Become ISC2 Certified in Cybersecurity you own this product

Everything you need to get the certification

Paulo Carreira and Andreé Miranda Louraço

MEAP began June 2025
Last updated January 2026
Publication in Summer 2026 (estimated)

ISBN 9781633435667
450 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Leadership and Careers / Technical Skills / Cybersecurity

resources: Book forum

table of content

Introduction

Part 1: Security Principles

1 Security Concepts of Information Assurance

1.1 Fundamental Terms of Cybersecurity

1.1.1 Organizations

1.1.2 Information Systems and Information Technology

1.1.3 Tangible Assets, Intangible Assets, and Human Assets

1.1.4 Vulnerabilities, Threats, and Actors

1.1.5 Security Controls

1.2 The Confidentiality, Integrity, Availability (CIA) Triad

1.3 Data Classification

1.3.1 Sensitive information

1.3.2 Confidential information

1.3.3 Personally Identifiable Information (PII)

1.3.4 Protected Health Information (PHI)

1.4 Closing Thoughts

1.5 Summary

1.6 Review Questions

1.7 Answers to Review Questions

2 Risk Management

2.1 Risk

2.1.1 Impact

2.1.2 Likelihood

2.1.3 The definition of risk

2.2 Risk Management

2.2.1 Risk management process overview

2.2.2 Risk Assessment

2.2.3 Risk Treatment

2.3 Closing Thoughts

2.4 Summary

2.5 Review Questions

2.6 Answers to Review Questions

3 Understanding Security Controls

3.1 Understanding Security Controls

3.1.1 Categories of Security Controls

3.1.2 Physical controls

3.1.3 Technical controls

3.1.4 Administrative controls

3.1.5 Types of security controls

3.1.6 Understanding security controls by category and by type

3.2 Defense-in-Depth

3.3 Closing Thoughts

3.4 Summary

3.5 Review Questions

3.6 Answers to Review Questions

4 Understanding Governance Processes and Elements

4.1 Governance Framework Overview

4.2 Laws and Regulations

4.2.1 General Data Protection Regulation (GDPR)

4.2.2 Health Insurance Portability and Accountability Act (HIPAA)

4.2.3 Gramm-Leach-Bliley Act (GLBA)

4.3 Standards

4.4 Policies

4.5 Procedures

4.6 Guidelines

4.7 Closing Thoughts

4.8 Summary

4.9 Review Questions

4.10 Answers to Review Questions

5 ISC2 Code of Ethics

5.1 Ethics

5.2 Professional Codes of Conduct

5.3 The ISC2 Code of Ethics

5.3.1 ISC2 Code of Ethics Preamble

5.3.2 The ISC2 Code of Ethics canons

5.3.3 Examples of application of the cannons

5.3.4 Reporting violations

5.4 Closing Thoughts

5.5 Summary

5.6 Review Questions

5.7 Answers to Review Questions

Part 2: Incident Response, Business Continuity, and Disaster Recovery Concepts

6 Incident Response

6.1 Why Is Incident Response Important?

6.2 Events, Incidents, and Security Incidents

6.3 Incident Response Lifecycle

6.3.1 Preparation

6.3.2 Detection and Analysis

6.3.3 Containment, Eradication, and Recovery

6.3.4 Post-Incident activity

6.4 Incident Response Plan

6.5 The Security Operations Center (SOC)

6.5.1 SOC Structure

6.5.2 Escalation

6.6 Closing Thoughts

6.7 Summary

6.8 Review Questions

6.9 Answers to Review Questions

7 Business Continuity Planning

7.1 The importance of Business Continuity

7.2 Business Impact Analysis

7.3 Business Continuity Plan

7.3.1 Developing a Business Continuity Plan

7.3.2 Components of Business Continuity Plan

7.4 Testing the BCP

7.5 Closing Thoughts

7.6 Summary

7.7 Review Questions

7.8 Answers to Review Questions

8 Disaster Recovery Plan

8.1 Disaster Recovery Plan

8.2 Data Recovery Strategies

8.3 Disaster Recovery Infrastructure

8.3.1 Recovery Sites

8.4 Testing the DRP

8.5 Closing Thoughts

8.6 Summary

8.7 Review Questions

8.8 Answers to Review Questions

Part 3: Concepts of Access Control

9 Access Control

9.1 Subjects, Objects, and Rules

9.2 Identification, Authentication, Authorization, and Accountability

9.2.1 Identification

9.2.2 Authentication

9.2.3 Authorization

9.2.4 Accountability

9.3 Identity and Access Management (IAM)

9.4 Account Types

9.5 Privileged Access Management (PAM)

9.6 Principles of Access Control

9.6.1 Least Privilege

9.6.2 Segregation of Duties (SoD)

9.6.3 Two-Person Control

9.6.4 Need-to-Know

9.6.5 Defense-in-Depth

9.7 Closing Thoughts

9.8 Summary

