Complete CISSP Domains Cheat Sheet: Essential Security Concepts & Practices

Introduction

The Certified Information Systems Security Professional (CISSP) is one of the most respected certifications in the information security industry. Governed by (ISC)², CISSP validates advanced knowledge and experience in eight distinct domains that collectively cover the critical aspects of information security. This cheat sheet provides a comprehensive overview of all CISSP domains, serving as a quick reference guide for security professionals preparing for the exam or implementing security best practices in their organizations.

The 8 CISSP Domains Overview

Domain                                        Weight  Key Focus
1. Security and Risk Management               15%     Governance, legal issues, ethics, security policies
2. Asset Security                             10%     Classification, ownership, protection, privacy
3. Security Architecture and Engineering      13%     Concepts, principles, controls, cryptography
4. Communication and Network Security         13%     Network architecture, components, secure channels
5. Identity and Access Management             13%     Authentication, authorization, lifecycle
6. Security Assessment and Testing            12%     Assessment strategies, testing, monitoring
7. Security Operations                        13%     Investigations, incident management, recovery
8. Software Development Security              11%     Security in SDLC, secure coding, effectiveness

Domain 1: Security and Risk Management

Core Concepts

  • Security Governance: Alignment of security function to business strategy, goals, mission, and objectives
  • Risk Management: Identification, analysis, and mitigation of risks
  • Compliance: Adherence to laws, regulations, and contractual obligations
  • Professional Ethics: Adherence to (ISC)² Code of Ethics

Key Laws and Regulations

  • GDPR: European data protection and privacy regulation
  • HIPAA: US healthcare data privacy and security
  • PCI DSS: Payment card industry security standard
  • SOX: US financial reporting requirements

Risk Management Process

  1. Risk Identification: Locate and document potential risks
  2. Risk Assessment: Evaluate probability and impact
  3. Risk Response: Strategies to address risks
    • Accept
    • Avoid
    • Transfer
    • Mitigate
  4. Risk Monitoring: Ongoing surveillance and review

Security Policy Types

  • Organizational: Defines overall security program
  • Issue-specific: Addresses individual security issues
  • System-specific: Focuses on specific systems or technologies

Domain 2: Asset Security

Data Classification Levels

  • Public: No impact if disclosed
  • Internal/Private: Minor impact if disclosed
  • Confidential: Significant impact if disclosed
  • Restricted/Secret: Severe impact if disclosed

Data States Requiring Protection

  • Data at Rest: Stored on media
  • Data in Transit: Moving through networks
  • Data in Use: Being processed/accessed

Data Protection Methods

  • Encryption: Converts data into ciphertext
  • Masking: Hides portions of data
  • Tokenization: Replaces sensitive data with non-sensitive equivalents
  • Data Loss Prevention (DLP): Monitors and protects data
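Masking and tokenization are easy to confuse because both replace the sensitive value with something safer. The example below (added here, not part of the original cheat sheet) puts the two side by side: masking is irreversible and keeps only the digits the business needs to see, while tokenization issues a random surrogate whose mapping lives only inside a vault. The card numbers are the standard test values and the in-memory vault is a constructed stand-in for a hardened tokenization service.

```python
"""Masking versus tokenization of a payment card number (added example).

The PAN values and the in-memory vault are constructed for illustration;
a production token vault is a separate, access-controlled service.
"""
import secrets


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Masking: hide every digit except the last `keep_last`.

    The original value cannot be recovered from the masked form, which is
    what makes it suitable for receipts, screens and logs.
    """
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) <= keep_last:
        raise ValueError("expected a numeric PAN longer than the kept suffix")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


class TokenVault:
    """Tokenization: replace the sensitive value with a random surrogate.

    Only the vault can map a token back to the real value, so systems that
    store the token alone hold nothing an attacker can use directly.
    """

    def __init__(self) -> None:
        self._to_value: dict[str, str] = {}
        self._to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token for a repeated value so that downstream
        # systems can still match records without ever seeing the PAN.
        if value in self._to_token:
            return self._to_token[value]
        # Random token: no mathematical relationship to the original value.
        token = "tok_" + secrets.token_hex(8)
        self._to_value[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; in practice this call is tightly access-controlled."""
        return self._to_value[token]


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"  # constructed test card number
    vault = TokenVault()
    token = vault.tokenize(pan)
    print("masked:", mask_pan(pan))
    print("token:", token, "->", vault.detokenize(token))
```

The practical difference for Domain 2 is scope: a system holding masked values is out of scope for PAN protection because the data is gone, whereas a system holding tokens is only as safe as the vault that can reverse them.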

Information Lifecycle

  1. Creation/Acquisition
  2. Distribution
  3. Use
  4. Maintenance/Storage
  5. Disposal/Destruction

Domain 3: Security Architecture and Engineering

Security Models

  • Bell-LaPadula: Confidentiality focus (no read up, no write down)
  • Biba: Integrity focus (no read down, no write up)
  • Clark-Wilson: Transaction integrity focus
  • Brewer-Nash (Chinese Wall): Conflict of interest prevention
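The Bell-LaPadula and Biba rules are mirror images of each other, which is exactly why exam candidates mix them up. The following added example (not from the original cheat sheet) encodes both models as functions over an ordered set of levels and lets you query any subject/object pair; the level names are constructed for illustration.

```python
"""Bell-LaPadula and Biba property checks over a simple level lattice (added example).

The four level names below are constructed; real systems may use more
levels plus compartments, but the comparison rules are the same.
"""
from enum import IntEnum


class Level(IntEnum):
    # Ordered labels: a higher value means more sensitive (Bell-LaPadula)
    # or more trustworthy (Biba).
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# --- Bell-LaPadula: confidentiality ---
def blp_can_read(subject: Level, obj: Level) -> bool:
    """Simple security property: no read up."""
    return subject >= obj


def blp_can_write(subject: Level, obj: Level) -> bool:
    """*-property: no write down (writing to a lower level would leak)."""
    return subject <= obj


# --- Biba: integrity ---
def biba_can_read(subject: Level, obj: Level) -> bool:
    """Simple integrity property: no read down (less trusted data would taint)."""
    return subject <= obj


def biba_can_write(subject: Level, obj: Level) -> bool:
    """Integrity *-property: no write up (cannot corrupt more trusted data)."""
    return subject >= obj


RULES = {
    ("blp", "read"): blp_can_read,
    ("blp", "write"): blp_can_write,
    ("biba", "read"): biba_can_read,
    ("biba", "write"): biba_can_write,
}


def check(model: str, action: str, subject: Level, obj: Level) -> bool:
    """Return True if `subject` may perform `action` on `obj` under `model`."""
    return RULES[(model, action)](subject, obj)


if __name__ == "__main__":
    # A CONFIDENTIAL-cleared subject against a SECRET object: BLP forbids the
    # read (read up) but permits the write (write up); Biba does the opposite.
    for model in ("blp", "biba"):
        for action in ("read", "write"):
            print(model, action, "CONFIDENTIAL -> SECRET:",
                  check(model, action, Level.CONFIDENTIAL, Level.SECRET))
```

Note what the matrix shows: an object can be both highly sensitive and of low integrity, so a system that needs both properties has to label data on two separate axes rather than reuse one set of levels for both models.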

Cryptography Fundamentals

  • Symmetric Encryption: Same key for encryption/decryption (AES, 3DES)
  • Asymmetric Encryption: Public/private key pairs (RSA, ECC)
  • Hashing: One-way functions producing fixed-length output (SHA-256, SHA-3)
  • Digital Signatures: Authentication, non-repudiation, integrity

Security Control Types

  • Administrative: Policies, procedures, guidelines
  • Technical/Logical: Software/hardware mechanisms
  • Physical: Barriers, guards, cameras

Security Control Categories

  • Preventive: Stop incidents before they occur
  • Detective: Identify incidents after they occur
  • Corrective: Mitigate impact of incidents
  • Deterrent: Discourage potential attackers
  • Recovery: Restore operations after incidents
  • Compensating: Alternative when primary controls can’t be implemented

Domain 4: Communication and Network Security

Network Architecture Components

  • Zones and Topologies: DMZ, intranet, extranet
  • Network Devices: Routers, switches, firewalls
  • Transmission Technologies: Bluetooth, Wi-Fi, VPN

Secure Network Architectures

  • Defense-in-Depth: Multiple layers of security
  • Zero Trust: “Never trust, always verify”
  • Software-Defined Networking (SDN): Programmatic network management

Secure Communication Protocols

  • TLS/SSL: Secure web communications
  • IPsec: Network layer security
  • SSH: Secure remote access
  • S/MIME: Secure email

Common Network Attacks

  • DDoS: Overwhelming services with traffic
  • Man-in-the-Middle: Intercepting communications
  • ARP Poisoning: Corrupting ARP tables
  • DNS Poisoning: Corrupting DNS resolution

Domain 5: Identity and Access Management

Authentication Factors

  • Something You Know: Passwords, PINs
  • Something You Have: Smart cards, tokens
  • Something You Are: Biometrics
  • Somewhere You Are: Geolocation
  • Something You Do: Behavioral biometrics

Access Control Models

  • Discretionary (DAC): Owner-based permissions
  • Mandatory (MAC): System-enforced classifications
  • Role-Based (RBAC): Permissions assigned to roles
  • Attribute-Based (ABAC): Dynamic rules based on attributes
  • Rule-Based: Predefined rules for access
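RBAC and ABAC answer the same question ("may this user do this?") from different inputs: RBAC looks only at the roles the user holds, ABAC evaluates a rule over attributes of the subject, the resource and the environment. The added example below (not from the original cheat sheet) implements a minimal decision function for each; the roles, permissions, attribute names and the ABAC policy rule are all constructed for illustration.

```python
"""RBAC and ABAC decision functions side by side (added example).

The role table, user assignments, attribute names and the policy rule
are constructed for illustration.
"""
from dataclasses import dataclass

# --- RBAC: permissions are attached to roles; users are assigned roles ---
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "ticket:comment"},
    "admin": {"ticket:read", "ticket:comment", "ticket:delete", "user:manage"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allowed(user: str, permission: str) -> bool:
    """Allowed if any role held by the user carries the permission.

    Unknown users and unknown roles resolve to an empty set, i.e. deny.
    """
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- ABAC: a rule evaluated over subject, resource and environment attributes ---
@dataclass(frozen=True)
class Subject:
    name: str
    department: str
    clearance: int


@dataclass(frozen=True)
class Resource:
    owner_department: str
    classification: int


@dataclass(frozen=True)
class Environment:
    hour: int               # local hour of day, 0-23
    from_corp_network: bool


def abac_allowed(subject: Subject, resource: Resource, env: Environment) -> bool:
    """Constructed policy: same department, clearance at or above the
    resource classification, corporate network, business hours only."""
    return (subject.department == resource.owner_department
            and subject.clearance >= resource.classification
            and env.from_corp_network
            and 8 <= env.hour < 18)


if __name__ == "__main__":
    print("alice delete ticket (RBAC):", rbac_allowed("alice", "ticket:delete"))
    alice = Subject("alice", "finance", clearance=2)
    ledger = Resource("finance", classification=2)
    print("alice ledger at 10:00 on corp net (ABAC):",
          abac_allowed(alice, ledger, Environment(10, True)))
    print("alice ledger at 22:00 on corp net (ABAC):",
          abac_allowed(alice, ledger, Environment(22, True)))
```

The environment attributes are what make ABAC "dynamic" in the sense the cheat sheet uses: the same subject and resource can be allowed at 10:00 and denied at 22:00 without any change to the user's assignments, something an RBAC role table cannot express on its own.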

Identity Management Lifecycle

  1. Provisioning: Creating accounts and assigning privileges
  2. Account Review: Periodic validation of access rights
  3. Account Revocation: Removing access when no longer needed

Privileged Access Management

  • Just-in-Time Access: Temporary elevated privileges
  • Privileged Account Monitoring: Recording and auditing activities
  • Separation of Duties: No single person has complete control

Domain 6: Security Assessment and Testing

Assessment Types

  • Vulnerability Assessment: Identifying weaknesses
  • Penetration Testing: Exploiting vulnerabilities
  • Code Review: Examining source code for security issues
  • Architecture Review: Evaluating design for security flaws

Testing Methodologies

  • Black Box: No prior knowledge of system
  • White Box: Complete knowledge of system
  • Gray Box: Limited knowledge of system

Security Monitoring

  • Log Analysis: Reviewing system logs
  • SIEM: Security Information and Event Management
  • Continuous Monitoring: Ongoing surveillance
  • User and Entity Behavior Analytics (UEBA): Detecting anomalous behavior

Security Metrics

  • Mean Time to Detect (MTTD): Average time to discover incidents
  • Mean Time to Respond (MTTR): Average time to address incidents
  • Coverage: Percentage of systems protected
  • False Positive Rate: Incorrect security alerts
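The four metrics above are only useful if everyone computes them the same way, so it helps to be explicit about the timestamps each one consumes. The added example below (not from the original cheat sheet) computes MTTD, MTTR, coverage and false positive rate from constructed incident records, a constructed asset inventory and constructed alert triage outcomes; the field names are assumptions.

```python
"""MTTD, MTTR, coverage and false positive rate from constructed records (added example).

Incident timestamps, the asset inventory and the alert verdicts are
made up for illustration; the field names are assumptions.
"""
from datetime import datetime
from statistics import mean

# Constructed incidents: when the malicious activity began, when the SOC
# detected it, and when it was resolved (ISO 8601, same timezone).
INCIDENTS = [
    {"id": "INC-1", "started": "2024-03-01T02:00", "detected": "2024-03-01T08:00", "resolved": "2024-03-01T20:00"},
    {"id": "INC-2", "started": "2024-03-05T11:00", "detected": "2024-03-05T13:00", "resolved": "2024-03-05T17:00"},
    {"id": "INC-3", "started": "2024-03-09T09:00", "detected": "2024-03-10T01:00", "resolved": "2024-03-10T21:00"},
]

# Constructed asset inventory and the subset enrolled in endpoint protection.
ASSETS = {"web-01", "web-02", "db-01", "jump-01"}
EDR_ENROLLED = {"web-01", "web-02", "db-01"}

# Constructed alert triage outcomes: True = confirmed malicious, False = benign.
ALERT_VERDICTS = [True, False, False, True, False, False, False, True, False, False]


def _hours_between(start: str, end: str) -> float:
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def mean_time_to_detect_hours(incidents) -> float:
    """MTTD: average of (detected - started) across incidents."""
    return mean(_hours_between(i["started"], i["detected"]) for i in incidents)


def mean_time_to_respond_hours(incidents) -> float:
    """MTTR: average of (resolved - detected); measured from detection, not from start."""
    return mean(_hours_between(i["detected"], i["resolved"]) for i in incidents)


def coverage_percent(assets, protected) -> float:
    """Coverage: share of inventoried assets that carry the control."""
    return 100.0 * len(assets & protected) / len(assets)


def false_positive_rate(verdicts) -> float:
    """Share of raised alerts that triage found benign."""
    return sum(1 for v in verdicts if not v) / len(verdicts)


if __name__ == "__main__":
    print(f"MTTD: {mean_time_to_detect_hours(INCIDENTS):.1f} h")
    print(f"MTTR: {mean_time_to_respond_hours(INCIDENTS):.1f} h")
    print(f"Coverage: {coverage_percent(ASSETS, EDR_ENROLLED):.0f}%")
    print(f"False positive rate: {false_positive_rate(ALERT_VERDICTS):.0%}")
```

Two conventions are baked in and worth stating in your own metric definitions: MTTR starts its clock at detection (so a long MTTD does not inflate it), and coverage is computed against the full inventory, which is why the asset inventory item under Best Practices matters for this metric.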

Domain 7: Security Operations

Incident Response Process

  1. Preparation: Planning and readiness
  2. Detection and Analysis: Identifying and evaluating incidents
  3. Containment: Limiting impact
  4. Eradication: Removing the threat
  5. Recovery: Restoring operations
  6. Post-Incident Activities: Lessons learned, documentation

Digital Forensics

  • Evidence Collection: Proper gathering and preservation
  • Chain of Custody: Documenting evidence handling
  • Analysis: Examining evidence for relevant information
  • Reporting: Documenting findings

Business Continuity Components

  • Business Impact Analysis (BIA): Identifying critical functions
  • Recovery Time Objective (RTO): Maximum tolerable downtime
  • Recovery Point Objective (RPO): Maximum tolerable data loss
  • Disaster Recovery Planning: Procedures for major disruptions

Security Awareness and Training

  • Phishing Simulations: Testing user susceptibility
  • Role-Based Training: Security education specific to job functions
  • Security Culture: Fostering security-conscious behavior

Domain 8: Software Development Security

Secure SDLC Integration

  • Security Requirements: Defining security needs early
  • Threat Modeling: Identifying potential threats
  • Secure Coding: Implementing secure programming practices
  • Security Testing: Validating security controls

Common Software Vulnerabilities

  • Injection Flaws: SQL, LDAP, OS command injection
  • Authentication Failures: Weak credentials, session management
  • Sensitive Data Exposure: Inadequate encryption
  • XML External Entities (XXE): Processing dangerous XML
  • Broken Access Control: Improper authorization
  • Security Misconfiguration: Default or incomplete settings
  • Cross-Site Scripting (XSS): Client-side code injection
  • Insecure Deserialization: Deserializing untrusted data
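Injection flaws head this list because the fix is mechanical once the root cause is understood: user input must never become part of the query text. The added example below (not from the original cheat sheet) shows a string-built SQL lookup beside its parameterized replacement against a constructed in-memory SQLite table, so the behavioural difference on hostile input can be observed directly.

```python
"""SQL injection: string-built query beside the parameterized fix (added example).

The in-memory users table is constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "analyst"), ("bob", "admin")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable on purpose: the input is spliced into the SQL text, so quote
    # characters in it change the statement's structure.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the input is bound as a parameter and can only ever be a value,
    # whatever characters it contains.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"
    print("vulnerable, benign input:", find_user_vulnerable(conn, "alice"))
    print("vulnerable, hostile input:", find_user_vulnerable(conn, hostile))
    print("safe, hostile input:", find_user_safe(conn, hostile))
```

This pairing is also what SAST tools in the Application Security Testing section look for: a query string assembled from a tainted variable is flaggable statically, whereas the parameterized form has no such data flow.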

Application Security Testing

  • SAST: Static Application Security Testing
  • DAST: Dynamic Application Security Testing
  • IAST: Interactive Application Security Testing
  • RASP: Runtime Application Self-Protection

DevSecOps Practices

  • Automated Security Testing: Integration into CI/CD pipeline
  • Infrastructure as Code Security: Secure configuration management
  • Container Security: Protecting containerized applications
  • Dependency Management: Tracking and updating components

Common Challenges and Solutions

Challenge               Solution
Shadow IT               Asset discovery tools, cloud access security brokers
Supply Chain Risks      Vendor assessment, software composition analysis
Cloud Security          Cloud security posture management, shared responsibility model
IoT Security            Network segmentation, device authentication
Insider Threats         Least privilege, behavior analytics
Ransomware              Backups, endpoint protection, user training
Compliance Complexity   GRC tools, compliance frameworks mapping
Security Skills Gap     Training programs, managed security services

Best Practices Across All Domains

  • Implement defense-in-depth with multiple security layers
  • Follow the principle of least privilege for access control
  • Maintain comprehensive asset inventories
  • Conduct regular security awareness training
  • Establish clear incident response procedures
  • Perform ongoing vulnerability management
  • Implement change management processes
  • Maintain documentation of security architecture
  • Establish metrics to measure security effectiveness
  • Conduct regular tabletop exercises for incident scenarios
  • Stay current with threat intelligence
  • Engage in information sharing with industry peers

Resources for Further Learning

Official Resources

  • (ISC)² Official CISSP Study Guide
  • (ISC)² Official Practice Tests
  • (ISC)² Common Body of Knowledge (CBK)

Industry Standards

  • NIST Cybersecurity Framework
  • ISO/IEC 27001/27002
  • CIS Controls
  • MITRE ATT&CK Framework

Online Training

  • Coursera CISSP Certification courses
  • Pluralsight Security Courses
  • INE Security Training
  • SANS Security Training

Communities

  • (ISC)² Member Community
  • Reddit r/cissp
  • LinkedIn CISSP Groups
  • Local (ISC)² Chapters