With a legacy spanning decades, the CISSP certification has earned its place as a requirement for mid- to senior-level information security professionals. It is a much needed certification for unlocking the highest paying jobs in the industry. See below for CISSP 2018 Update exam details.

What is it worth? If you've been a hands-on admin for most of your career, you'll find this certification process frustrating. It becomes worth it on the other side, when it starts opening doors for you. Don't be surprised if you start getting hits from recruiters after getting this certification. Part of the reason is that you need 5 years of experience and must meet their endorsement requirements before you finally hold the certification in your hand.

Exam Structure

  • Number of Questions: 100 questions (150 max)
  • Duration: 180 minutes, which works out to between a little over one minute and a little under two minutes per question, depending on the length of your exam
  • Score Range: 100-1000
  • Passing Score: 700 (70%, not including experimental questions)
  • Types of Questions:
    • Multiple Choice – can have more than one answer
    • Ordering – place blocks of text in order
    • Matching – match text on left to text on right

Exam Domains

  1. Security and Risk Management 15%
  2. Asset Security 10%
  3. Security Architecture and Engineering 13%
  4. Communication and Network Security 14%
  5. Identity and Access Management (IAM) 13%
  6. Security Assessment and Testing 12%
  7. Security Operations 13%
  8. Software Development Security 10%

Exam History

The CISSP was first created in 1994. Since release, over 130,000 professionals have earned their CISSP certification in over 170 different countries.

In June of 2004, the certification was accredited under ISO/IEC 17024:2003. This is the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard for personnel certification.

The CISSP is also an approved certification by the Department of Defense (DoD) to satisfy the DoD 8570 and DoD 8140 directives.

Source: Wikipedia

Study Notes

A current overview of the (ISC)² CISSP 2018 Update exam.

  1. Security and Risk Management
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communication and Network Security
  5. Identity and Access Management (IAM)
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

Exam Tips

This exam mostly evaluates your comprehension of theories and concepts, but you occasionally need to know technical information. It is not a technical certification, though. Don't expect any hands-on, lab-style questions about implementing enterprise solutions: you aren't being tested as the tech or engineer.

Similarly to CompTIA exams, this exam is vendor neutral but specific products may be mentioned. Unlike CompTIA exams, you must answer questions before moving on since you can't return to flagged questions.

Take your time and read each question thoroughly, as the correct selection may not be the technically right answer but the best choice among the 4 listed multiple choice options.

After the Exam

  • Requires endorsement from an existing CISSP holder in good standing. Visit the Endorsement Application page after getting notified via email that you passed.
  • If you're not sure whether you have the required 5 years of experience, check out their Experience Requirements page for more details. You'll be surprised at everything that can waive a year of experience.
  • Requires 40 Continuing Professional Education (CPE) credits every year after passing the exam.
  • Annual Maintenance Fees (AMF) start applying right after passing.

Likely Jobs

  • Security Analyst
  • Security Auditor
  • Security Systems Engineer or Architect
  • Network Engineer or Architect
  • Security Consultant
  • IT and Security Manager
  • IT and Security Officer (ISO)
  • IT and Security Director
  • Chief Information Officer
  • Chief Security Officer
  • Chief Information Security Officer

Obviously, if you barely qualify for the certification with the minimum 5 years of experience, you won't be first in line for the director or executive positions. But you can at least identify and forge a path.

Your best bet may be to look for architecture, network team lead, or security analyst roles, where experience and certifications scale well and the CISSP is a strong differentiator. Strong sectors include funded startups, government contracting, and bank contracting.

