Exam CISSP-2018: Certified Information Systems Security Professional 2018

ExamCollection Verified – Instant Download. Download Exam CISSP-2018 PDF files free.

Here you can download free practice tests for such certifications as MCSAMCSE, MCDBA, MCSD,A+,Network+, Security+, CCNA, CCNP, IBM, HP, VMware  and so on. All tests on this site have been converted with VCE Exam Simulator.

All latest VCE files will be convertedFiles are converted in 24 to 36 hours. VCE to PDF converter FREE

CISSP-2018 PREMIUM VCE files + PDF Files LATEST + VCE Player on WINDOWS: $40.00 

BuyNow

CISSP.vce & CISSP.pdf

INVALID

290 Questions & Answers version 2018

FREE: 1297 Questions & Answers old version

VCE files + PDF files + VCE Player: $40.00

Last update: October–2019

New Question Updates for: 30 days FREE

100% Pass or Money Back

  1. Latest questions, authenticity guaranteed;
  2. Refund policy applies;
  3. Great savings – Corporate Clients welcome;
  4. Immediate download after purchase;
  5. 95% of VCEplus clients pass their exams;
  6. Guaranteed by VCEplus & ExamCollection;
  7. Email Support[email protected];
  8. Online SupportChat with us

Free Exam Questions in PDF Format

The content of the CISSP has been refreshed to reflect the most pertinent issues that information security professionals currently face, along with the best practices for mitigating those issues. Some topics have been updated while others have been realigned. The result is an exam that most accurately reflects the technical and managerial competence required from an experienced information security professional to effectively design, engineer, implement and manage an organization’s information security program within an ever-changing security landscape.

Previous CISSP Domain Name New CISSP Domain Name
Domain 1: Security and Risk Management Domain 1: Security and Risk Management
Domain 2: Asset Security Domain 2: Asset Security
Domain 3: Security Engineering Domain 3: Security Architecture and Engineering
Domain 4: Communications and Network Security Domain 4: Communication and Network Security
Domain 5: Identity and Access Management Domain 5: Identity and Access Management (IAM)
Domain 6: Security and Assessment Testing Domain 6: Security Assessment and Testing
Domain 7: Security Operations Domain 7: Security Operations
Domain 8: Software Development Security Domain 8: Software Development Security

The domain weights are as follows:

Major Domains Weightings (Percentage)
Domain 1: Security and Risk Management 15%
Domain 2: Asset Security 10%
Domain 3: Security Architecture and Engineering 13%
Domain 4: Communication and Network Security 14%
Domain 5: Identity and Access Management (IAM) 13%
Domain 6: Security Assessment and Testing 12%
Domain 7: Security Operations 13%
Domain 8: Software Development Security 10%
Total 100%

OVERVIEW OF CHANGES (Buyer review)

DOMAIN 1: SECURITY AND RISK MANAGEMENT (15% of the exam content)

As you will see below, there almost no change in content for this domain.  There was some reformatting of the names of some of the bullets and that is about it.

Overall, I can honestly say there was at most 1% change within this domain.  Nothing significant.

Apply Security governance principles through:

