Become ISC2 Certified in Cybersecurity you own this product

Everything you need to get the certification

Paulo Carreira and Andreé Miranda Louraço

MEAP began June 2025
Last updated January 2026
Publication in June 2026 (estimated)

ISBN 9781633435667
450 pages (estimated)

Included with a Manning Online subscription

printed in black & white

available in Italian

catalog / Leadership and Careers / Technical Skills / Cybersecurity

resources: Book forum

table of content

Introduction

Part 1: Security Principles

1 Security Concepts of Information Assurance

1.1 Fundamental Terms of Cybersecurity

1.1.1 Organizations

1.1.2 Information Systems and Information Technology

1.1.3 Tangible Assets, Intangible Assets, and Human Assets

1.1.4 Vulnerabilities, Threats, and Actors

1.1.5 Security Controls

1.2 The Confidentiality, Integrity, Availability (CIA) Triad

1.3 Data Classification

1.3.1 Sensitive information

1.3.2 Confidential information

1.3.3 Personally Identifiable Information (PII)

1.3.4 Protected Health Information (PHI)

1.4 Closing Thoughts

1.5 Summary

1.6 Review Questions

1.7 Answers to Review Questions

2 Risk Management

2.1 Risk

2.1.1 Impact

2.1.2 Likelihood

2.1.3 The definition of risk

2.2 Risk Management

2.2.1 Risk management process overview

2.2.2 Risk Assessment

2.2.3 Risk Treatment

2.3 Closing Thoughts

2.4 Summary

2.5 Review Questions

2.6 Answers to Review Questions

3 Understanding Security Controls

3.1 Understanding Security Controls

3.1.1 Categories of Security Controls

3.1.2 Physical controls

3.1.3 Technical controls

3.1.4 Administrative controls

3.1.5 Types of security controls

3.1.6 Understanding security controls by category and by type

3.2 Defense-in-Depth

3.3 Closing Thoughts

3.4 Summary

3.5 Review Questions

3.6 Answers to Review Questions

4 Understanding Governance Processes and Elements

4.1 Governance Framework Overview

4.2 Laws and Regulations

4.2.1 General Data Protection Regulation (GDPR)

4.2.2 Health Insurance Portability and Accountability Act (HIPAA)

4.2.3 Gramm-Leach-Bliley Act (GLBA)

4.3 Standards

4.4 Policies

4.5 Procedures

4.6 Guidelines

4.7 Closing Thoughts

4.8 Summary

4.9 Review Questions

4.10 Answers to Review Questions

5 ISC2 Code of Ethics

5.1 Ethics

5.2 Professional Codes of Conduct

5.3 The ISC2 Code of Ethics

5.3.1 ISC2 Code of Ethics Preamble

5.3.2 The ISC2 Code of Ethics canons

5.3.3 Examples of application of the cannons

5.3.4 Reporting violations

5.4 Closing Thoughts

5.5 Summary

5.6 Review Questions

5.7 Answers to Review Questions

Part 2: Incident Response, Business Continuity, and Disaster Recovery Concepts

6 Incident Response

6.1 Why Is Incident Response Important?

6.2 Events, Incidents, and Security Incidents

6.3 Incident Response Lifecycle

6.3.1 Preparation

6.3.2 Detection and Analysis

6.3.3 Containment, Eradication, and Recovery

6.3.4 Post-Incident activity

6.4 Incident Response Plan

6.5 The Security Operations Center (SOC)

6.5.1 SOC Structure

6.5.2 Escalation

6.6 Closing Thoughts

6.7 Summary

6.8 Review Questions

6.9 Answers to Review Questions

7 Business Continuity Planning

7.1 The importance of Business Continuity

7.2 Business Impact Analysis

7.3 Business Continuity Plan

7.3.1 Developing a Business Continuity Plan

7.3.2 Components of Business Continuity Plan

7.4 Testing the BCP

7.5 Closing Thoughts

7.6 Summary

7.7 Review Questions

7.8 Answers to Review Questions

8 Disaster Recovery Plan

8.1 Disaster Recovery Plan

8.2 Data Recovery Strategies