CISSP Term Definitions Addendum

Term Definition
AAA Authentication, Authorization, Accounting refers to a family of protocols that mediate network access. Two network protocols providing this functionality are particularly popular: RADIUS and Diameter.
ABAC Attribute Based Access Control, also known as Policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together.
Accountability In ethics and governance, accountability is answerability, blameworthiness, liability, and the expectation of account-giving. In IT, it is achieved through a strong identification and authentication system together with a non-modifiable log system, which provide non-repudiation.
ACM Access Control Matrix is a way of representing the rights a set of subjects have on a set of objects. It is represented as a table.
AES Advanced Encryption Standard, is a specification for the encryption of electronic data established by the NIST in 2001. Discussed in domain 3.
AFH Adaptive Frequency Hopping is the FHSS method used in Bluetooth.
ALE Annualized Loss Expectancy is the third and final step of the quantitative assessment; it combines the potential loss per occurrence with the rate of occurrence per year to determine the magnitude of the risk.
AV Asset Value is the cost of an asset in dollars. Discussed in Chapter 1.
AH Authentication Header is a member of the IPsec protocol suite.
APIPA Automatic Private IP Addressing is a protocol for obtaining an IP address when no DHCP server is available. It automatically chooses an IP address in the range to
ARO Annualized Rate of Occurrence is an estimate of how often a threat would be successful in exploiting a vulnerability.
ARP Address Resolution Protocol is used to resolve IP addresses to MAC addresses.
ASLR Address Space Layout Randomization increases the security of an OS or a piece of software by randomizing the address space positions of key data areas of a process.
ATM Asynchronous Transfer Mode is a standard for the carriage of traffic. It uses fixed-size packets (cells).
BCP Business Continuity Planning is the process of creating systems of prevention and recovery to deal with potential threats to a company.
BIA Business Impact Analysis differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities.
BRP Business Recovery Planning, a subset of DRP, focuses on returning to normal business after recovering from a disaster.
BYOD Bring Your Own Device is a policy that allows users to connect their own devices to the company's network.
CALEA Communications Assistance for Law Enforcement Act, signed under President Clinton in 1994. CALEA's purpose is to enhance the ability of law enforcement agencies to conduct lawful interception of communications by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in capabilities for targeted surveillance.
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart.
CBC Cipher Block Chaining mode employs an IV and chaining to destroy ciphertext patterns. Because CBC works in block mode, it decrypts a message one block at a time.
CCTA Central Computer and Telecommunication Agency, the UK's agency that created ITIL.
CC Common Criteria is an international standard (ISO/IEC 15408) for computer security certification.
CCMP Counter Mode Cipher Block Chaining Message Authentication Code Protocol is an encryption protocol designed for Wireless LAN products that implements the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is a cryptographic encapsulation mechanism based upon the Counter Mode with CBC-MAC of the Advanced Encryption Standard (AES) standard. It was created to address the vulnerabilities presented by Wired Equivalent Privacy (WEP), a dated, insecure protocol.
CCTV Closed Circuit Television.
CER Crossover Error Rate is the point at which the FRR and the FAR are equal.
CFAA Computer Fraud and Abuse Act is a bill enacted in 1984. The CFAA prohibits access to a system without authorization. Before this law, computer or network related crime was prosecuted as mail and wire fraud.
CFCE Certified Forensic Computer Examiner is a certification in computer forensics.
CFB Cipher FeedBack is a block cipher mode that uses a memory buffer to work on same-size blocks. It has fallen out of use because each block must wait for the previous one to be encoded. The Cipher Feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher.
CFTT Computer Forensics Tool Testing is a NIST project whose goal is to establish a methodology for testing computer forensic software tools by developing general tool specifications, test procedures, test criteria, test sets, and test hardware.
CHAP Challenge Handshake Authentication Protocol is used to authenticate a user or network host to an authenticating entity. That entity may be, for example, an Internet service provider.
CISSP Certified Information Systems Security Professional.
CMDB Configuration Management DataBase
CMM Capability Maturity Model
CMS Configuration Management System is a systems engineering process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.
Cognitive Password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. Typical questions are along the lines of “What was the name of your first pet?”.
COOP Continuity Of Operations Plan focuses on maintaining the business during a disaster.
COPPA Children's Online Privacy Protection Act of 1998 is a law about the privacy of children under the age of 13.
COBIT Control Objectives for Information and Related Technologies is a good-practice framework created by international professional association ISACA for information technology management and IT governance.
Covert Channel In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.
CPA Critical Path Analysis (or sometimes Critical Path Method (CPM)) is an algorithm for scheduling a set of project activities. It is commonly used in conjunction with the program evaluation and review technique (PERT).
