CISSP Certification: CISSP Domain 1 & 2 Boot Camp 2025 Exam
*Updated for the 2024 CISSP curriculum and exam. We do in-place updates, meaning you get any future exam updates for free.*
Welcome, I am Thor Pedersen, here to help you pass your CISSP certification and advance your career.
Get your CISSP certification, the gold standard in IT Security, and unlock career opportunities with an average salary of over $119,000 in the US.
There are over 74,000 CISSP job openings, so now is the perfect time to get certified.
Join the more than 660,000 enrollments from 201 countries in my “Best Selling” and “Highest Rated” CISSP, CISM, and Certified in Cybersecurity (CC) courses here on Udemy.
I think my courses are fantastic but don’t just take my word for it. Here’s what some of my other students have to say about them:
- Thor’s videos played a major factor in my ability to pass. I cannot recommend them enough! (Blair, ★★★★★)
- I passed the CISSP with the ISC Book and Thor’s lectures and practice questions. Enough said! (Warren, ★★★★★)
- Thor the Legend Pedersen! His course material here, his training site, which has other supplementary stuff, and his Facebook channel all helped me in passing my CISSP. (Kenny, ★★★★★)
- This content helped me pass my CISSP first time! It was the main material I used for studying! Very helpful! (Duncan, ★★★★★)
- This course assisted me in successfully passing the CISSP Exam! Highly recommend! (Patrick, ★★★★★)
- Hi Thor, I used your test and videos and passed the exam at first attempt. (Shan, ★★★★★)
Join our community of successful students and reach your certification goals!
When you buy this course you get all this:
- 9 hours of CISSP videos: Covering the CISSP Domain 1 and 2 exam topics.
- 44-page PDF CISSP study guides: Detailed guides made from our lectures.
- 15-page PDF Quick Sheets: For your review sessions.
- 2-page PDF CISSP Mnemonics: Memory aids to help you remember key concepts.
- 60 Domain 1-2 practice questions: Test your knowledge with 30 questions from each domain.
- 54 topic-specific questions: Reaffirm your knowledge after each major topic.
- 102 website links: Additional resources to deepen your understanding of Domain 1 and 2 topics.
- Subtitles in multiple languages: English, Spanish (Latin America), Portuguese (Brazil), French, Arabic, Japanese, Chinese, and Hindi.
- An automatic certificate of completion: Hang it on your wall or use it for CEUs/PDUs (9 CEUs).
- 30-day money-back guarantee: No questions asked.
- Lifetime access to the course and all future updates.
- Offline video viewing: Available on the Udemy mobile apps.
In Domain 1 we cover:
1.1 Understand, adhere to, and promote professional ethics
1.2 Understand and apply security concepts
1.3 Evaluate, apply, and sustain security governance principles
1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
1.5 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
1.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
1.8 Contribute to and enforce personnel security policies and procedures
1.9 Understand and apply risk management concepts
1.10 Understand and apply threat modeling concepts and methodologies
1.11 Apply supply chain risk management (SCRM) concepts
1.12 Establish and maintain a security awareness, education, and training program
In Domain 2 we cover:
2.1 Identify and classify information and assets
2.2 Establish information and asset handling requirements
2.3 Provision information and assets securely
2.4 Manage data lifecycle
2.5 Ensure appropriate asset retention (e.g., End of Life (EOL), End of Support)
2.6 Determine data security controls and compliance requirements
We continue to update our courses to make sure you have the latest and most effective study materials:
- 2024: Updated for the 2024 curriculum. New video on External Dependencies in BIA. Added subtitles in Japanese and Portuguese (Brazil).
- 2023: 40+ updates with new content, clearer explanations, practice questions, and study guides. Added subtitles in Spanish (Latin America), French, Arabic, Chinese, and Hindi, and added topic quizzes with 54 questions.
- 2022: 30+ updates with new content, clearer explanations, practice questions, and study guides.
- 2021: Full course update for the 2021 curriculum.
- 2020: 40+ updates with new content, clearer explanations, practice questions, and study guides.
- 2019: 20+ updates with new content, clearer explanations, practice questions, and study guides.
- 2018: Full course update for the 2018 curriculum.
Start Your Certification Journey Today!
Join thousands of successful professionals who have transformed their careers with ThorTeaches. Let me guide you to CISSP certification success.
Enroll now and let’s achieve your certification goals together!
Thor Pedersen
- 1. Introduction and connect with me on social media (Video lesson)
  Welcome to this course taught by Thor Pedersen. Thor is an experienced instructor with a background in cybersecurity and project management. With extensive work experience in IT, cybersecurity, and project management, he holds CISSP, CISM, CC, CDPSE, CCNP, CCNA, and PMP certifications. His courses on Udemy are the best-selling and highest rated, and he has helped thousands of students pass their exams over the years. In this course, Thor will provide you with the knowledge and skills you need to succeed on your certification exam. He is eager to connect with you and help you along the way, and you can reach out to him through his LinkedIn profile (linkedin.thorteaches.com) or by joining his Facebook group (fb.thorteaches.com). You can also watch some of his free videos on YouTube (youtube.thorteaches.com). Don't wait any longer - let Thor help you achieve your certification goals.
- 2. Download your free study guides and the Udemy ratings system (Video lesson)
- 3. How to get the most out of my courses and the Udemy interface (Video lesson)
  In this lesson, we will be discussing various tips and tricks for getting the most out of my courses. First, I will introduce the concept of the "little elephant," which indicates that a particular topic is particularly important. Next, we will discuss the use of ",..." in lists, which indicates that the list is not exhaustive. I will also explain the use of bold text to indicate keywords. Additionally, we will take a look at the Udemy interface and its various features, including the ability to pause, play, rewind, and fast forward lectures, as well as the option to change the speed of the lecture to better match your preference. We will also discuss the availability of professionally done subtitles in English, as well as autogenerated subtitles in other languages. Finally, we will explore the option to add your own notes, access a question and answer section, view educational announcements, and receive a certificate of completion upon completing the course.