TOPIC 2015 CBK® OLD NAME
2018 CBK® NEW NAME
1.2 Apply security governance principles through: Evaluate & Apply security governance principles through:
1.2 Control frameworks Security Control frameworks
1.3 Compliance Determine Compliance Requirements
1.3 Legislative and regulatory compliance Contractual, Legal, Industry standards, and Regulatory Requirements.
1.3 Privacy requirements compliance Privacy requirements
1.4 Computer crimes Cyber Crimes and Data Breaches
1.4 Licensing and intellectual property Licensing and intellectual property requirements
1.4 Data Breaches REMOVED AND ADDED TO BULLET ABOVE
1.5 Understand professional ethics Understand, adhere to, and promote professional ethics
1.5 Exercise (ISC)2 Code of Professional Ethics (ISC)2 Code of Professional Ethics
1.5 Support organization’s code of ethics Organizational code of ethics
1.6 Develop and Implement documented security policy, standards, procedures, and guidelines. Develop, Document, and Implement security policy, standards, procedures, and guidelines.
1.7 Understand Business Continuity requirements Identify, Analyse, and Prioritize Business Continuity requirements
1.7 Develop and document project scope and plan Develop and document scope and plan
1.7 Conduct business impact analysis Business impact analysis
1.8 Contribute to personnel security policies Contribute to and enforce personnel security policies and procedures
 1.8 Employment Candidate Screening Candidate Screening and Hiring
 1.8 Employment termination processes Onboarding and termination process
 1.8 Vendor, consultant, and contractor controls  Vendor, consultant, and contractor agreements and controls
 1.8 Compliance Compliance Policy Requirements
 1.8 Privacy Privacy Policy Requirments
 1.9 Risk Assessment/acceptance Risk Response
 1.9 Countermeasure Selection Countermeasure Selection and Implementation
 1.9 Implementation REMOVED AND ADDED TO BULLET ABOVE
 1.9 Control Assessment Security Control Assessment
 1.9 Types of Controls Applicable types of controls
1.10 Understand and apply threat modeling  Understand and apply threat modeling concepts and methodology
1.10 Identifying threats REMOVED
1.10 Determining and Diagramming potential attacks REMOVED
1.10 Performing reduction analysis REMOVED
1.10 Technology and processes to remediate threats REMOVED
1.10 Added: Threat Modeling concepts
1.10 Added: Threat modeling methodologies
1.11 Integrate security risk considerations into acquisition strategy and practice Apply risk-based management concepts to the supply chain
1.11 Hardware, Software, and Services Risks associated with Hardware, Software, and Services
1.12 Establish and manage information security education, training, and awareness Establish and maintain a security education, training, and awareness program
1.12 Appropriate levels of awareness, training, and education required within organization REMOVED AND REPLACE BY THE TWO BULLETS BELOW
1.12 Periodic reviews for content relevancy Periodic content reviews
1.12 Added: Method and Techniques to present awareness and training
1.12 Added: Program effectiveness evaluation

DOMAIN 2: ASSET SECURITY (10% of the exam content)

As you will see below, there almost no change in content for this domain.  There was some reformatting of the names of some of the bullets and that is about it.

Overall, I can honestly say there was less than 1% change within this domain.  Nothing significant.

I was glad to see that Cryptography was removed. However, Data Protection Methods has been added and of course, that will talk about cryptography used to protect your data.  So in summary:  No change just different names.

TOPIC 2015 CBK® OLD NAME
2018 CBK® NEW NAME
2.1 Classify Information and Supporting assets Identify and Classify information and assets
2.2 Determine and Maintain ownership Determine and maintain information and assets ownership
2.1 Added: Data Classification
2.1 Added: Asset Classification
2.5 Baselines REMOVED
2.5 Added: Understand data states
2.5 Cryptography REMOVED
2.5 Added: Data Protection Methods
2.6 Establish handling requirements  Establish Information and Assets handling requirements

DOMAIN 3 – NEW DOMAIN NAME IS: Security Architecture and Engineering (13% of the exam content)

Hum…  This change reminds me of the old Security Architecture and Design domain we had on the 2012 CBK®.   As you can see History always repeats itself.

As you will see below, there almost no change in content for this domain.  There was some reformatting of the names of some of the bullets and that is about it.

If I am being generous I can say there is about 1% of changes in this domain.

Topics such as the Internet of Things (IOT) and  Cloud-Based systems were added to the description.  However, those topics were already included in the 2012 CBk and there is no new content just bullets added to Domain 3 list.   Some of the other topics were removed from the list but were simply moved and kept on the list by combining them with other topics.