9.9 Review Questions

9.10 Answers to Review Questions

10 Physical Access Controls

10.1 Physical Access Protection

10.1.1 Security perimeters

10.1.2 Protecting the outer perimeter

10.1.3 Protecting the inner perimeter

10.1.4 Protecting work-area perimeters

10.1.5 Protecting secure-area perimeters

10.2 Physical Authentication

10.2.1 Sign-in and ID verification

10.2.2 Badge systems

10.2.3 Biometrics

10.3 Physical Access Monitoring

10.3.1 Security guards

10.3.2 Security cameras (CCTV)

10.3.3 Alarm systems

10.3.4 Physical access logs

10.4 Closing Thoughts

10.5 Summary

10.6 Review Questions

10.7 Answers to Review Questions

11 Logical Access Controls

11.1 Access Control Models

11.1.1 Discretionary access control (DAC)

11.1.2 Mandatory access control (MAC)

11.1.3 Role-Based access control (RBAC)

11.2 Identity Management

11.2.1 Directory services

11.2.2 Single Sign-On (SSO)

11.2.3 Federated Identity Management (FIM)

11.3 Monitoring Logical Access

11.3.1 Logical access logging

11.3.2 Log centralization

11.3.3 Typical suspicious access patterns

11.3.4 Privilege monitoring

11.4 Closing Thoughts

11.5 Summary

11.6 Review Questions

11.7 Answers to Review Questions

Part 4: Network Security

12 Networking

12.1 Networking Overview

12.2 Network Components

12.2.1 Endpoint devices

12.2.2 Network Interface Cards

12.2.3 Hubs and Repeaters

12.2.4 Switches

12.2.5 Routers

12.2.6 Wireless Access Point (WAP)

12.2.7 Proxy Servers

12.2.8 Firewalls

12.2.9 Connection links

12.3 Types of Networks

12.3.1 LAN, MAN, WAN, HAN

12.3.2 Wired and Wireless Networks

12.3.3 Internet of Things (IoT)

12.4 Addressing

12.4.1 MAC Addresses

12.4.2 IP Addresses

12.4.3 DNS

12.5 Networking Models

12.5.1 Data communication layers

12.5.2 Application (upper) layers

12.5.3 Encapsulation and Decapsulation

12.5.4 Layer responsibilities

12.6 Logical Ports

12.6.1 Well-known ports and port ranges

12.6.2 Secure ports and secure protocols

12.7 Network Segmentation

12.7.1 Physical segmentation

12.7.2 Virtual Local Area Networks (VLANs)

12.7.3 Subnetting

12.7.4 Micro-segmentation

12.7.5 Demilitarized Zone (DMZ)

12.7.6 Virtual Private Networks (VPN)

12.8 Closing Thoughts

12.9 Summary

12.10 Review Questions

12.11 Answers to Review Questions

13 Network Threats and Attacks

13.1. The Stages of a Cyber Attack

13.1.1. Reconnaissance

13.1.2. Weaponization

13.1.3. Delivery

13.1.4. Exploitation

13.1.5. Installation

13.1.6. Command and Control (C2)

13.1.7. Objective Execution

13.2. Understanding Threats and Attacks

13.2.1. Malware

13.2.2. Scripting Attacks

13.2.3. Password Attacks

13.2.4. Social Engineering

13.2.5. Spoofing

13.2.6. On-Path Attacks

13.2.7. Denial of Service (DoS) Attacks

13.2.8. Side-Channel Attacks

13.2.9. Physical Attacks

13.2.10. Insider Threats

13.2.11. Advanced Persistent Threats (APT)

13.3. Detecting, Preventing, and Containing Threats

13.3.1. Threat Intelligence

13.3.2. IDS and IPS

13.3.3. Logging and Monitoring

13.3.4. Security Information and Event Management (SIEM) Systems

13.3.5. Endpoint Protection

13.3.6. Firewalls

13.3.7. Email and Web Application Filtering

13.3.8. Network Access Control

13.3.9. Wireless Security

13.3.10. IoT Security

13.4. Network Security Assessment and Testing

13.4.1. Security Scanning

13.4.2. Understanding Vulnerability Assessments

13.4.3. Penetration Testing

13.5. Closing Thoughts

13.6. Summary

13.7. Review Questions

13.8. Answer to Review Questions

14 On-Premises and Cloud Infrastructure

14.1 Data Centers

14.1.1 High availability

14.1.2 Power redundancy

14.1.3 Network redundancy

14.1.4 Physical redundancy

14.1.5 HVAC and Environmental Controls

14.1.6 Physical security

14.1.7 On-premises infrastructure

14.2 Cloud Infrastructure

14.2.1 Cloud service providers and customers

14.2.2 Virtualization

14.2.3 The essential characteristics of Cloud Computing

14.3 Cloud Service Models

14.4 Cloud Deployment Models

14.4.1 Public Cloud

14.4.2 Private Cloud

14.4.3 Community Cloud

14.4.4 Hybrid Cloud

14.5 Managed Service Providers

14.5.1 Service Level Agreement (SLA)

14.5.2 Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA)