CPPT Continuity Planning Project Team should represent all the stakeholders in the organization, such as HR, the IT department, the physical security department, public relations, and all other personnel responsible for effective business.
CRL Certificate Revocation List is “a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted”.
CSMA/CA Carrier Sense Multiple Access with Collision Avoidance is used by WiFi 802.11.
CSMA/CD Carrier Sense Multiple Access with Collision Detection is used by Ethernet.
CTR Counter is a stream cipher mode (described here for DES) that uses a 64-bit counter as feedback. It does not propagate errors.
CVE Common Vulnerabilities and Exposures system provides a reference method for publicly known information-security vulnerabilities and exposures. The MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.
CVSS Common Vulnerability Scoring System is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
CYOD Choose Your Own Device is a business trend and phenomenon designed to give an organization more control over the devices that employees use to handle company data. With CYOD, an organization allows employees to select from specified devices for business usage.
DAC Discretionary Access Control is an Access Control system in which access to an object is granted based on the subject, or the group to which the subject belongs.
DCCP Datagram Congestion Control Protocol
DCE Data Circuit-terminating Equipment is a device that sits between the data terminal equipment (DTE) and a data transmission circuit. It is also called data communication(s) equipment and data carrier equipment. Usually, the DTE device is the terminal (or computer), and the DCE is a modem.
DDOS Distributed Denial Of Service attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.
DES Data Encryption Standard is a symmetric-key algorithm for the encryption of electronic data.
Diffie Hellman is a method of securely exchanging cryptographic keys over a public channel.
DMCA Digital Millennium Copyright Act, is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works (commonly known as digital rights management or DRM).
DREAD Damage, Reproducibility, Exploitability, Affected users, Discoverability is part of a system for risk-assessing computer security threats, previously used at Microsoft and currently used by OpenStack and other organizations, although it was abandoned by its creators.
DRM Digital Rights Management.
DRP Disaster Recovery Plan is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.
DSA Digital Signature Algorithm is a FIPS standard for digital signatures.
DSS Digital Signature Standard is a FIPS specifying a suite of algorithms that can be used to generate digital signatures established by the NIST.
DTE Data Terminal Equipment is an end instrument that converts user information into signals or reconverts received signals. These can also be called tail circuits. Usually, the DTE device is the terminal (or computer), and the DCE is a modem.
EAL Evaluation Assurance Level, in the CC, is the rating level assigned to the Target Of Evaluation.
ECB Electronic Code Book is an encryption mode, used by DES for example. The disadvantage of this method is a lack of diffusion. Because ECB encrypts identical plaintext blocks into identical ciphertext blocks, it does not hide data patterns well. In some senses it does not provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.
ECDSA Elliptic Curve Digital Signature Algorithm is a variant of DSA that uses elliptic curves.
ECPA Electronic Communications Privacy Act is a law enacted in 1986 to extend restrictions on wiretapping.
EDRM Electronic Discovery Reference Model is a ubiquitous diagram that represents a conceptual view of these stages involved in the e-discovery process. Electronic discovery (also e-discovery or ediscovery) refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format (often referred to as electronically stored information or ESI).
EF Exposure Factor is the subjective, potential percentage (sometimes noted as 0.8 for 80%) of loss to a specific asset if a specific threat is realized. Discussed in Chapter 1.
EMI Electromagnetic Interference also called RFI when in the radio frequency spectrum, is a disturbance generated by an external source that affects an electrical circuit by electromagnetic induction, electrostatic coupling, or conduction.
ESP Encapsulating Security Payload is a member of the IPsec protocol suite.
E0 is a stream cipher used in the Bluetooth protocol. It generates a sequence of pseudorandom numbers and combines it with the data using the XOR operator. The key length may vary, but is generally 128 bits. It's a weak cipher.
E2EE End to End Encryption is a system of communication where only the communicating users can read the messages.
FAR False Accept Rate is in biometrics the probability of type II errors or false match rate (FMR).
FCRA Fair Credit Reporting Act was one of the first instances of data protection law passed in the computer age. Key among these innovations was the determination that there should be no secret databases that are used to make decisions about a person's life.
FEMA Federal Emergency Management Agency's purpose is to coordinate the response to a disaster that has occurred in the United States and that overwhelms the resources of local and state authorities. The governor of the state in which the disaster occurs must declare a state of emergency and formally request from the president that FEMA and the federal government respond to the disaster.
FERPA Family Educational Rights and Privacy Act covers the right of parents to have access to their child's education data.
FHSS Frequency Hopping Spread Spectrum is a method of changing frequency during a communication, using a sequence known only to the authorized device/person. Bluetooth does this through AFH.
