# CISSP - ISSAP (Information Systems Security Architecture Professional)

陳詰昌 power.shell@gmail.com

# Course Outline

[Exam Outline](https://www.isc2.org/-/media/Project/ISC2/Main/Media/documents/exam-outlines/ISSAP-Exam-Outline-November-2020-English.pdf?rev=a134a03e24c64afea88f7675e4b8e8bc&hash=5C03AA616995C6876BA0A68BEB435F5F)

* Domain 1. Architect for Governance, Compliance and Risk Management 17%
* Domain 2. Security Architecture Modeling 15%
* Domain 3. Infrastructure Security Architecture 21%
* Domain 4. Identity and Access Management (IAM) Architecture 16%
* Domain 5. Architect for Application Security 13%
* Domain 6. Security Operations Architecture 18%

# Flash Cards

1. [D1 flash cards](https://www.isc2.org/certifications/issap/issap-self-study-resources/issap-flash-cards-1)
2. [D2 flash cards](https://www.isc2.org/certifications/issap/issap-self-study-resources/issap-flash-cards-2)
3. [D3 flash cards](https://www.isc2.org/certifications/issap/issap-self-study-resources/issap-flash-cards-3)
4. [D4 flash cards](https://www.isc2.org/certifications/issap/issap-self-study-resources/issap-flash-cards-4)
5. [D5 flash cards](https://www.isc2.org/certifications/issap/issap-self-study-resources/issap-flash-cards-5)
6. [D6 flash cards](https://www.isc2.org/certifications/issap/issap-self-study-resources/issap-flash-cards-6)

# Domain 1

## 1.1 Determine legal, regulatory, organizational and industry requirements

* Determine applicable information security standards and guidelines
* Identify third-party and contractual obligations (e.g., supply chain, outsourcing, partners)
* Determine applicable sensitive/personal data standards, guidelines and privacy regulations
* Design for auditability (e.g., determine regulatory, legislative and forensic requirements, segregation, high assurance systems)
* Coordinate with external entities (e.g., law enforcement, public relations, independent assessor)

## 1.2 Manage Risk

* Identify and classify risks
* Assess risk
* Recommend risk treatment (e.g., mitigate, transfer, accept, avoid)
* Risk monitoring and reporting

# Domain 2

## 2.1 Identify security architecture approach

* Types and scope (e.g., enterprise, network, Service-Oriented Architecture (SOA), cloud, Internet of Things (IoT), Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA))
* Frameworks (e.g., Sherwood Applied Business Security Architecture (SABSA), Service-Oriented Modeling Framework (SOMF))
* Reference architectures and blueprints
* Security configuration (e.g., baselines, benchmarks, profiles)
* Network configuration (e.g., physical, logical, high availability, segmentation, zones)

## 2.2 Verify and validate design (e.g., Functional Acceptance Testing (FAT), regression)

* Validate results of threat modeling (e.g., threat vectors, impact, probability)
* Identify gaps and alternative solutions
* Independent Verification and Validation (IV&V) (e.g., tabletop exercises, modeling and simulation, manual review of functions)

# Domain 3

## 3.1 Develop infrastructure security requirements

* On-premise, cloud-based, hybrid
* Internet of Things (IoT), zero trust

## 3.2 Design defense-in-depth architecture

* Management networks
* Industrial Control Systems (ICS) security
* Network security
* Operating systems (OS) security
* Database security
* Container security
* Cloud workload security
* Firmware security
* User security awareness considerations

## 3.3 Secure shared services (e.g., wireless, e-mail, Voice over Internet Protocol (VoIP), Unified Communications (UC), Domain Name System (DNS), Network Time Protocol (NTP))

## 3.4 Integrate technical security controls

* Design boundary protection (e.g., firewalls, Virtual Private Network (VPN), air gaps, software-defined perimeters, wireless, cloud-native)
* Secure device management (e.g., Bring Your Own Device (BYOD), mobile, server, endpoint, cloud instance, storage)

## 3.5 Design and integrate infrastructure monitoring

* Network visibility (e.g., sensor placement, time reconciliation, span of control, record compatibility)
* Active/passive collection solutions (e.g., SPAN port, port mirroring, tap, inline, flow logs)
* Security analytics (e.g., Security Information and Event Management (SIEM), log collection, machine learning, User Behavior Analytics (UBA))