14.6 Closing Thoughts

14.7 Summary

14.8 Review Questions

14.9 Answers to Review Questions

Part 5: Security Operations

15 Data Security

15.1 Cryptography

15.1.1 Symmetric Encryption

15.1.2 Asymmetric Encryption

15.1.3 Comparing Symmetric with Asymmetric Encryption

15.1.4 Hashing

15.1.5 Digital Signatures

15.1.6 Public Key Infrastructure (PKI)

15.2 Data Handling

15.2.1 States of Data

15.2.2 Data Lifecycle

15.2.3 Data Classification

15.2.4 Data Labelling

15.2.5 Data Retention

15.2.6 Data Destruction

15.2.7 Data Exfiltration Prevention

15.2.8 Data Loss Prevention

15.3 Closing thoughts

15.4 Summary

15.5 Review Questions

15.6 Answer to Review Questions

16 System Hardening

16.1 Purpose of System Hardening

16.2 Methods for Hardening

16.2.1 Policies for hardening

16.2.2 Attack surface reduction techniques

16.3 Security Baselines

16.4 Patching

16.5 Updates

16.6 Change Management

16.6.1 Change Management Lifecycle

16.7 Closing Thoughts

16.8 Summary

16.9 Review Questions

16.10 Answer to review questions

17 Security Policy Best Practices

17.1 Why Are Security Policies Necessary?

17.2 Elements of Security Policies

17.2.1 Senior Management Support Statement

17.2.2 Defined Purpose and Objectives

17.2.3 Scope and Applicability

17.2.4 Clear Definitions and Language

17.2.5 Exception Management Process

17.2.6 Regular Review and Maintenance

17.2.7 Enforcement and Consequences

17.3 The Data Handling Policy

17.4 The Password Policy

17.5 The Acceptable Use Policy (AUP)

17.6 The Bring Your Own Device (BYOD) Policy

17.7 Change Management Policy

17.8 The Privacy Policy

17.9 Closing Thoughts

17.10 Summary

17.11 Review Questions

17.12 Answers to Review Questions

18 Security Awareness Training

18.1 Security Awareness

18.2 The Security Culture

18.3 Security Awareness Programs

18.3.1 Why Establish a Security Awareness Program

18.3.2 Building Blocks of a Security Awareness Program

18.4 Security Education, Training and Awareness

18.4.1 Education

18.4.2 Training

18.4.3 Awareness

18.5 Summary

18.6 Review Questions

18.7 Answer to Review Questions

Part 6: Practice Exams

19 Exam 1

20 Exam 2

Appendices

Appendix A: Glossary of Terms

Appendix B: List of Acronyms

Appendix C: Reference Materials

Appendix D: Answers to Review Questions

Appendix E: Additional Resources for Further Study

Overview

1 Security Concepts of Information Assurance

This chapter introduces the foundational concepts that underpin information assurance. It frames organizations as socio-technical systems in which people, processes, and technology work together to create value, and it defines assets broadly to include tangible items (facilities, hardware), intangible items (software, data, intellectual property, reputation), and human assets (employees, contractors, vendors). The goal of cybersecurity is to understand organizational risk, anticipate relevant threats, and select effective controls that preserve operations across increasingly hybrid and cloud-enabled environments.

Key risk terms are clarified: vulnerabilities are weaknesses in assets, threats are factors that can exploit those weaknesses, attacks are intentional exploitations, and threat actors range from insiders and hobbyists to criminal groups and nation-state teams. Security controls are grouped as physical, technical, and administrative measures that collectively uphold the CIA triad—confidentiality, integrity, and availability—while countering the complementary threat classes of disclosure, alteration, and denial. Examples include encryption and access control for confidentiality, hashing and digital signatures for integrity, and redundancy, failover, and backups for availability; these controls often overlap and reinforce one another.