FIPS Federal Information Processing Standards are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors. FIPS publications do not apply to national security systems (as defined in FISMA). FIPS publications may be adopted and used by non-federal government organizations and private sector organizations.
FISA Foreign Intelligence Surveillance Act regulates the use of electronic surveillance.
FISMA Federal Information Security Management Act. A 2002 Act. The act recognized the importance of information security to the economic and national security interests of the United States.
FM200 is a gas used in datacenters to extinguish fires without destroying the equipment.
Fraggle Attack is a DDOS based on UDP and spoofing of the target's IP.
Frame Relay is a standardized technology that specifies the physical and data link layers of digital telecommunications channels using a packet switching methodology.
FRR False Reject Rate is in biometrics the probability of type I errors or false non-match rate (FNMR).
GDPR General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
GLBA Gramm–Leach–Bliley Act repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the bipartisan passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate.
HIDS Host-based Intrusion Detection System is an IDS installed on a host.
HIPAA Health Insurance Portability and Accountability Act was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.
HITECH Health Information Technology for Economic and Technical Health is an act that adds new regulations and compliance requirements to the HIPAA act.
HMAC Hash-based Message Authentication Code is a message authentication code computed from a cryptographic hash function and a secret key.
HTTP HyperText Transfer Protocol, OSI layer 7 protocol
IACIS International Association of Computer Investigative Specialists has been providing computer Forensic Training for over 27 years.
HVAC Heating, Ventilation and Air Conditioning.
IaaS Infrastructure as a Service is when a provider allows the customer to install VMs, manage the network, etc.
IANA Internet Assigned Numbers Authority is a function of ICANN, a nonprofit private American corporation that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and Internet numbers.
IDEAL Initial Diagnose Establish Action Leverage
IDS Intrusion Detection System.
IEEE Institute of Electrical and Electronic Engineers.
IEEE 802 Institute of Electrical and Electronic Engineers 802 is a family of IEEE standards dealing with local area networks and metropolitan area networks.
IEEE 802.11 is part of the IEEE 802 set of LAN protocols, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing WLAN, Wi-Fi.
IEEE 802.15 covers Bluetooth.
IKE Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite.
IPComp IP Payload Compression Protocol is a low level compression protocol for IP datagrams.
IPS Intrusion Prevention System.
IPsec IP Security is a secure network protocol suite that authenticates and encrypts the packets of data sent over an internet protocol network.
ISA Interconnect Security Agreement.
ITADA Identity Theft and Assumption Deterrence Act amends the federal statute on “fraud related to activity in connection with identification documents, authentication features, and information”. The statute now makes it a federal crime to “knowingly transfer, possess, or use without lawful authority” any “means of identification”, alongside unlawful possession of identification documents.
ITIL Information Technology Infrastructure Library is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. It was created in the 1980s by the CCTA at the request of the UK government.
ITSEC Information Technology Security Evaluation Criteria, is a structured set of criteria for evaluating computer security within products and systems. The ITSEC was first published in May 1990 in France, Germany, the Netherlands, and the United Kingdom based on existing work in their respective countries.
ITU International Telecommunication Union is a specialized agency of the United Nations (UN) that is responsible for issues that concern information and communication technologies.
ISACA Information Systems Audit and Control Association is an international professional association focused on IT governance. It created COBIT.
ISAKMP Internet Security Association and Key Management Protocol is a protocol defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet environment.
(ISC)² International Information Systems Security Certification Consortium, a non-profit group with the primary goal to provide training and certifications in the IT Security field. www.isc2.org
ITAM IT Asset Management introduces financial aspects of the asset – cost, value and contractual status. ITAM also refers to full lifecycle management of the asset. ITAM is designed to manage the physical, contractual and financial aspects of the asset.
IV Initialization vector.
KDC Key Distribution Center is the authentication server in a Kerberos network.
L2TP Layer 2 Tunneling Protocol is a Layer 2 tunneling protocol used to support VPNs or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy.
LCP Link Control Protocol, forms part of the PPP, within the family of Internet protocols. In setting up PPP communications, both the sending and receiving devices send out LCP packets to determine the standards of the ensuing data transmission.
LLC Logical Link Control is a layer 2 protocol that allows multiple protocols on the same network medium. It is IEEE 802.2.
MAC Mandatory Access Control is an Access Control system based on data classification and labels. The famous “Top Secret” label comes from here.
MD5 Message Digest 5, a hashing algorithm producing a 128-bit output.
MIC Message Integrity Check is an integrity control used in WPA.
MTD Maximum Tolerable Downtime is the longest period of time a resource can be unavailable without causing irreparable harm to the business.
