(ISC)²
SSCP® Systems Security
Certified Practitioner
Official Study Guide

Second Edition

Wiley Logo

Mike Wills


Acknowledgments

This book owes a great deal to the many teachers, coworkers, teammates, and friends who've worked so hard for so long to teach me what I know about information security and insecurity, and about risk management and mismanagement. Where this book works well in conveying that body of knowledge, skills, and attitudes to you is a testament to their generosity in sharing their insights with me. I would also like to acknowledge my faculty teammates here at Embry-Riddle Aeronautical University for sharing their frank and candid views throughout many conversations on making this body of knowledge accessible and engaging in the classroom. The ideas and experiences of Dr. Aaron Glassman, Dr. Wesley Phillips, Dr. Robert “Trez” Jones, and Mr. Hamid Ait Kaci Azzou have profoundly affected my approach to what you see before you here in this book.

The combined team at Wiley/Sybex and at (ISC)² worked tirelessly to focus, strengthen, and clarify what I wanted to say and how I said it, all while keeping my voice and my teaching ideas authentic and on point. My thanks go out to the editorial team at Wiley/Sybex: Jim Minatel, Kim Wimpsett, Pete Gaughan, Lauren Freestone, Elizabeth Welch, Tiffany Taylor, and their technical reviewers Jacob Penovich, Scott Pike, and Raven Sims, as well as to Tara Zeiler and Charles Gaughf, our reviewers at (ISC)². Johnna VanHoose Dinse, Wiley's indexer, has also made the art of finding what you want in this book when you need it more of a science (and I've always had a soft spot for a great index!). Where this book works well for you, it works because of the efforts of all of those people to make this book the best it can be. What errors, omissions, misspeaks, and confusions remain are mine, not theirs.

Finally, I wish to thank my wife Nancy. She saved my life and brought me peace. Her strength inspired me to say “yes” when Jim first called me about doing this book and has kept both of us healthy and happy throughout.

About the Author

Mike Wills, SSCP, CISSP, has spent more than 40 years as a computer systems architect, programmer, security specialist, database designer, consultant, and teacher (among other duties). Starting out as a bit of a phone phreak in his college days, he sharpened his skills on the 1960s generation of mainframes and minicomputers, just in time for the first 8080 and Z80 microprocessors to fuel the home computer revolution. Learning about the ARPANET just added spice to that mix. Since then, he's had ones, zeros, and now qubits under his fingernails too many times to count, whether as part of his jobs, his teaching, or his hobbies.

Mike earned his BS and MS degrees in computer science, both with minors in electrical engineering, from Illinois Institute of Technology, and his MA in Defence Studies from King's College, London. He is a graduate of the Federal Chief Information Officer program at National Defense University and the Program Manager's Course at Defense Systems Management College.

As an Air Force officer, Mike served in the National Reconnaissance Office, building and flying some of the most complex, cutting-edge space-based missions, large and small. As a “ground control” guy, he specialized in the design, operation, and support of highly secure, globe-spanning command, control, communications, and intelligence systems that support US and Coalition missions around the world. These duties often required Mike to “optimize” his way around the official configuration management and security safeguards—all on official business, of course.

No good deed going unpunished, he then spent two years on the Joint Staff as a policy and budget broker for all command, control, and communications systems, and then taught in the School of Information Warfare and Strategy at National Defense University. He's taught at senior leader colleges in both the United States and United Kingdom, and has been a continuing guest lecturer at the UK's Defence Academy. He served as adviser to the UK's Joint Intelligence Committee, Ministry of Justice, and Defence Science and Technology Laboratories on the national and personal security implications of science and technology policy; this led to him sometimes being known as the UK's nonresident expert on outer space law.

Currently he is an assistant professor of Applied Information Technologies in the College of Business at Embry-Riddle Aeronautical University – Worldwide, where he is the change leader and academic visionary behind bringing the Microsoft Software and Systems Academy program into ERAU's classrooms at 13 locations around the United States. Prior to this, Mike helped create two new MS degrees—Information Security and Assurance, and Management of Information Systems—and was program chair of both during their launch and first year of teaching. He also taught in Worldwide's Security and Intelligence Studies program during its 2005 launch in ERAU's European Division.

Mike and his wife Nancy currently call Montevideo, Uruguay, their home. Living abroad since the end of the last century, they find new perspectives, shared values, and wonderful people wherever they go. As true digital nomads, it's getting time to move again. Where to? They'll find out when they get there.

Foreword

Welcome to the (ISC)² SSCP Systems Security Certified Practitioner Official Study Guide, Second Edition! The global cybersecurity talent gap represents a huge opportunity for you to leverage your information technology skills to help protect your organization’s infrastructure, information, systems, and processes and to improve and grow in your professional journey.

The Systems Security Certified Practitioner is a foundational certification that demonstrates you have the advanced technical skills and knowledge to implement, monitor, and administer IT infrastructure using security best practices, policies, and procedures established by the cybersecurity experts at (ISC)² for protecting critical assets. This book will guide you through the seven subject area domains on which the SSCP exam will test your knowledge. Step by step, it will cover the fundamentals involved in each topic and will gradually build toward more focused areas of learning in order to prepare you.

The SSCP is a mark of distinction that hiring managers look for when recruiting for roles that include cybersecurity responsibilities. Your pursuit and maintenance of this credential demonstrates that you have the knowledge and the drive to meet a recognized standard of excellence.

Whether you are brand new to the field or just want a refresher on the core tenets of cybersecurity, this guide will help you build a solid understanding of the technical, physical, administrative and legal aspects of the information security and assurance profession, as well as the ethical fidelity required of the SSCP.

I hope that you will find the (ISC)² SSCP Systems Security Certified Practitioner Official Study Guide, Second Edition to be an informative and helpful tool and wish you great success in your preparation and your professional growth.

Sincerely,

David P. Shearer, CISSP

CEO, (ISC)²