TOPIC 2015 CBK® OLD NAME
2018 CBK® NEW NAME
 3.3 Select controls and countermeasures based upon systems security evaluation models Select controls based upon systems security requirements
 3.4 Understand security capabilities of information systems (e.g., memory protection, trusted platform module, interfaces, fault tolerance) Understand security capabilities of information systems (e.g., memory protection, trusted platform module, encryption/decryption)
 3.5 Large-scale parallel data systems REMOVED
 3.5 Added: Internet of Things (IOT)
 3.5 Added: Cloud-Based Systems
3.8 Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, internet of things (IOT)  Assess and mitigate vulnerabilities in embedded devices
3.9 Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)  Cryptographic life cycle (Key Management, Algorithm selection)
3.9 Cryptographic Types (e.g., symmetric, asymmetric, elliptic curves)  Cryptographic Methods
3.9  Integrity (hashing and salting)  Integrity (hashing)
3.9 Methods of Cryptanalytic attacks (e.g., brute  force, ciphertext only, known plaintext) Understand methods of Cryptanalytic attacks
3.10 Apply secure principles to site and facility design REMOVED
3.11 Design and Implement physical security Implement site and facility Security Controls
3.11 Wiring closets Wiring Closets/Intermediate distribution facility
3.11 Server rooms Server rooms/data centers
3.11 Data Center Security REMOVED combined with bullet above
3.11 Utilities and HVAC considerations Utilities and HVAC
3.11 Water Issues (e.g., leakage, flooding) Environmental issues

DOMAIN 4: Communications and Network Security (14% of the exam content)

As you will see below, there almost no change in content for this domain.  There was some reformatting of the names of some of the bullets and that is about it.

A few items were removed.  As you can see Cryptography was removed and like I have mentioned previously that makes senses considering it is covered in depth with other domains.  It seems ISC2 is bundling all of the Crypto content in one major section.

What amazed me with this domain is how wide it is and how short the description is.  The CBK® and the Detailed Content Outline (DCO) does not do justice to this domain.

Overall there was less than 1% of changes within this domain.  Nothing significant.

TOPIC 2015 CBK® OLD NAME
2018 CBK® NEW NAME
4 .1 Apply secure design principle to network architecture  Apply secure design principle in network architecture
4.1 Cryptography used to maintain communication security REMOVED
4.2 Network Access Control devices  Network Access Control (NAC) devices
4.2 Physical Devices REMOVED
4.3 Design and establish secure communication channels Implement secure communication channels according to design
4.4 Prevent and Mitigate network attacks REMOVED

DOMAIN 5: Identity and Access Management (IAM) (13% of the exam content)

The acronym (IAM) was added to the end of the domain name.

As you will see below, there almost no change in content for this domain.  There was some reformatting of the names of some of the bullets and that is about it.

Six items were added to further clarify the existing content.  Attribute-Based Access Control is a new topic that was added.

This is another domain with less than 1% of changes within the domain content.  Nothing significant.

What is Attribute Based Access Controls?

Attribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.). This model supports Boolean logic, in which rules contain “IF, THEN” statements about who is making the request, the resource, and the action. For example: IF the requestor is a manager, THEN allow read/write access to sensitive data.

TOPIC 2015 CBK® OLD NAME
2018 CBK® NEW NAME
5.2 Manage Identification and authentication of people and devices  Manage Identification and authentication of people, devices, and Services
5.2 Federated Identity Management Federated Identity Management (FIM)
5.3 Integrate Identity as a service (e.g., cloud identity)  Integrate Identity as a third-party service
5.3 Added: On-premise
Added: Cloud 
Added: Federated 
5.4  Integrate third-party identity services (e.g., on premised) REMOVED replaced by bullet above
5.5 Added: Attribute Based Access Controls 
5.6 Prevent and Mitigate access control attacks REMOVED
5.7 Added: User Access Review
5.7 Added: System Account Access Review
5.7 Added: Provisioning and Deprovisioning

DOMAIN 6: Security Assessment and Testing (12% of the exam content)

As you will see below, there almost no change in content for this domain.  There was some reformatting of the names of some of the bullets and a few items were added to further clarify what is the content.