- 4. General CISSP links (Text)
- 5. Domain 1 - What we will be covering (Video lesson)
  In this lesson, we will be covering the important topic of Security and Risk Management in the CISSP certification exam. This domain is crucial because it forms the foundation for all the other domains and carries the highest weight on the exam, with 16% of the weighted questions coming from this domain. We will discuss concepts such as the cost benefit analysis in IT security, the CIA triad of confidentiality, integrity, and availability, security governance principles, laws and regulations, evidence handling, intellectual property, ethics, and policies, standards, procedures, and guidelines. We will also delve into the risk management lifecycle and the importance of business continuity planning and business impact analysis in ensuring the smooth functioning and continuity of a business.
- 6. The CIA Triad - Part 1 - Confidentiality, Integrity, and Availability (Video lesson)
  This lesson is an introduction to the CIA triad, which is a fundamental concept in the field of IT security. The CIA triad consists of three components: confidentiality, integrity, and availability. Confidentiality refers to the protection of sensitive information from unauthorized access. Integrity involves ensuring that data is not modified without proper authorization. Availability refers to the ability of authorized users to access data when needed. The lesson explains that the importance of each component of the CIA triad can vary depending on the type of data being protected and the needs of the business. The lesson also discusses common threats to confidentiality, such as attacks on encryption and social engineering, and methods for protecting data at rest, in motion, and in use.
- 7. The CIA Triad - Part 2 - Confidentiality, Integrity, and Availability (Video lesson)
  In this lesson, we will be discussing the concept of availability in cybersecurity. This refers to the ability of authorized individuals and systems to access data when it is needed. If access is not available, it can hinder work and potentially lead to lost sales or revenue. We will also discuss the different types of attacks that can compromise availability, including DDoS attacks, physical attacks, and even disgruntled employees. To protect against these threats, we will discuss the use of intrusion detection and prevention systems, patch management, and backup systems. It is important to consider the cost versus benefit of implementing these measures and to determine the appropriate level of availability needed for an organization.
- 8. The CIA Triad Quiz (Quiz)
- 9. IAAA - Part 1 - Identification, Authentication, Authorization, and Accountability (Video lesson)
  In this lecture, we will be discussing the concept of IAAA: Identification, Authentication, Authorization, and Accountability in the context of security systems. We will cover the basics of each aspect, including identification methods such as names, usernames, and ID numbers, and authentication methods including knowledge factors (something you know) such as passwords and possession factors (something you have) such as ID cards or smart cards. We will also discuss biometrics as a unique form of authentication that cannot be reissued once compromised. We will delve further into these topics later in the course.
- 10. IAAA - Part 2 - Identification, Authentication, Authorization, and Accountability (Video lesson)
  In this lesson, we will discuss the concepts of least privilege, need to know, and non-repudiation in information security. We will look at least privilege as the practice of giving users the absolute minimum access they need to do their job. We will talk about how this is a form of Mandatory Access Control and how, if a user needs access to something they don't have access to, they need to justify why they need it. We will also discuss need to know and how it's related to Discretionary Access Control, where users only have access to what they need and need to have a valid reason for accessing it. Additionally, we will talk about non-repudiation and how it relates to accountability and auditing of user access to data. We will also touch on the concepts of subjects and objects in information security and how they play a role in the exam and in the industry.
- 11. IAAA - Identification, Authentication, Authorization, and Accountability Quiz (Quiz)
- 12. Governance and Management (Video lesson)
  In this lecture, we will be discussing the difference between management and governance within an organization and how they work together to achieve the overall goals and direction set by leadership. We will also be looking at different standards and control frameworks that an organization may adhere to and the concept of defense in depth to protect against potential threats. It is important to remember that as an IT security manager, our role is to advise on risk and plan, build, run, and monitor activities to align with the direction set by governance, rather than being a hands-on techie or senior leadership. We will also delve into the concept of risk appetite and how it plays a role in determining the direction and actions of an organization.
- 13. Governance and Management Quiz (Quiz)
- 14. Standards and Frameworks (Video lesson)
  In this lesson, we will be covering various standards and control frameworks that are important to know for the exam, including PCI DSS, OCTAVE, COBIT, COSO, ITIL, and FRAP. We will learn about the purpose of each framework, but will not need to know how to implement them. Specifically, PCI DSS is a standard used in the payment card industry, OCTAVE is a team-oriented approach to self-directed risk management, COBIT is a set of goals for the IT organization, COSO is a set of goals for the entire organization, ITIL is a set of frameworks for aligning IT services with business needs, and FRAP is a facilitated risk analysis process focused on one business unit, application, or system at a time.
- 15. Laws and Regulations (Video lesson)
  As an IT security professional, it is important to understand the various laws and regulations that apply to your company and industry in order to effectively adhere to them and perform your job duties. These laws include criminal, civil, administrative, private regulations, customary, and religious laws, and each has different levels of proof required and punishments for non-compliance. Additionally, IT professionals should be aware of concepts such as liability, due diligence, due care, and negligence, which all play a role in ensuring the security of an organization.
- 16. Laws and Regulations - Evidence (Video lesson)
  In this lecture, we will be discussing the importance of evidence and how it is obtained and handled in a court of law. We will examine the different types of evidence, including real evidence, direct evidence, circumstantial evidence, corroborating evidence, and hearsay. We will also discuss the best evidence rule and the importance of preserving the crime scene and the integrity of the evidence. We will cover the use of computer-generated records and logs as hearsay evidence, and the importance of maintaining a clear chain of custody and ensuring that the evidence is unaltered.
- 17. Intellectual property (Video lesson)
  In this lesson, we will be discussing intellectual property and the different types of protection it offers, including copyright, trademarks, patents, and trade secrets. We will also cover common attacks against intellectual property, such as piracy, counterfeiting, and patent infringement. It is important to understand the protection and potential issues surrounding intellectual property, especially for those working in the creative industries or with proprietary information.