NAC Network Access Control is a technology that allows access to the network only if the device fulfils the requirements (OS version, AV up to date, etc.). If a device fails these requirements, a remediation page may be displayed to allow the user to resolve the issue.
NAT-PT Network Address Translation/Protocol Translation (NAT-PT) is defined in RFC 2766 but due to numerous problems, it has been obsoleted by RFC 4966 and deprecated to historic status.
NDA Non-Disclosure Agreement.
NFPA National Fire Protection Association is a United States trade association, albeit with some international members, that creates and maintains private, copyrighted standards and codes for usage and adoption by local governments. The association was formed in 1896 by a group of insurance firms.
NIDS Network Intrusion Detection System is an IDS installed on the network, generally on a promiscuous port, so that it does not disrupt traffic.
NIFC National Interagency Fire Center in Boise, Idaho is the physical facility which is the home to the National Interagency Coordination Center (NICC), and the National Multi-Agency Coordination group (NMAC or MAC).
NIPS Network Intrusion Prevention System is an IPS installed on the network, generally inline so that it can modify the traffic according to its policy.
NIST National Institute of Standards and Technology.
NSA National Security Agency.
OASIS Organization for the Advancement of Structured Information Standards is a global nonprofit consortium that works on the development, convergence, and adoption of open standards for security, Internet of Things, energy, content technologies, emergency management, and other areas.
OCTAVE Operationally Critical Threat, Asset and Vulnerability Evaluation approach defines a risk-based strategic assessment and planning technique for security.
OSI Open Systems Interconnection model
OFB Output Feedback mode makes a block cipher into a synchronous stream cipher. It generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption.
OFDM Orthogonal Frequency Division Multiplexing is a method of encoding digital data on multiple carrier frequencies. OFDM has developed into a popular scheme for wideband digital communication, used in applications such as digital television and audio broadcasting, DSL internet access, wireless networks, power line networks, and 4G mobile communications.
OCSP Online Certificate Status Protocol is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track.
OWASP Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.
PaaS Platform as a Service is when a provider allows the customer to develop, run and manage applications without having to manage the infrastructure (OS, network, etc.).
PAN Personal Area Network
PASTA Process for Attack Simulation and Threat Analysis is a seven-step, risk-centric methodology. Discussed in domain 1.
PCI DSS Payment Card Industry Data Security Standard
PEAP Protected Extensible Authentication Protocol also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated TLS tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.
PEM Privacy-Enhanced Mail is a de facto file format for storing and sending cryptographic keys, certificates, and other data.
PGP Pretty Good Privacy is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. It uses a web of trust.
PHI Protected Health Information, under the US law is any information about health status, provision of health care, or payment for health care.
PII Personally Identifiable Information is information that allows an individual to be identified, or gives personal information about an individual.
PKI Public Key Infrastructure.
PP Protection Profile, in the CC, is a set of security requirements that describes the TOE.
PPP Point to Point Protocol is a layer 2 protocol used to establish a direct connection between two devices. PPP is a successor for SLIP.
PPTP Point to Point Tunneling Protocol is an obsolete method for implementing virtual private networks. PPTP has many well known security issues.
P2PE Point to Point Encryption is a standard created by the PCI.
RADIUS Remote Authentication Dial-In User Service is a networking protocol, operating on port 1812 that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.
RAID Redundant Array of Independent Disks.
RARP Reverse Address Resolution Protocol translates a MAC address into an IP address.
RBAC Role-Based Access Control is a security model defined around roles and privileges. Sometimes RBAC can mean “Rule Based Access Control”. A firewall is a rule based access control.
Repudiation is the ability to deny something. In IT, it is the ability to deny that a user has done an action. The goal is to obtain non-repudiation, i.e. to be able to prove that a user has done an action.
RFI Radio-Frequency Interference, is a disturbance generated by an external source that affects an electrical circuit by electromagnetic induction, electrostatic coupling, or conduction.
RPC Remote Procedure Call is when a computer program causes a procedure (subroutine) to execute in a different address space (commonly on another computer on a shared network).
RPO Recovery Point Objective is the amount of data loss or system unavailability, measured in time, a system or a company can endure. Recovery Point Objective is also the maximum sustainable data loss based on backup schedules and recovery.
RSA Rivest–Shamir–Adleman is one of the first public-key cryptosystems and is widely used for secure data transmission.
RSN Robust Security Network is another name for WPA2.
RTO Recovery Time Objective is the acceptable amount of time to restore the function.
SA Security Association is the sharing of the parameters of a VPN between the two sides to create the connection.