Overall, there was 0% of new content added to this domain.

TOPIC 2015 CBK® OLD NAME
2018 CBK® NEW NAME
6.1 Design and Validate assessment and test strategies Design and Validate Assessment, test, and audit strategies.
6.1 Added: internal 
6.1 Added: external
6.3 Collect security process data (e.g., management and operational controls) Collect security process data (e.g., Technical and Administrative)
6.3 Management review Management review and approval
6.3 Disaster Recovery and Business Continuity  Disaster Recovery (DR) and Business Continuity (BC)
6.4 Analyze and report test outputs (e.g., automated, manual)  Analyze and report test outputs and generate reports
6.5 Conduct or facilitate internal and third-party audits  Conduct or facilitate security audits
6.5 Added: Internal 
6.5 Added: External
6.5 Added: Third-Party 

DOMAIN 7: Security Operations (13% of the exam content)

As you will see below, there almost no change in content for this domain.  There was some reformatting of the names of some of the bullets.

As you will see a single entry was divided into multiple entries for more clarity.

Subjects such as Industry Standards, Asset management, and Duress were added.

Overall, I can honestly say there is less than 1%  of changes within this domain.  Nothing significant.

TOPIC 2015 CBK® OLD NAME
2018 CBK® NEW NAME
 7.1 Digital Forensics (e.g., media, network, software and embedded devices) Digital Forensics tools, tactics, procedures
7.2 Operational Administrative
7.2 Electronic Discovery (eDiscovery) REMOVED
7.2 Added: Industry Standards
7.3 Security information and event managment Security information and event management (SIEM)
7.4 Secure provisioning of resources Securely provisioning resources
7.4 Added: Asset Management
7.4 Physical Assets REMOVED
7.4 Virtual Assets (e.g., Software-defined network, virtual SAN, guest operating systems) REMOVED
7.4 Cloud Assets (e.g., services, VMs, storage, networks) REMOVED
7.4 Applications (e.g., workloads or private clouds, web services, software as a service. REMOVED
7.5 Monitor Special Privilege (e.g., operations, administrator) Privilege Account Management
7.5 Service-level agreements Service-level agreements (SLA)
7.6 Employ resource protection techniques Apply resource protection technique
7.10 Participate and Understand change management processes (e.g., versioning, baselining, security impact analysis) Understand and participate in change management processes
7.13 Read-through Read-through / TableTop
7.14 Participate in business continuity planning and exercises Participate in business continuity (BC) planning and exercises
7.15 Perimeter (e.g., access control and monitoring) Perimeter Security Controls
7.15 Internal Security Internal Security Controls
7.16 Participate in addressing personnel safety concerns (e.g.,  duress, travel, monitoring) Address personal safety and security controls
7.16 Added: Travel
7.16 Added: Security Training and Awareness
7.16 Added: Emergency Management
7.16 Added: Duress

DOMAIN 8: Software Development Security (10% of the exam content)

As you will see below, there is almost no change in content for this domain.  There was some reformatting of the names of some of the bullets and that is about it.

Overall, I can honestly say there was less than 1% of changes within this domain.  Nothing significant.

TOPIC 2015 CBK® OLD NAME
2018 CBK® NEW NAME
8.1 Understand and apply security in the software development lifecycle Understand and integrate security in the software development lifecycle (SDLC)
8.2 Enforce security controls in development environments Identity and Apply security controls in development environments
8.2 Security weaknesses and vulnerabilities at the source code level (e.g., buffer overflow, escalation of privileges, input/output validation) REMOVED but added further down as new topics and section.  See 8.5 below.
8.2 Security of application programming interfaces REMOVED but added further down as a new topic.  See 8.5 below. 
8.3 Acceptance testing REMOVED
8.5 Added: Define and Apply Secure Coding Guidelines and Standards.
8.5 Added: Security weaknesses and Vulnerabilities at the source code level
8.5 Added: Security of Application Programming Interfaces (API)
8.5 Added: Secure Coding Practices

You may also like...