Because not all information carries equal risk, the chapter emphasizes data classification to align protections with sensitivity and impact—commonly using tiers such as public, internal, confidential, and highly confidential. It distinguishes sensitive from confidential data, explains how handling requirements become stricter as potential harm rises, and details categories like personally identifiable information (PII)—including both non-public and public elements that may enable identification—and protected health information (PHI), which demands strict privacy safeguards. Together, these concepts provide a practical framework for prioritizing defenses and applying the right controls to protect an organization’s most valuable assets.

Illustration of the interdependence of the key information security principles of confidentiality, integrity, and availability along with the corresponding threats of disclosure, alteration, and denial.

Answers to Review Questions

The correct answer is D. Software is not a tangible asset. Unlike hardware, buildings, and machines, which have a physical form and can be touched, software is intangible. It consists of code and data that exist digitally rather than physically.
The correct answer is C. Availability is the component of the CIA triad that focuses on ensuring that information is available when it is needed. On the other hand, while Confidentiality and Integrity are part of the CIA, they have different purposes. Authentication is not part of the CIA triad.
The correct answer is A. Any factor that has the potential to disrupt an asset by exploiting a vulnerability is known as a threat. Threats can take many forms, including malicious actors such as hackers, computer viruses, or natural disasters such as hurricanes or earthquakes. The remaining options, on the other hand, are not threats because the first two unchecked options represent vulnerabilities, and the last unchecked option emphasizes the need for protective measures on an asset to counter potential threats.
The correct answer is C. A threat actor is an individual or entity responsible for launching cyberattacks. The remaining options are incorrect because a software vulnerability is a vulnerability, a phishing email is a threat vector, and a denial-of-service attack is an example of an attack method.
The correct answer is C. PII (Personally Identifiable Information) includes personal information such as names and addresses, while PHI (Protected Health Information) is a subset that focuses on health information, including medical records and treatment details. PII and PHI must be protected, but PHI has additional regulatory requirements.

FAQ

What is Information Assurance (IA)?

Information Assurance is the practice of protecting information and the systems that process it so their confidentiality, integrity, and availability are maintained against threats.

How do people, processes, and technology relate to organizational security?

Organizations create value through people executing processes supported by technology (physical and digital). Security must account for all three, because weaknesses in any area can disrupt operations and harm the organization.

What is an “asset” in cybersecurity, and what types exist?

An asset is anything of value that requires protection. Types include: - Tangible: physical items like buildings, servers, networks, and devices. - Intangible: non-physical items like data, software, IP, contracts, and brand reputation. - Human: employees, contractors, and vendors whose skills and actions impact security.

What’s the difference between a vulnerability, a threat, an attack, and a threat actor?

- Vulnerability: a weakness in an asset (e.g., misconfiguration). - Threat: any potential cause of harm that can exploit a vulnerability (e.g., hardware failure, malware). - Attack: the intentional exploitation of a vulnerability. - Threat actor: the person or group carrying out an attack (e.g., insider, criminal group).

Who are common threat actors and what motivates them?

Typical actors include insiders, script kiddies, thrill seekers, hacktivists, criminal syndicates, and advanced persistent threats (APTs). Motivations range from curiosity or notoriety to profit, ideology, espionage, or sabotage, with varying skills and resources.

What is the CIA Triad and why is it fundamental?

- Confidentiality: only authorized access to information. - Integrity: information is accurate and unaltered except by authorized means. - Availability: information and systems are accessible when needed. These principles guide risk assessment and control selection for protecting assets.

What is the DAD model and how does it map to the CIA Triad?

DAD describes three threat classes: - Disclosure → compromises confidentiality. - Alteration → compromises integrity. - Denial → compromises availability. Thinking in DAD terms helps anticipate how threats impact CIA and select appropriate safeguards.

What kinds of security controls are used to protect assets?

- Physical: guards, locks, barriers, cameras, badge/biometric access. - Technical: firewalls, encryption, authentication, anti-malware, access controls. - Administrative: policies, procedures, training, and governance. Controls often overlap and are combined based on risk.

What is data classification and what levels are commonly used?

Data classification organizes information by sensitivity and impact to guide handling and protection. Common levels include Public, Internal, Confidential, and Highly Confidential (or Restricted). Higher sensitivity demands stricter access, storage, transmission, and retention controls.

How do sensitive, confidential, PII, and PHI differ?

- Sensitive: data that could harm individuals or the organization if misused. - Confidential: sensitive data that must be kept private by policy or law (e.g., trade secrets). - PII: data that identifies a person (e.g., SSN, unlisted phone, bank details); can be public or non-public. - PHI: health-related data (e.g., medical records, lab results) tied to an individual; requires strong privacy protections and often anonymization.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $23.99

you save $24.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $23.99

you save $24.00 (50%)

eBook

pdf, ePub, online

$47.99 $23.99

you save $24.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more