SaaS Software as a Service is when a provider allows the customer to use software through the web or other means; the customer manages nothing and just uses the application.
SABSA Sherwood Applied Business Security Architecture. SABSA is a framework and methodology for enterprise security architecture and service management.
SAML Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
SCAP Security Content Automation Protocol is a NIST naming convention to describe security vulnerabilities.
SCTP Stream Control Transmission Protocol
SDLC System Development Life Cycle or Software Development Life Cycle. It's stated in the Sybex book that there is no distinction made about it for CISSP.
SET Secure Electronic Transaction is a communications protocol standard for securing credit card transactions over networks, specifically, the Internet.
SEAL Software-optimized Encryption Algorithm is a stream cipher optimized for machines with a 32-bit word size and plenty of RAM.
SHA-1 Secure Hash Algorithm 1 is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest. Deprecated. Discussed in chapter 3.
SHA-2 Secure Hash Algorithm 2 is a set of cryptographic hash functions designed by the United States National Security Agency (NSA).
S-HTTP Secure HyperText Transfer Protocol is an obsolete alternative to the HTTPS protocol for encrypting web communications carried over HTTP. Discussed in chapter 3.
SIEM Security Information and Event Management is a family of tools that do monitoring, reporting, notification, correlation of events, etc.
SLA Service Level Agreement is a commitment between a service provider and a client. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user.
SLE Single Loss Expectancy is the monetary value expected from a single occurrence of a risk on an asset. It's calculated as SLE = AV × EF.
S/MIME Secure/Multipurpose Internet Mail Extension is a standard for public key encryption and signing of MIME data.
SMTP Simple Mail Transfer Protocol, OSI layer 7 protocol
Smurf Attack is a distributed denial-of-service attack based on ICMP and spoofing of the target's IP address.
SNMA Solicited-Node Multicast Address, used in IPv6 in place of ARP.
SOC System and Organization Controls reports are audit reports of a company, following the standard defined in SSAE 16.
SOX Sarbanes-Oxley Act of 2002 is mandatory. ALL organizations, large and small, MUST comply. SOX is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms.
SPIT Spam over Internet Telephony is unsolicited calls made using VoIP.
SQL Structured Query Language, OSI layer 5 protocol
SSL Secure Sockets Layer. Developed in the early 1990s by Netscape, it has now been replaced by TLS. The last version, SSL 3.0, is deprecated due to security weaknesses. Although it runs over TCP, it is still an OSI layer 4 protocol.
ST Security Target is the document describing the TOE and its security requirements in the CC evaluation process.
TACACS Terminal Access Controller Access-Control System refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server.
TOE Target of Evaluation, in the CC, is the tested product.
TCP Transmission Control Protocol
TGS Ticket-Granting Service issues tickets and session keys to the client.
TGT Ticket-Granting Ticket, in Kerberos, is a timestamped and encrypted ticket granted by the KDC. The TGT is sent to the TGS each time the user wants to reach a new resource.
TLS Transport Layer Security
TPM Trusted Platform Module (also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.
TCB Trusted Computing Base is the set of all hardware, firmware, and/or software components that are critical to the system security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system.
TCSEC Trusted Computer System Evaluation Criteria is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. No longer used, but it is the model for other security evaluation methods, such as ITSEC.
UDP User Datagram Protocol
UPS Uninterruptible Power Supply is an electrical apparatus that provides emergency power to a load when the input power source or mains power fails.
USA PATRIOT Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. In response to the September 11 attacks, Congress swiftly passed legislation to strengthen national security.
USPTO United States Patent and Trademark Office.
VAST Visual, Agile and Simple Threat modeling.
VPN Virtual Private Network
WAN Wide Area Network is a telecommunications network or computer network that extends over a large geographical area.
WPA2 Wi-Fi Protected Access 2 is a security protocol and certification program developed by the Wi-Fi Alliance to secure wireless computer networks.
XACML eXtensible Access Control Markup Language defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies. It's used mainly in SDN.
XCCDF Extensible Configuration Checklist Description Format is an XML format specifying security checklists, benchmarks and configuration documentation. It's part of the SCAP. XCCDF development is being pursued by NIST, the NSA, The MITRE Corporation, and the US Department of Homeland Security.
XSRF Cross-Site Request Forgery, also known as one-click attack or session riding and abbreviated as CSRF. It works by having a user click a forged link pointing to a site where the user already has an open session.
XOR Exclusive OR, a boolean operator that returns true only when its inputs differ.
X.400 is a suite of ITU-T Recommendations that define standards for Data Communication Networks for Message Handling Systems (MHS), more commonly known as email. It has been replaced by SMTP.
X.500 is a series of computer networking standards covering electronic directory services. The X.500 series was developed by ITU-T, formerly known as CCITT, and first approved in 1988. The directory services were developed to support the requirements of X.400 electronic mail exchange and name lookup. It has largely been replaced by LDAP.
X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL.