is a member of the IPsec protocol suite. |
| APIPA | Automatic Private IP Addressing is protocol to get an IP when there is no DHCP. It automatically choose an IP in the range 169.254.1.0 to 169.254.254.255. |
| ARO | Annualized Rate of Occurrence is an estimate of how often a threat would be successful in exploiting a vulnerability. |
| ARP | Address Resolution Protocol is used to resolve IP addresses to MAC addresses. |
| ASLR | Address Space Layout Randomization increase security of an OS or a software by randomizing the address space positions of key data areas of a process. |
| ATM | Asynchronous Transfer Mode is a standard for carriage of traffic. It use fixed-size packets. |
| BCP | Business Continuity Planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. |
| BIA | Business Impact Analysis differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. |
| BRP | Business Recovery Planning, a subset of DRP, focus on returning to normal business after recovering from a disaster. |
| BYOD | Bring Your Own Device is a policy that allow users to connect their own device to the company’s network. |
| CALEA | Communications Assistance for Law Enforcement Act, under B.Clinton, 1994. CALEA’s purpose is to enhance the ability of law enforcement agencies to conduct lawful interception of communication by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in capabilities for targeted surveillance . |
| CAPTCHA | Completely Automated Turing test to tell Computer and Human Apart. |
| CBC | Cipher Block Chaining mode employs an IV and chaining to destroy cipher text patterns. Because CBC works in block mode, it decrypt message one block at a time. |
| CCTA | Central Computer and Telecommunication Agency, the UK’s agency that created ITIL. |
| CC | Common Criteria is an international standard (ISO/IEC 15408) for computer security certification. |
| CCMP | Counter Mode Cipher Block Chaining Message Authentication Code Protocol is an encryption protocol designed for Wireless LAN products that implements the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is a cryptographic encapsulation mechanism based upon the Counter Mode with CBC-MAC of the Advanced Encryption Standard (AES) standard. It was created to address the vulnerabilities presented by Wired Equivalent Privacy (WEP), a dated, insecure protocol. |
| CCTV | Closed Circuit Television. |
| CER | Crossover Error Rate is where the ratio of the FRR and the FAR are equal. |
| CFAA | Computer Fraud and Abuse Act is a bill enacted in 1984. The CFAA prohibits the access to a system without authorization. Before this law, the computer or network related crime was prosecuted as mails and wire fraud. |
| CFCE | Certified Forensic Computer Examiner is a certification in computer forensic. |
| CFB | Cipher FeedBack, is a block cipher mode, using a memory buffer to have same size block. It’s retired due to the wait in encoding each block. The Cipher Feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. |
| CFTT | Computer Forensics Tool Testing is a project at the NIST is to establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware. NIST |
| CHAP | Challenge Handshake Authentication Protocol is used to authenticate a user or network host to an authenticating entity. That entity may be, for example, an Internet service provider. |
| CISSP | Certified Information System Security Professional. |
| CMDB | Configuration Management DataBase |
| CMM | Capability Maturity Model |
| CMS | Configuration Management System is a systems engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. |
| Cognitive Password | is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. Typical questions are something like “What the name of your first pet”, etc. |
| COOP | Continuity Of Operation Plan focus on maintenance the business during a disaster. |
| COPPA | Children’s Online Privacy Protection Act of 1998 is a law about the privacy of children under the age of 13. |
| COBIT | Control Objectives for Information and Related Technologies is a good-practice framework created by international professional association ISACA for information technology management and IT governance. |
| Covert Channel | In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. |
| CPA | Critical Path Analysis (or sometimes Critical Path Method (CPM)) is an algorithm for scheduling a set of project activities. It is commonly used in conjunction with the program evaluation and review technique (PERT). |
| CPPT | Continuity Planning Project Team should represent all the stakeholders in the organization, such as HR, the IT department, the physical security department, public relations, and all other personnel responsible for effective business. |
| CRL | Certificate Revocation List is “a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted”. |