## 3.6 Design infrastructure cryptographic solutions

* Determine cryptographic design considerations and constraints
* Determine cryptographic implementation (e.g., in-transit, in-use, at-rest)
* Plan key management lifecycle (e.g., generation, storage, distribution)

## 3.7 Design secure network and communication infrastructure (e.g., Virtual Private Network (VPN), Internet Protocol Security (IPsec), Transport Layer Security (TLS))

## 3.8 Evaluate physical and environmental security requirements

* Map physical security requirements to organizational needs (e.g., perimeter protection and internal zoning, fire suppression)
* Validate physical security controls

# Domain 4

## 4.1 Design identity management and lifecycle

* Establish and verify identity
* Assign identifiers (e.g., to users, services, processes, devices)
* Identity provisioning and de-provisioning
* Define trust relationships (e.g., federated, standalone)
* Define authentication methods (e.g., Multi-Factor Authentication (MFA), risk-based, location-based, knowledge-based, object-based, characteristics-based)
* Authentication protocols and technologies (e.g., Security Assertion Markup Language (SAML), Remote Authentication Dial-In User Service (RADIUS), Kerberos)

## 4.2 Design access control management and lifecycle

* Access control concepts and principles (e.g., discretionary/mandatory, segregation/Separation of Duties (SoD), least privilege)
* Access control configurations (e.g., physical, logical, administrative)
* Authorization process and workflow (e.g., governance, issuance, periodic review, revocation)
* Roles, rights, and responsibilities related to system, application, and data access control (e.g., groups, Digital Rights Management (DRM), trust relationships)
* Management of privileged accounts
* Authorization (e.g., Single Sign-On (SSO), rule-based, role-based, attribute-based)

## 4.3 Design identity and access solutions

* Access control protocols and technologies (e.g., eXtensible Access Control Markup Language (XACML), Lightweight Directory Access Protocol (LDAP))
* Credential management technologies (e.g., password management, certificates, smart cards)
* Centralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
* Decentralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
* Privileged Access Management (PAM) implementation (for users with elevated privileges)
* Accounting (e.g., logging, tracking, auditing)

# Domain 5

## 5.1 Integrate Software Development Life Cycle (SDLC) with application security architecture (e.g., Requirements Traceability Matrix (RTM), security architecture documentation, secure coding)

* Assess code review methodology (e.g., dynamic, manual, static)
* Assess the need for application protection (e.g., Web Application Firewall (WAF), anti-malware, secure Application Programming Interface (API), secure Security Assertion Markup Language (SAML))
* Determine encryption requirements (e.g., at-rest, in-transit, in-use)
* Assess the need for secure communications between applications and databases or other endpoints
* Leverage a secure code repository

## 5.2 Determine application security capability requirements and strategy (e.g., open source, Cloud Service Providers (CSP), Software as a Service (SaaS)/Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) environments)

* Review security of applications (e.g., custom, Commercial Off-the-Shelf (COTS), in-house, cloud)
* Determine application cryptographic solutions (e.g., cryptographic Application Programming Interface (API), Pseudo Random Number Generator (PRNG), key management)
* Evaluate applicability of security controls for system components (e.g., mobile and web client applications; proxy, application, and database services)

## 5.3 Identify common proactive controls for applications (e.g., Open Web Application Security Project (OWASP))

# Domain 6

## 6.1 Gather security operations requirements (e.g., legal, compliance, organizational, and business requirements)

## 6.2 Design information security monitoring (e.g., Security Information and Event Management (SIEM), insider threat, threat intelligence, user behavior analytics, Incident Response (IR) procedures)

* Detection and analysis
* Proactive and automated security monitoring and remediation (e.g., vulnerability management, compliance audit, penetration testing)

## 6.3 Design Business Continuity (BC) and resiliency solutions

* Incorporate Business Impact Analysis (BIA)
* Determine recovery and survivability strategy
* Identify continuity and availability solutions (e.g., cold, warm, hot, cloud backup)
* Define processing agreement requirements (e.g., provider, reciprocal, mutual, cloud, virtualization)
* Establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
* Design secure contingency communication for operations (e.g., backup communication channels, Out-of-Band (OOB))

## 6.4 Validate Business Continuity Plan (BCP)/Disaster Recovery Plan (DRP) architecture

## 6.5 Design Incident Response (IR) management

* Preparation (e.g., communication plan, Incident Response Plan (IRP), training)
* Identification
* Containment
* Eradication
* Recovery
* Review lessons learned