- 18. Standards and Frameworks, Laws and Regulations, Intellectual Property Quiz (Quiz)
- 19. US Laws, European Laws, and International Treaties (Video lesson)
  In this lecture, we will be discussing privacy and the various laws and regulations surrounding the protection of Personally Identifiable Information (PII) in the United States, European Union, and internationally. PII is data that can uniquely identify an individual, such as their full name, national ID number, and biometric information. We will also explore the differences in privacy laws between the U.S. and European Union, and how these laws impact companies like Google, Apple, and Microsoft. Finally, we will go over the specific laws and regulations that are relevant for the exam, including the Fair Credit Reporting Act, Children's Online Privacy Protection Act, and the General Data Protection Regulation (GDPR).
- 20. GDPR (General Data Protection Regulation) (Video lesson)
  In this lesson, we will be discussing the General Data Protection Regulation (GDPR), a data protection law in the European Union (EU) that governs data protection and privacy for all individuals in the EU and the European Economic Area. The GDPR was enacted in 2018 and is much more proactive in its approach to IT security and privacy compared to the patchwork of laws in the United States. If a company violates the GDPR, they can be fined up to 20 million euro or 4% of their annual revenue, whichever is greater. The GDPR covers data collection and privacy for individuals and gives individuals in the EU numerous rights, including the right to see all data held about them, the right to be forgotten, and the right to object to the processing of their data.
- 21. International Agreements and Guidelines (Video lesson)
  In this lesson, we will be discussing two international laws and regulations: the OECD Privacy Guidelines and the Wassenaar Arrangement. The OECD Privacy Guidelines are guidelines established by the Organization for Economic Cooperation and Development (OECD) that focus on protecting data and privacy as it passes over borders. These guidelines have eight driving principles, including the collection limitation principle, data quality principle, purpose specification principle, use limitation principle, and security safeguards principle, among others. The Wassenaar Arrangement is an international agreement that initially focused on conventional arms but has also added dual-use goods and technologies, including cryptography. There are 41 countries participating in the Wassenaar Arrangement and it imposes import and export restrictions on cryptographic algorithms for some countries, including Iran, Iraq, China, and Russia. It is important for IT security professionals to be aware of these laws and regulations as they may impact their ability to import or export certain goods and technologies.
- 22. US Laws, European Laws, and International Treaties. GDPR, Int'l Agreement Quiz (Quiz)
- 23. 3rd Party, Acquisitions, and Divestiture Security (Video lesson)
  In this lecture, we will be discussing the security implications of purchasing third-party software for our organization, as well as what happens when we acquire other companies or our company is divided into smaller divisions. We will examine the importance of having Service Level Agreements in place to ensure that the security of third-party software and hardware meets our standards and policies, and discuss the process of conducting risk analyses and audits before acquiring other companies to ensure their security posture is sufficient. We will also touch on the importance of having a holistic security approach and considering the cost benefit analysis when determining the level of security for different assets.
- 24. The ISC2 Code of Ethics (Video lesson)
  In this lecture, we will discuss the importance of ethics in the field of IT security, specifically focusing on the ISC2 code of ethics, the Ten Commandments from the Computer Ethics Institute, and the IAB's Ethics and the Internet. It is crucial for both the exam and your career to understand and adhere to these guidelines and codes of ethics, as failure to do so can result in the revocation of your certification. We will also discuss the importance of understanding the ethics standards of your own organization. Understanding and following these ethical guidelines will not only help you on the exam, but also ensure that you act responsibly and ethically as an IT security professional.
- 25. The ISC2 Code of Ethics Quiz (Quiz)
- 26. Information Security Governance: Values, Vision, Mission, and Plans (Video lesson)
  In this lecture, we will discuss the principles of security governance and how they shape the values, vision, mission, and strategic objectives of an organization. We will also explore the importance of understanding and adhering to these principles in order to effectively support the goals of the organization and make informed decisions as IT security professionals. The lecture will cover the process of building long- and short-term plans based on these principles and how they drive the development of policies, standards, and procedures. Additionally, we will discuss the role of IT security in supporting the overall success of the organization and the importance of knowing the purpose and values of the organization when starting a new job.
- 27. Information Security Governance: Policies, Procedures, Guidelines, and Frameworks (Video lesson)
  In this lecture, we will discuss the various policies, standards, procedures, guidelines, and baselines that are important for our exam. It is important to understand the role of each of these and how they work together, as they are influenced by our values, vision, and mission, as well as laws and regulations. Policies can be regulatory, advisory, or informational and are high level and nonspecific. Standards are mandatory and more detailed, while guidelines are discretionary recommendations and baselines are minimum requirements. Procedures are specific steps that are taken to follow the standards and guidelines, and all of these work together to ensure a consistent security posture across the organization. We will discuss the importance of training and educating users to protect against attackers who often target the weakest link in a system - the user. We will also cover the role of hiring practices, including background checks and non-disclosure agreements, in maintaining secure employment and protecting company secrets. Finally, we will discuss the proper procedure for terminating employees in a secure manner and the importance of coaching and offering additional training to employees who may be struggling with security mistakes.
- 28. Information Security Governance: Policies, Procedures, Guidelines & Frameworks Quiz (Quiz)
- 29. Access Control Categories and Types (Video lesson)
  In this lesson, we will be discussing Access Control, including the categories of Administrative or Directive Controls, Technical Controls, and Physical Controls. We will also explore the different types of Access Control, including preventative, detective, corrective, recoverable, deterrent, and compensating measures. We will discuss the importance of training and awareness in the Administrative category, as well as the various technical and physical measures used for Access Control. It is important to carefully read and understand the question and answer options in order to accurately identify the type of Access Control being discussed.
- 30. Access Control Categories and Types Quiz (Quiz)
- 31. Risk Management - Identification (Video lesson)
  The risk management lifecycle is an essential aspect of IT security, as it helps professionals identify, assess, and mitigate risks that may affect their systems and infrastructure. The risk management lifecycle is an iterative process that consists of four phases: Risk Identification, Risk Assessment, Risk Response and Mitigation, and Risk and Control Monitoring and Reporting. In this lecture, we will focus on the first phase, Risk Identification, which involves assembling a team from across the enterprise and defining the scope of the risk assessment. Understanding the risk management lifecycle is important for both daily tasks and certification exams, as it helps professionals understand the flow and importance of each phase in managing risks.