| CSMA/CA | Carrier Sense Multiple Access with Collision Avoidance is used by WiFi 802.11. |
| CSMA/CD | Carrier Sense Multiple Access with Collision Detection is used by Ethernet. |
| CTR | Counter is a DES stream cipher mode, where it use a 64bits counter for feedback. It doesn’t propagate error. |
| CVE | Common vulnerabilities and Exposures system provides a reference-method for publicly known information-security vulnerabilities and exposures. The Mitre Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. |
| CVSS | Common Vulnerabilities Scoring System is a free and open industry standard for assessing the severity of computer system security vulnerabilities. |
| CYOD | Choose Your Own Device is a business trend and phenomenon designed to give an organization more control of devices that employees use to handle company data. With CYOD, an organization allows employees to select from specified devices for business usage. External |
| DAC | Discretionary Access Control is an Access Control system that rely on the fact that object can be access regarding subject/group to which they belong. |
| DCCP | Datagram Congestion Control Protocol |
| DCE | Data Circuit-terminating Equipment is a device that sits between the data terminal equipment (DTE) and a data transmission circuit. It is also called data communication(s) equipment and data carrier equipment. Usually, the DTE device is the terminal (or computer), and the DCE is a modem. |
| DDOS | Distributed Deny Of Service attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. |
| DES | Data Encryption Standard is a symmetric-key algorithm for the encryption of electronic data. |
| Diffie Hellman | is a method of securely exchanging cryptographic keys over a public channel. |
| DMCA | Digital Millennium Copyright Act, is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works (commonly known as digital rights management or DRM). |
| DREAD | Damage, Reproductibility, Exploitability, Affected used, Discoverability, is part of a system for risk-assessing computer security threats previously used at Microsoft and although currently used by OpenStack and other corporations. It was abandoned by its creators. |
| DRM | Digital Right Management |
| DRP | Disaster Recovery Plan is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. |
| DSA | Digital Signature Algorithm, is a FIPS for digital signatures. |
| DSS | Digital Signature Standard is a FIPS specifying a suite of algorithms that can be used to generate digital signatures established by the NIST. |
| DTE | Data Terminal Equipment is an end instrument that converts user information into signals or reconverts received signals. These can also be called tail circuits. Usually, the DTE device is the terminal (or computer), and the DCE is a modem. |
| EAL | Evaluation Assurance Level in the CC, is the rating level assign to the Target Of Evaluation. |
| ECB | Electronic Code Book, is an encryption mode, use by DES for example. The disadvantage of this method is a lack of diffusion. Because ECB encrypts identical plaintext blocks into identical ciphertext blocks, it does not hide data patterns well. In some senses, it doesn’t provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all. |
| ECDSA | Elliptic Curve Digital Signature Algorithm is an implementation of DSA that use elliptic curve. |
| ECPA | Electronic Communications Privacy Act is law enacted in 1986 to extend restriction to wiretape. |
| EDRM | Electronic Discovery Reference Model is a ubiquitous diagram that represents a conceptual view of these stages involved in the e-discovery process. Electronic discovery (also e-discovery or ediscovery) refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format (often referred to as electronically stored information or ESI). |
| EF | Exposure Factor, is the subjective, potential percentage (some time noted as 0.8 for 80%) of loss to a specific asset if a specific threat is realized. Discussed in Chapter 1. |
| EMI | Electromagnetic Interference also called RFI when in the radio frequency spectrum, is a disturbance generated by an external source that affects an electrical circuit by electromagnetic induction, electrostatic coupling, or conduction. |
| ESP | Encapsulating Security Payload is a member of the IPsec protocol suite. |
| E0 | is a stream cipher used in the Bluetooth protocol. It generates a sequence of pseudorandom numbers and combines it with the data using the XOR operator. The key length may vary, but is generally 128 bits. It’s a weak cipher. |
| E2EE | End to End Encryption is a system of communication where only the communicating users can read the messages. |
| FAR | False Accept Rate is in biometrics the probability of type II errors or false match rate (FMR). |