- 32. Risk Management - Assessment Part 1 (Video lesson)
  In this lecture, we will be discussing risk assessment and the various strategies that can be used to manage risks in a company. This includes performing a qualitative and quantitative risk analysis, creating a risk register, and possibly an uncertainty analysis to understand the potential consequences of risks. We will also discuss the cost benefit analysis that goes into choosing a risk strategy, such as mitigation, transference, acceptance, or avoidance, and the importance of considering an organization's risk appetite. Finally, we will touch on the importance of making informed decisions based on analysis and avoiding risk rejection, which is never acceptable.
- 33. Risk Management - Assessment Part 2 (Video lesson)
  In this lecture, we will be exploring the process of qualitative and quantitative risk analysis using a risk analysis matrix and risk registers. We will start by looking at a practical example of analyzing the risk of a laptop being stolen or forgotten and determining the likelihood and consequences of this event. We will then delve into the use of a risk register to examine various factors and prioritize risks in order to mitigate them. The process of quantitative risk analysis involves analyzing the costs and frequency of risks in order to determine the appropriate level of protection. Throughout the lecture, the importance of finding the right balance of security in order to effectively manage and mitigate risks is emphasized.
- 34. KGIs, KPIs, and KRIs (Video lesson)
  In this lecture, we will be discussing KGIs (Key Goal Indicators), KPIs (Key Performance Indicators), and KRIs (Key Risk Indicators). KGIs are used to measure the success of a goal after it has been completed, while KPIs measure the performance of a specific task and have a direct correlation to the overall goal. KRIs are used to measure and demonstrate the risks that an organization may face and to ensure that the organization is adhering to its risk appetite. KRIs can also serve as an early warning system for potential events that could be harmful to the organization's activities. It is important to properly manage and monitor KGIs, KPIs, and KRIs in order to improve processes, meet targets, and identify and mitigate potential risks.
- 35. Risk Response and Mitigation & Risk and Control Monitoring and Reporting (Video lesson)
  In this lecture, the process of risk assessment and management is discussed, including identifying and presenting risks to senior management, choosing a response strategy such as mitigation, transference, acceptance, or avoidance, implementing countermeasures to reduce risk, and ongoing monitoring and reporting on risks and controls. The importance of due diligence and due care in this process is emphasized, as well as the role of the IT security manager in communicating risks and controls to senior management in a language they can understand. Key risk indicators (KRIs) and key performance indicators (KPIs) are also introduced as tools for monitoring and measuring the effectiveness of risk management efforts.
- 36. Risk Mgmt, KGIs, KPIs, and KRIs, Risk Response & Mitigation & Risk and Control Quiz (Quiz)
- 37. RACI charts (Responsible, Accountable, Consulted, Informed) (Video lesson)
  In this lecture, we explore the importance of RACI charts in project management, IT governance, and information security management. RACI is an acronym that stands for Responsible, Accountable, Consulted, and Informed, and the chart is used to define roles and responsibilities for each task or step in a project or process. The Responsible party is tasked with completing the work, while the Accountable person has the ultimate authority and accountability for the task or decision. Consulted individuals provide input through two-way communication before work begins and decisions are made, while Informed parties are kept up-to-date on progress and decisions through one-way communication, such as progress reports. RACI charts are crucial in information security management because they provide a visual representation of communication channels, ensuring that all necessary parties are informed and consulted, and that responsibilities are clearly defined. The chart resembles a spreadsheet, with tasks or responsibilities listed in rows and teams or individuals in columns, with each square assigned an R, A, C, or I as appropriate. RACI charts are iterative and can evolve as the project or process progresses, making them an effective tool for promoting efficiency and effectiveness in information security management.
- 38. GRC - Governance, Risk Management, and Compliance (Video lesson)
  In this lecture, we delve into the comprehensive approach of Governance, Risk Management, and Compliance (GRC) in analyzing and managing risks while aligning with business objectives and compliance standards. Governance ensures strategic alignment between IT and business objectives, proper resource management, performance monitoring, value delivery, and integration of policies, compliance, and ethics. Risk Management involves identifying, assessing, and responding to risks through qualitative and quantitative risk analysis, and implementing appropriate risk responses such as acceptance, avoidance, mitigation, or transference. Compliance ensures conformity with laws, regulations, and internal policies, and involves auditing, monitoring, incident response compliance, ethics, and privacy. The interconnectedness of GRC is crucial, as governance guides risk management through risk appetite, establishes guidelines for compliance, and compliance requirements feed into governance policies and procedures. Risk management identifies threats and vulnerabilities that can cause non-compliance, and compliance highlights areas of non-compliance for risk assessments. A strong GRC approach reinforces each element, resulting in a more resilient and effective information security program, preventing legal penalties, reputational damage, and financial losses.
- 39. NIST SP 800-53 Revision 5 (Video lesson)
  In this lecture, we explore NIST SP 800-53 Revision 5, a comprehensive guidebook for creating, operating, and maintaining secure systems in an ever-changing threat landscape. This publication presents detailed security and privacy controls primarily intended for US federal systems but is highly customizable and useful for any organization. It guides organizations in defending information systems, managing risks effectively, and addressing privacy concerns through a continuous cycle of risk assessment, control implementation, and monitoring. Revision 5 emphasizes a risk-based, organization-wide approach to information security, focusing on the entire lifecycle of systems, people, processes, and the operational environment. The publication uses control families, control classes, and baseline controls to categorize and prioritize security and privacy measures. Major updates in Revision 5 include the inclusion of privacy controls to protect personally identifiable information (PII), outcome-based controls that allow for tailored security measures, increased focus on supply chain risk management, and protection against insider threats. Understanding the key concepts and updates in NIST SP 800-53 Revision 5 is essential for professionals seeking certification in information security.