| FCRA | Fair Credit Reporting Act was one of the first instances of data protection law passed in the computer age. Key among these innovations was the determination that there should be no secret databases that are used to make decisions about a person’s life. |
| FEMA | Federal Emergency Management Agency have for purpose to coordinate the response to a disaster that has occurred in the United States and that overwhelms the resources of local and state authorities. The governor of the state in which the disaster occurs must declare a state of emergency and formally request from the president that FEMA and the federal government respond to the disaster. |
| FERPA | Family Educational Right and Privacy Act cover the right for parents to have access to their child’s education data. |
| FHSS | Frequency Hopping Spread Spectrum is a method of changing frequency during a communication, using a sequence known only from the authorized device/person. Bluetooth do it through AFH. |
| FIPS | Federal Information Processing Standards are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors. FIPS publications do not apply to national security systems (as defined in FISMA). FIPS publications may be adopted and used by non-federal government organizations and private sector organizations. |
| FISA | Foreign Intelligence Surveillance Act, regulate the use of electronic surveillance. |
| FISMA | Federal Information Security Management Act. A 2002 Act. The act recognized the importance of information security to the economic and national security interests of the United States. |
| FM200 | is a gas used in datacenter to to remove fire without destroying the equipment. |
| Fraggle Attack | is a DDOS based on UDP and target’s IP spoofing. |
| Frame Relay | is a standardized technology that specifies the physical and data link layers of digital telecommunications channels using a packet switching methodology. |
| FRR | False Reject Rate is in biometrics the probability of type I errors or false non-match rate (FNMR) |
| GDPR | General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). |
| GLBA | Gramm–Leach–Bliley Act repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the bipartisan passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. |
| HIDS | Host-based Intrusion Detection System is an IDS installed on a host. |
| HIPAA | Health Insurance Portability and Accountability Act was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. |
| HITECH | Health Information Technology for Economic and Technical Health is an act that include new regulation and compliance requirement to the HIPAA act. |
| HMAC | Hash-based Message Authentication Code is a hashing method with a password. |
| HTTP | HyperText Transfer Protocol, OSI layer 7 protocol |
| IACIS | International Association of Computer Investigative Specialists has been providing computer Forensic Training for over 27 years. |
| HVAC | Heating, Ventilation and Air Conditioning. |
| IaaS | Infrastructure as a Service, is when a provider allow customer to install VM, manage network, etc. |
| IANA | Internet Assigned Number Authority is a function of ICANN, a nonprofit private American corporation that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and Internet numbers. |
| IDEAL | Initial Diagnose Establish Action Leverage |
| IDS | Intrusion Detection System. |
| IEEE | Institute of Electrical and Electronic Engineers. |
| IEEE 802 | Institute of Electrical and Electronic Engineers 802 is a family of IEEE standards dealing with local area networks and metropolitan area networks. |
| IEEE 802.11 | IEEE802.11 is part of the IEEE 802 set of LAN protocols, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing WLAN, Wi-Fi. |
| IEEE 802.15 | Bluetooth. |
| IKE | Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite. |
| IPComp | IP Payload Compression Protocols is a low level compression protocol for IP datagrams. |
| IPS | Intrusion Prevention System. |
| IPsec | IP Security is a secure network protocol suite that authenticates and encrypts the packets of data sent over an internet protocol network. |
| ISA | Interconnect Security Agreement. |
| ITADA | Fraud related to activity in connection with identification documents, authentication features, and information”). The statute now makes the possession of any “means of identification” to “knowingly transfer, possess, or use without lawful authority” a federal crime, alongside unlawful possession of identification documents. |
| ITIL | Information Technology Infrastructure Library is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. It was created in the 1980s by CCTA from a request from the UK gov. |
| ITSEC | Information Technology Security Evaluation Criteria, is a structured set of criteria for evaluating computer security within products and systems. The ITSEC was first published in May 1990 in France, Germany, the Netherlands, and the United Kingdom based on existing work in their respective countries. |
| ITU | International Telecommunication Union is a specialized agency of the United Nations (UN) that is responsible for issues that concern information and communication technologies. |
| ISACA | Information System Audit and Control Association is an international professional association focused on IT governance. It created COBIT. |
| ISAKMP | Internet Security Association and Key Management Protocol is a protocol defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet environment. |
| ISC2 | International Information Systems Security Certification Consortium, a non-profit group with the primary goal to provide training and certifications in the IT Security field. www.isc2.org |
| ITAM | IT Asset Management introduces financial aspects of the asset – cost, value and contractual status. ITAM also refers to full lifecycle management of the asset. ITAM is designed to manage the physical, contractual and financial aspects of the asset. |
| IV | Initialization vector. |
| KDC | Key Distribution Center is authentication server in a Kerberos network. |
| L2TP | Layer 2 Tunneling Protocol is a Layer 2 tunneling protocol used to support VPNs or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy. |
| LCP | Link Control Protocol, forms part of the PPP, within the family of Internet protocols. In setting up PPP communications, both the sending and receiving devices send out LCP packets to determine the standards of the ensuing data transmission. |
| LLC | Logical Link Control is a layer 2 protocol that allow multiple protocols on the same network medium. It’s 802.2. |
| MAC | Mandatory Access Control is an Access Control system based on data classification and labels. The famous Top Secret come from here. |
| MD5 | Message Digest 5, a hashing algorithm producing 128 bits output. |
| MIC | Message Integrity Check is an integrity control used in WPA. |
| MTD | Maximum Tolerable Downtime is the longest period of time a resource can be unavailable without causing irreparable harm to the business. |
| NAC | Network Access Control is a technology that allow access to the network only if the device fill the requirement (OS version, AV up to date, etc). If a device fail these requirement, a page displaying a allowing to resolve the issue may be displayed. |
| NAT-PT | Network Address Translation/Protocol Translation (NAT-PT) is defined in RFC 2766 but due to numerous problems, it has been obsoleted by RFC 4966 and deprecated to historic status. |
| NDA | Non-Disclosure Agreement. |
| NFPA | National Fire Protection Association is a United States trade association, albeit with some international members, that creates and maintains private, copyrighted standards and codes for usage and adoption by local governments. The association was formed in 1896 by a group of insurance firms. |
| NIDS | Network Intrusion Detection System is an IDS installed on a the network, generally on a promiscuous port, to avoid issue. |
| NIFC | National Interagency Fire Center in Boise, Idaho is the physical facility which is the home to the National Interagency Coordination Center (NICC), and the National Multi-Agency Coordination group (NMAC or MAC). |
| NIPS | Network Intrusion Prevention System is an IPS installed on the network. Generally inline, to be able to modify the traffic accordingly to its policy. |
| NIST | National Institute of Standard and Technology |
| NSA | National Security Agency, |
| OASIS | Organization for the Advancement of Structured Information Standard is a global nonprofit consortium that works on the development, convergence, and adoption of open standards for security, Internet of Things, energy, content technologies, emergency management, and other areas. |
| OCTAVE | Operationally Critical Threat, Asset and Vulnerability Evaluation approach defines a risk-based strategic assessment and planning technique for security. |
| OSI | Open Systems Interconnection model |
| OFB | Output Feedback mode makes a block cipher into a synchronous stream cipher. It generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption. . |
| OFDM | Orthogonal Frequency Division Multiplexing, in telecommunications, orthogonal frequency-division multiplexing (OFDM) is a method of encoding digital data on multiple carrier frequencies. OFDM has developed into a popular scheme for wideband digital communication, used in applications such as digital television and audio broadcasting, DSL internet access, wireless networks, power line networks, and 4G mobile communications. |
| OSCP | Online Certificate Status Protocol is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. |