- 40. NIST SP 800-37 Revision 1 and 2 (Video lesson)
  In this lecture, we will be discussing NIST Special Publication 800-37, which covers the risk management framework for federal information systems and the security lifecycle approach. We will be covering both revision one, published in 2010 and updated in 2014, and revision two, published in 2018. It is important to cover both revisions because revision one is still being used in exams and the question pool is constantly being updated with new questions. Revision two updates the framework to include a step for preparing and getting senior management on board, as well as integrating privacy risk management processes and aligning with other NIST publications. We will also discuss how the NIST cybersecurity framework can be implemented using the risk management processes.
-
41. GRC - Governance, Risk Management, and Compliance Quiz (Quiz)
-
42. Risk - Attackers and Types of Attacks Part 1. (Video Lecture)
In this lecture, we will delve into the different types of attackers and the attacks they use, starting with hackers. Hackers used to be individuals who found ways to use systems in unintended ways or exploit them for unauthorized purposes, such as AT&T switches that could be hacked to make free, long distance and international calls. Now, hackers are mostly seen as attackers who seek to disrupt the Confidentiality, Integrity, and Availability of systems. There are various types of hackers, including White Hat hackers (also known as Ethical Hackers or professional penetration testers) who find flaws in systems to fix them, Black Hat hackers who actively exploit vulnerabilities, and Grey Hat hackers who are somewhere in between and may tell someone about a vulnerability they find but may also publicize it if it is not addressed. We will also discuss Script Kiddies, individuals who use pre-existing scripts or tools without understanding how they work, and Nation-State Actors, hackers sponsored by governments to perform cyber attacks.
-
43. Risk - Attackers and Types of Attacks Part 2. (Video Lecture)
In this lesson, we will be discussing botnets and phishing, two tools used by hackers. A bot, also known as a zombie, is a computer system that has been infected by malware and can be controlled remotely by the attacker to perform various tasks. Botnets are organized into a Command and Control network and can contain hundreds of thousands of infected systems, known as zombies, that can be used for spam emails, DDoS attacks, and more. Phishing is a form of social engineering through email, where attackers send fake emails to trick individuals into giving away personal information or money. There are different types of phishing, including regular phishing, spear phishing, whale phishing, and vishing, which is phishing through phone calls.
-
44. Risk - Attackers and Types of Attacks Quiz (Quiz)
-
45. Business Continuity Planning - Part 1. (Video Lecture)
In this lecture, we will be discussing business continuity planning (BCP) and briefly touching on disaster recovery planning (DRP). These topics are crucial for both the exam and real-world situations, as any organization will eventually face a disaster. It is important to have a plan in place to minimize the impact and ensure that the organization can recover as quickly as possible. The BCP is the overall plan that includes subplans such as the continuity of operations plan, crisis communication plan, and critical infrastructure protection plan. We will cover DRP in more detail later, but it focuses on the IT aspects of disaster recovery. It is important to have the right amount of security and recovery in place and to consider the cost-benefit analysis. Asking "what if" questions can help identify potential disasters and create a plan to minimize their impact.
-
46. Business Continuity Planning - Part 2. (Video Lecture)
Building a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) involves using publicly available frameworks and standards to ensure that all necessary steps are taken to prevent and recover from potential disasters. The process begins with project initiation and stakeholder identification, followed by scoping the project and conducting a Business Impact Analysis to identify and prioritize critical systems. Next, preventative controls are considered and recovery strategies are developed, followed by designing and developing specific plans, implementing countermeasures, training staff, and testing the plan to ensure it is effective.
-
47. BIA (Business Impact Analysis). (Video Lecture)
In this lecture, we will be discussing the Business Impact Analysis (BIA), which is a critical aspect of Business Continuity Planning (BCP). We will be examining which systems are crucial to the business and how long they can be down before they impact operations. We will also delve into the concept of the CIA triad and risk identification and analysis, as well as the importance of communicating with senior management about the costs and consequences of maintaining certain systems. Additionally, we will cover the definitions and roles of key terms such as Recovery Point Objective (RPO), Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Work Recovery Time (WRT).
-
48. <NEW 2024> External dependencies in BIA (Video Lecture)
In this lecture, we delve into the concept of External Dependencies and their significance in the context of Business Impact Analysis (BIA). External dependencies encompass the third-party services, suppliers, and resources that an organization relies on to maintain its normal operations. We explore how these dependencies can significantly influence the criticality and vulnerabilities of business processes, with interruptions to third-party operations potentially leading to cascading effects on the business. The lecture covers various strategies for managing external dependencies, including in-depth dependency mapping, impact analysis, contingency and redundancy planning, dynamic monitoring and reviews, and the use of Service Level Agreements (SLAs). We also discuss the importance of fostering strong relationships and clear communication with external providers to identify and address potential risks, develop contingency plans, and coordinate responses to disruptions. Real-world examples are provided to illustrate the potential impacts of external dependencies on organizations and emphasize the need for robust contingency planning.
-
49. Business Continuity Planning, BIA Quiz (Quiz)
-
50. What we covered in Domain 1 (Video Lecture)
In Domain 1, we focused on the CIA triad and the IAAA model for protecting data confidentiality, integrity, and availability. We also discussed the importance of need-to-know, least privilege, non-repudiation, and the role of governance and control frameworks in our defense-in-depth strategy. We covered various laws and regulations, as well as the concept of due care and due diligence in avoiding negligence. We explored different types of intellectual property and the ISC2 Code of Ethics, and discussed the risk management lifecycle and potential types of attackers. Finally, we covered business continuity planning and business impact analysis. This domain is the foundation that all the other domains build on top of, and it is 16% of the weighted exam questions.
-
51. (Bonus) Domain 1 - 30 practice questions. (Quiz)
-
52. Domain 1 links. (Text)
-
53. Domain 2 - What we will be covering. (Video Lecture)
In Domain 2, we will be discussing the information lifecycle, including how to classify and label data, the different roles and responsibilities with regard to data security, data privacy and retention, and how to properly secure and dispose of data. This is a small part of the overall curriculum, but it is still 10% of the weighted exam questions.