| OWASP | Open Web Application Security Project is an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. |
| PaaS | Platform as a Service, is when a provider allow customer to develop, run and manage application without having to manage the infrastructure like the OS, Network, etc. |
| PAN | Personal Area Network |
| PASTA | Process for Attack Simulation and Threat Analysis is a seven-step, risk-centric methodology. Discussed in domain 1. |
| PCI DSS | Payment Card Industry Data Security Standard |
| PEAP | Protected Extensible Authentication Protocol also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated TLS tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided. |
| PEM | Privacy-Enhanced Mail is a de facto file format for storing and sending cryptographic keys, certificates, and other data. |
| PGP | Pretty Good Privacy is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. It use a web of trust. |
| PHI | Protected Health Information, under the US law is any information about health status, provision of health care, or payment for health care. |
| PII | Personally Identifiable Information, is information that allow to identify or give personal information on an individual. |
| PKI | Public Key Infrastructure. |
| PP | Protection Profile in the CC, is a set of security requirement that describe the TOE. |
| PPP | Point to Point Protocol is a layer 2 protocol used to establish a direct connection between two devices. PPP is a successor for SLIP. |
| PPTP | Point to Point Tunneling Protocol is an obsolete method for implementing virtual private networks. PPTP has many well known security issues. |
| P2PE | Point to Point Encryption is a standard created by the PCI. |
| RADIUS | Remote Authentication Dial-In User Service is a networking protocol, operating on port 1812 that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. |
| RAID | Redundant Array of Independent Disks. |
| RARP | Reverse Address Resolution Protocol, translate MAC into IP address. |
| RBAC | Role-Based Access Control is a security model defined around roles and privileges. Sometime RBAC can be “Rule Based Access Control”. A firewall is a rule based acess control. |
| Repudiation | is the ability to deny something. In IT, i’s the ability to deny a user have done an action. The goal is to obtain non-repudiation, to be able to prove a user have done an action. |
| RFI | Radio-Frequency Interference, is a disturbance generated by an external source that affects an electrical circuit by electromagnetic induction, electrostatic coupling, or conduction. |
| RPC | Remove Procedure Call is when a computer program causes a procedure (subroutine) to execute in a different address space (commonly on another computer on a shared network). |
| RPO | Recovery Point Objective is the amount of data loss or system unavailability, measured in time, a system or a company can endure. Recovery Point Objective is also the maximum sustainable data loss based on backup schedules and recovery. |
| RSA | Rivest–Shamir–Adleman is one of the first public-key cryptosystems and is widely used for secure data transmission. |
| RSN | Robust Security Network is another name for WPA2 |
| RTO | Recovery Time Objective is the acceptable amount of time to restore the function. |
| SA | Security Association is the sharing of the parameters in a VPN between the two side to create the connection. |
| SaaS | Software as a Service, is when a provider allow customer to use a software through web or other, but the customer manage nothing, he just use the application. |
| SABSA | Sherwood Applied Business Security Architecture. SABSA is a framework and methodology for enterprise security architecture and service management. |
| SAML | Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. |
| SCAP | Security Content Automation Protocol is a NIST naming convention to describe security vulnerabilities. |
| SCTP | Stream Control Transmission Protocol |
| SDLC | System Development Life Cycle or Software Development Life Cycle. It’s stated in the Sybex book that there is no distinction made about it for CISSP. ciscopress |
| SET | Secure Electronic Transaction is a communications protocol standard for securing credit card transactions over networks, specifically, the Internet. |
| SEAL | Software-optimized Encryption Algorithm is a stream cipher optimized for machines with a 32-bit word size and plenty of RAM. |
| SHA-1 | Secure Hash Algorithm 1 is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest. Deprecated. Discussed in chapter 3. |
| SHA-2 | Secure Hash Algorithm is a set of cryptographic hash functions designed by the United States National Security Agency (NSA).Secure Hash Algorithm 2 |
| S-HTTP | Secure HyperText Transfer Protocol is an obsolete alternative to the HTTPS protocol for encrypting web communications carried over HTTP. Discussed in chapter 3. |
| SIEM | Security Information and Even Management, are a family of tools that does monitoring, reporting, notifications, correlation of events, etc. |
| SLA | Service Level Agreement is a commitment between a service provider and a client. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user. |
| SLE | Single Loss Expectency is the monetary value expected from the occurrence of a risk on an asset. It’s calculate by AV*EF=SLE . |
| S/MIME | Secure/Multipurpose Internet Mail Extension is a standard for public key encryption and signing of MIME data. |
| SMTP | Simple Mail Transfer Protocol, OSI layer 7 protocol |
| Smurf Attack | is a distributed denial-of-service attack based on ICMP and target’s IP spoofing. |
| SNMA | Sollicited Node Multicast Address, the protocol used to replace ARP in IPv6. |
| SOC | System Organization Control are report of audit of a company, in the standard defined in SSAE 16. |
| SOX | Sarbanes Oxley Act of 2002 is mandatory. ALL organizations, large and small, MUST comply. SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. SOX site |
| SPIT | Spam over Internet Telephony is unsolicited call using VOIP. |
| SQL | Structured Query Language, OSI layer 5 protocol |
| SSL | Secure Sockets Layer. Developed in the early 90’s by Netscape, it’s now replaced by TLS. The last version, SSL3 is deprecated due some security breaches. While using TCP, it’s still an OSI’s layer 4 protocol. |
| ST | Security Target is the documentation the TOE and others security requirement in the CC testing process. |
| TACACS | Terminal Access Controller Access-Control System refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. |
| TOE | Target of Evaluation, in the CC, is the tested product. |
| TCP | Transmission Control Protocol |
| TGS | Ticket-Granting Service issue ticket and session keys to the client. |
| TGT | Ticket-Grant Ticket is in Kerberos, a timestamped and encrypted. This ticket is granted by the KDC. The TGT will be sent to the TGS each time the user want to reach a new resource. |
| TLS | Transport Layer Security |
| TPM | Trusted Platform Module (also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. |
| TCB | Trusted Computing Base is the set of all hardware, firmware, and/or software components that are critical to the system security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system. |
| TCSEC | Trusted Computing System Evaluation Criteria, is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. Not used anymore but it’s the model for others security evaluation method, such as ITSEC. |
| UDP | User Datagram Protocol |
| UPS | Uninterruptible Power Supply is an electrical apparatus that provides emergency power to a load when the input power source or mains power fails. |
| USA PATRIOT | Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, In response to the September 11 attacks, Congress swiftly passed legislation to strengthen national security. |
| USPTO | United States Patent and Trademark Office. USPTO |
| VAST | Visual, Agile and Simple Threat modeling. |
| VPN | Virtual Private Network |
| WAN | World Area Network is a telecommunications network or computer network that extends over a large geographical distance/place. |
| WPA2 | Wi-Fi Protected Access 2 security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. |
| XACML | eXtensible Access Control Markup Language defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies. It’s used mainly in SDN. |
| XCCDF | Extensible Configuration Checklist Description Format is an XML format specifying security checklists, benchmarks and configuration documentation. It’s part of the SCAP. XCCDF development is being pursued by NIST, the NSA, The MITRE Corporation, and the US Department of Homeland Security. |
| XSRF | Cross-Site Request Forgery also known as one-click attack or session riding and abbreviated as CSRF. It works by having a users click on a forged link pointing to a site where the users already have a session opened. |
| XOR | Exclusive OR, or boolean operator that return true only when the input differ. |
| X.400 | X.400 is a suite of ITU-T Recommendations that define standards for Data Communication Networks for Message Handling Systems (MHS) — more commonly known as email. It’s replaced by SMTP. |
| X.500 | is a series of computer networking standards covering electronic directory services. The X.500 series was developed by ITU-T, formerly known as CCITT, and first approved in 1988. The directory services were developed in order to support the requirements of X.400 electronic mail exchange and name lookup. It’s kind of replaced by LDAP. |
| X.509 | is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL. |