-
54. The Information Life Cycle. (Video Lecture)
In this lecture, we will discuss the various stages of the information lifecycle, including data acquisition, data use, data archiving, and data disposal. We will explore how data is acquired, either through copying or creation, and the importance of formatting, timestamps, permissions, and encryption in ensuring data security and accessibility. We will also distinguish between data archiving and data backup and discuss the process of data disposal, including destruction methods like disk overwriting and shredding. This lecture is high level; the topics will be explored in more depth later on.
-
55. The 3 States of Data (data at rest, data in motion, and data in use). (Video Lecture)
In this lecture, we will discuss the three states of data and how to protect sensitive information from disclosure, alteration, and destruction. These states include data at rest, data in motion, and data in use, and we will discuss the various methods of encryption and compensating controls that can be used to protect each state. We will also cover industry best practices for storing and transmitting data, including the use of hardware and software encryption, clean desk policies, and user training to raise awareness of data protection.
-
56. The 3 States of Data (data at rest, data in motion, and data in use) Quiz (Quiz)
-
57. Data Classification and Clearance. (Video Lecture)
In this lecture, we will be discussing data classification and how it impacts a system's protection profile. We will cover the various classifications of data, including top secret, secret, confidential, sensitive, unclassified, and sensitive but unclassified, and how they apply to both the military and private sector. We will also discuss clearance and how it is assigned to subjects based on their current and future trustworthiness, as well as the concepts of full access approval, need to know, and least privilege. Understanding these keywords and concepts is important for exams and for understanding how data is protected within a system.
-
58. Data Handling, Data Storage, and Data Retention. (Video Lecture)
In this lesson, we will be discussing data handling and data storage, two important administrative controls that help ensure that only trusted individuals have access to data. We will also address the importance of having clear policies on who can access data and the need for auditing and logs to ensure that access is justified. We will discuss the importance of securely storing data, including the use of backup tapes and their proper storage in a secure and geographically distant location. We will also cover the importance of considering Maximum Tolerable Downtime (MTD) and the need to have a disaster recovery plan in place to ensure that data can be restored in a timely manner. Finally, we will discuss the importance of ensuring that vendors who store and transport data are licensed and bonded to protect against data loss.
-
59. Data Classification & Clearance. Data Handling, Data Storage, & Data Retention (Quiz)
-
60. Mission, Data, System Owners, and Data Custodians. (Video Lecture)
In this lecture, we will be discussing the various roles and responsibilities within an organization to ensure that data is secure. These roles include the mission or business owner, the data or information owner, the data custodian, the system owner, the data controller and data processor, and the security administrator. Each role has its own specific responsibilities, ranging from creating and managing data to ensuring that proper security controls are in place and that data is processed securely. It is important to understand the nuances of each role and the importance of proper data security within an organization.
-
61. Mission, Data, System Owners, and Data Custodians Quiz (Quiz)
-
62. Memory and Data Remanence. (Video Lecture)
In this lecture, we will discuss the concepts of memory and data remanence, including the difference between volatile and non-volatile memory and how each is used in different types of memory such as ROM, EPROM, EEPROM, and PLDs. We will also discuss the importance of understanding these concepts for the exam and the potential security risks associated with flashing memory and updating systems.
-
63. Data Remanence and Destruction. (Video Lecture)
In this lecture, we will discuss how to dispose of media safely and securely, as improper disposal can lead to data breaches. We will cover different methods of disposing of paper, including shredding and cross-cut shredding, and digital disposal methods such as deletion, formatting, overwriting, and purging. It is important to choose the appropriate disposal method for the specific media and to ensure that licensed and bonded companies are used for proper disposal. We will also discuss considerations for damaged media and the importance of having backup controls in place.
-
64. Memory and Data Remanence. Data Remanence and Destruction Quiz (Quiz)
-
65. Data Security Frameworks. (Video Lecture)
In this lecture, we will be discussing the concepts of scoping, tailoring, certification, and accreditation in the context of building data security controls and frameworks within an organization. We will be looking at how these concepts can be used to determine which controls to use and how to deploy them, taking into consideration the unique environment and needs of the organization. Certification refers to the process of ensuring that a system has the appropriate protection profile for the data it stores, while accreditation is when the data owner accepts the certification and residual risks associated with the system. We will also address the scenario in which the data owner refuses to accept the certification and how to address their concerns in order to achieve accreditation.
-
66. Data Security Frameworks Quiz (Quiz)
-
67. Data Protection. (Video Lecture)
In this lecture, we will be discussing three different technologies that are used to protect digital media: Digital Rights Management (DRM), Cloud Access Security Brokers (CASB), and Data Loss Prevention (DLP). DRM refers to the use of systems and technologies to protect copyrighted digital media, such as by using serial numbers, expiration dates, and IP restrictions. CASB acts as a gatekeeper between users and cloud applications, monitoring user activity and protecting against malicious actions, malware, and Shadow IT. DLP involves tracking and preventing the loss of sensitive data, whether through accidental or intentional means.
-
68. Data Protection Quiz (Quiz)
-
69. What we covered in Domain 2 (Video Lecture)
In Domain 2, we learned how to classify and label data and the different roles and responsibilities in maintaining data security. We also discussed the three states of data and the types of volatile and non-volatile memory. Finally, we discussed the importance of preventing data remanence when disposing of media. While Domain 2 is not as foundational as Domain 1, it is still important, as it covers 10% of the exam.
-
70. (Bonus) Domain 2 - 30 practice questions. (Quiz)
-
71. Domain 2 links. (Text)
-
72. How to build your CISSP study plan. (Video Lecture)
This lecture covers the importance of creating a personalized study plan for the CISSP exam, including how to determine the amount of time needed for studying and how to find pockets of time for daily studying. Thor also provides recommendations for the order in which to tackle study materials, including watching video resources, reading primary books, and doing practice questions. He emphasizes the importance of regularly reviewing and adjusting the study plan as needed. You also get a link to a study plan template that can be downloaded and customized for individual use.
-
73. How to use practice questions, deconstruct them, and time management - Part 1. (Video Lecture)
In this lecture, we will discuss the importance of practicing questions as a key component to success on the CISSP exam, which requires a deep understanding of scenarios and the ability to articulate and apply knowledge to specific situations. Time management and utilizing practice questions effectively, including reviewing and restudying areas of weakness, are also crucial elements to consider when preparing for the exam. It is recommended to use a range of difficulty levels for practice questions, with a focus on harder questions closer to the exam date, and to only use each set of questions once to avoid memorization.
-
74. How to use practice questions, deconstruct them, and time management - Part 2. (Video Lecture)
In this lecture, we will learn how to effectively approach exam questions by taking the time to read and deconstruct them to determine the main focus or keywords, as well as identify any indicators such as "MOST," "BEST," "LEAST," or "ALWAYS." We will also discuss different techniques for evaluating the answer options and eliminating distractors to choose the most accurate and precise answer. It is important to argue with ourselves and consider if the chosen answer meets all the requirements posed by the question.
-
75. How to design your career and certification path. (Video Lecture)
In this lecture, we will discuss how to choose a career path and the certifications that can complement that path. We will use Cyberseek.org as a tool to see which certifications are in high demand and how to map out a path to reach our desired job position. We will also look at job postings to see what qualifications and certifications are required or preferred for specific roles, and we will discuss the importance of having a clear idea of our end goal in order to determine the necessary steps to get there.
-
76. How to reach your goals, in this case passing the CISSP exam! (Video Lecture)
This lesson is focused on helping students be more efficient and effective in achieving their goals, specifically with regard to preparing for the CISSP certification. I offer tips and strategies for staying motivated, creating a plan, and involving others in the process. The lesson also covers the importance of setting clear goals and how to break them down into manageable pieces. I also suggest a common approach for preparing for the CISSP certification, which includes watching videos, reading a book, and taking practice tests. The lesson concludes by encouraging students to try out the various strategies and techniques discussed and to make adjustments as needed.
In order to achieve success in studying for a CISSP certification, it is important to prioritize sleep and exercise in addition to studying. Getting enough sleep will provide mental clarity and help with retaining knowledge, while exercise can improve alertness and mood. Visualization and self-affirmation can also be useful tools in reaching your goal. Celebrating milestones and rewarding yourself can also help to motivate you and keep you on track.
-
77. Scheduling your exam and what to expect. (Video Lecture)
This lecture provides a comprehensive guide on how to register for your ISC2 exam and what to expect during the process. To begin, visit isc2.org/register-for-exam and fill out the required personal information, ensuring that your name matches your ID exactly. After submitting the form, you will be redirected to the Pearson VUE website to schedule your exam, choose your language from the six available options, and select a testing center. Becoming certified involves passing the exam and being endorsed by an ISC2 certified professional or your boss/co-worker. You must also commit to the ISC2 Code of Ethics and, once certified, pay an Annual Maintenance Fee (AMF) and earn Continuing Professional Education (CPE) credits each year. Before the exam, familiarize yourself with the exam outline, duration, number of questions, and available languages. Be aware of unscored beta questions randomly dispersed throughout the test and the passing score of 700 out of 1,000 points, with questions being weighted differently. You have 365 days to take or reschedule your exam, with fees applying for cancellations or rescheduling. ISC2 updates their exams every 3 years to maintain relevance.
-
78. What to expect on exam day and after. (Video Lecture)
This lecture covers the practicalities of exam day, including what to expect and what to bring. Arrive at the testing center at least 30 minutes early, provide two forms of ID, give your signature, and have your palm veins scanned. Personal belongings must be left in a locked storage area. You will have 5 minutes to review the Non-Disclosure Agreement (NDA) and testing interface, during which you can write down mnemonics on the provided erasable whiteboard. During the exam, remain seated, but raise your hand if you need a break or encounter issues. Breaks do not stop the exam timer, and you must stay within the building. The testing environment may be loud, but earplugs are available. Your primary ID must have a photo and signature, while the secondary ID only requires a signature. Late arrivals may forfeit their exam fee. If you suspect fraud or cheating, report it to ISC2. After completing the exam, you will receive unofficial results, which may take 6-8 weeks to be officially confirmed. If you do not pass, you can reschedule the exam after a waiting period that increases with each attempt, up to a maximum of 4 attempts within a 12-month period.
-
79. I passed the exam, now what? (Video Lecture)
In this lecture, we discuss the steps to take after provisionally passing your ISC2 certification exam. To become fully certified, you must complete the endorsement process, which involves having someone vouch for your 5 years of full-time work experience within the domains of your certification. If you don't have the required experience, you can become an associate of ISC2 and have 6 years to gain the remaining experience. Once fully certified, you can use the certification logo on your resume and LinkedIn profile. To maintain your certification, you must pay Annual Maintenance Fees (AMFs) and earn Continuing Professional Education (CPE) credits. The number of CPEs required varies by certification, with a minimum number needed annually and per 3-year cycle. CPEs can be earned through various activities, such as webinars, articles, conferences, and video training. There are two types of CPEs: Group A (directly related to the certification) and Group B (professional development). Submitting CPEs is a simple process through the ISC2 website, and you can start earning CPEs on the first of the month following your full certification.
-
80. I failed the exam, now what? (Video Lecture)
In this lecture, we discuss what to do if you fail your ISC2 certification exam. While it can be disappointing, it is important to remember that failure is a learning experience and an opportunity for growth. After failing, take some time to process your emotions, but then get back to studying as soon as possible while the knowledge is still fresh. Review the exam printout to identify your weak areas and focus your studies on those domains. If you have 2-3 domains where you're below proficiency, book your exam right away. If you have more than that, give yourself more time to study. Remember to approach the exam strategically by answering exactly what is asked, deconstructing the question, eliminating answer options, and trusting your intuition. If you fail multiple times, keep in mind the waiting periods between attempts and the limit of 4 attempts per year. Stay positive, seek support from loved ones, and remember why you started this journey in the first place. With the right attitude and preparation, you can turn failure into success.
-
81. Why should you want to get the CISSP certification? (Video Lecture)
This lesson discusses the value of obtaining a CISSP certification in the field of IT and cybersecurity. The CISSP certification is considered the gold standard and is highly requested by recruiters and HR professionals, making it one of the best paid certifications in the industry. The demand for CISSP certified individuals is currently very high, with more open jobs in the US than there are people who are certified. The demand for IT security professionals is also growing, with an estimated annual growth rate of 11-12% and the potential for half a million new jobs each year. Data from CyberSeek shows that there are currently more than 1.5 million cybersecurity jobs in the US and over a third of these positions are unable to be filled. The CISSP certification is particularly in demand, with 93,000 certified individuals in the US and 116,000 open jobs. Other high-level certifications, such as CISM and CISA, also have a high demand with many open jobs.
-
82. The 8 CISSP domains. (Video Lecture)
In this lecture, we will be discussing the 8 domains that make up the CISSP certification curriculum, also known as the 8 Common Bodies of Knowledge (CBKs).
We will start with Domain 1: Security and Risk Management, which makes up 16% of the exam and covers topics such as security risk and compliance, the CIA triad, security governance principles, legal and regulatory issues, professional ethics, security policies and guidelines, business continuity requirements, personnel security policies, risk management, threat modeling, and IT security training.
We will then move on to Domain 2: Asset Security, which makes up 10% of the exam and covers topics such as identifying and classifying assets, vulnerabilities, clearance, data states, data handling and storage, the information lifecycle, privacy protection, data security controls, and handling requirements.
Then we will discuss Domain 3: Security Architecture and Engineering, which is the largest domain and makes up 13% of the exam, covering topics such as security models, cryptography, physical security, security architecture and design, and system security engineering.
Domain 4: Communications and Network Security is a large domain that makes up 13% of the weighted questions on the exam. It covers topics related to secure networking architecture and design, how we use different protocols like IP and non-IP protocols, and how we segment off and secure our networks. This domain also covers protocols that have been added to IPv4 and IPv6 to improve security and extend their usage, as well as how to secure networking components and establish secure communication channels over unsecured networks. Additionally, we will cover common attacks on our networks and the data we transmit.
In Domain 5, we will be learning about Identity as a Service over the cloud and third-party identity services, as well as common attacks on access control and the lifecycle of identity and access provisioning. Again, a small domain, but 13% of the exam questions.
This leads us into Domain 6: Security Assessment and Testing, which accounts for 12% of the exam questions. In this domain, we will be testing the effectiveness of our security measures and looking for vulnerabilities in our security architecture through manual and automated testing, as well as through penetration testing where we hire an external party to try to hack into our network and identify flaws. We will also be examining physical and logical intrusions, including those that may be achieved through social engineering, and working to raise awareness and change behavior through training to prevent these attacks.
In Domain 7, we focus on preventative measures that can be taken to avoid security breaches and incidents, including logging and monitoring, patch management, vulnerability management, and incident management. We also address business continuity and disaster recovery, including how to keep a business functioning during adverse events and how to mitigate potential disasters through scenario planning. Domain 7 is 13% of the weighted exam questions.
Finally, in Domain 8 we cover software development security, including the importance of integrating security into the design phase of software development and considerations for evaluating the security of third-party software. Domain 8 makes up 10% of the weighted exam questions.
-
83. The 4 things you need to pass your CISSP certification. (Video Lecture)
In this video series, Thor Pedersen will provide guidance on how to prepare for the CISSP certification exam. He will discuss the importance of finding the right study materials, building a personalized study plan, and acquiring a deep understanding of the concepts covered in the exam. Thor will also emphasize the importance of time management and the ability to deconstruct and analyze exam questions in order to select the most appropriate answer. He will offer recommendations on the best resources to use and provide templates for creating a study plan. The ultimate goal is to give students the highest chance of passing the exam by providing them with the knowledge, skills, and strategies needed to succeed.
-
84. How to find your study materials - Videos and books. (Video Lecture)
In this video, Thor discusses the different materials and resources that are available to help students pass their exams, including videos and books. He mentions specific video courses and instructors that he recommends and suggests previewing videos to find the best fit for each individual learner. Thor also mentions other resources such as practice questions and free materials that will be discussed in the next video. He emphasizes the importance of finding the right study approach and materials for each person's learning style and recommends starting with videos before moving on to books, due to their size and potential dryness.
-
85. How to find your study materials - Free resources. (Video Lecture)
In this lesson, Thor will continue discussing materials that students should use for their studying, focusing specifically on free resources. He recommends starting with videos and books, then moving on to free materials and questions, with a focus on spending 50% or more of study time on questions. Thor introduces the OWASP (Open Web Application Security Project) and NIST (National Institute of Standards and Technology) as useful free resources and recommends downloading NIST publications and free study guides made by individuals who have passed the CISSP exam. Thor emphasizes the importance of understanding how each resource works, why it is used, where it is used, when it is used, and how it is used in order to be prepared for scenario-based questions on the exam.
-
86. How to find your study materials - Practice questions. (Video Lecture)
In this lecture, we will discuss the importance of finding the right practice questions and approaching them effectively in order to prepare well for the CISSP exam. This includes marking questions for review and restudying the topics covered in those questions, as well as avoiding reusing practice questions and starting with easy-to-mid-level questions before moving on to harder ones. We will also cover a variety of resources for finding practice questions, including AIO and Sybex, thorteaches.com/udemy, CCCURE, Pocketprep, IT Dojo, and various Facebook and LinkedIn groups.
-
87. What I would get if I were studying for the CISSP. (Video Lecture)
In this lecture, Thor provides recommendations for study materials for the CISSP exam, including video courses, books, and practice questions. He suggests using a combination of free resources, such as Thorteaches.com and Destination Certification, as well as paid options like Study Notes and Theory and itpro.tv for those with a higher budget. Thor also recommends purchasing books from Sybex or AIO and Wentz Wu and Luke Ahmed for a low budget, and all secondary books for a higher budget. He estimates that the low budget for all resources will be around $400 and the high budget will be around $750, in addition to the exam cost of $749. Thor emphasizes the importance of choosing materials that match your learning style and the potential career benefits of obtaining the CISSP certification.