8.3 Disaster Recovery Infrastructure

8.3.1 Recovery Sites

8.4 Testing the DRP

8.5 Closing Thoughts

8.6 Summary

8.7 Review Questions

8.8 Answers to Review Questions

Part 3: Concepts of Access Control

9 Access Control

9.1 Subjects, Objects, and Rules

9.2 Identification, Authentication, Authorization, and Accountability

9.2.1 Identification

9.2.2 Authentication

9.2.3 Authorization

9.2.4 Accountability

9.3 Identity and Access Management (IAM)

9.4 Account Types

9.5 Privileged Access Management (PAM)

9.6 Principles of Access Control

9.6.1 Least Privilege

9.6.2 Segregation of Duties (SoD)

9.6.3 Two-Person Control

9.6.4 Need-to-Know

9.6.5 Defense-in-Depth

9.7 Closing Thoughts

9.8 Summary

9.9 Review Questions

9.10 Answers to Review Questions

10 Physical Access Controls

10.1 Physical Access Protection

10.1.1 Security perimeters

10.1.2 Protecting the outer perimeter

10.1.3 Protecting the inner perimeter

10.1.4 Protecting work-area perimeters

10.1.5 Protecting secure-area perimeters

10.2 Physical Authentication

10.2.1 Sign-in and ID verification

10.2.2 Badge systems

10.2.3 Biometrics

10.3 Physical Access Monitoring

10.3.1 Security guards

10.3.2 Security cameras (CCTV)

10.3.3 Alarm systems

10.3.4 Physical access logs

10.4 Closing Thoughts

10.5 Summary

10.6 Review Questions

10.7 Answers to Review Questions

11 Logical Access Controls

11.1 Access Control Models

11.1.1 Discretionary access control (DAC)

11.1.2 Mandatory access control (MAC)

11.1.3 Role-Based access control (RBAC)

11.2 Identity Management

11.2.1 Directory services

11.2.2 Single Sign-On (SSO)

11.2.3 Federated Identity Management (FIM)

11.3 Monitoring Logical Access

11.3.1 Logical access logging

11.3.2 Log centralization

11.3.3 Typical suspicious access patterns

11.3.4 Privilege monitoring

11.4 Closing Thoughts

11.5 Summary

11.6 Review Questions

11.7 Answers to Review Questions

Part 4: Network Security

12 Networking

12.1 Networking Overview

12.2 Network Components

12.2.1 Endpoint devices

12.2.2 Network Interface Cards

12.2.3 Hubs and Repeaters

12.2.4 Switches

12.2.5 Routers

12.2.6 Wireless Access Point (WAP)

12.2.7 Proxy Servers

12.2.8 Firewalls

12.2.9 Connection links

12.3 Types of Networks

12.3.1 LAN, MAN, WAN, HAN

12.3.2 Wired and Wireless Networks

12.3.3 Internet of Things (IoT)

12.4 Addressing

12.4.1 MAC Addresses

12.4.2 IP Addresses

12.4.3 DNS

12.5 Networking Models

12.5.1 Data communication layers

12.5.2 Application (upper) layers

12.5.3 Encapsulation and Decapsulation

12.5.4 Layer responsibilities

12.6 Logical Ports

12.6.1 Well-known ports and port ranges

12.6.2 Secure ports and secure protocols

12.7 Network Segmentation

12.7.1 Physical segmentation

12.7.2 Virtual Local Area Networks (VLANs)

12.7.3 Subnetting

12.7.4 Micro-segmentation

12.7.5 Demilitarized Zone (DMZ)

12.7.6 Virtual Private Networks (VPN)

12.8 Closing Thoughts

12.9 Summary

12.10 Review Questions

12.11 Answers to Review Questions

13 Network Threats and Attacks

13.1. The Stages of a Cyber Attack

13.1.1. Reconnaissance

13.1.2. Weaponization

13.1.3. Delivery

13.1.4. Exploitation

13.1.5. Installation

13.1.6. Command and Control (C2)

13.1.7. Objective Execution

13.2. Understanding Threats and Attacks

13.2.1. Malware

13.2.2. Scripting Attacks

13.2.3. Password Attacks

13.2.4. Social Engineering

13.2.5. Spoofing

13.2.6. On-Path Attacks

13.2.7. Denial of Service (DoS) Attacks

13.2.8. Side-Channel Attacks

13.2.9. Physical Attacks

13.2.10. Insider Threats

13.2.11. Advanced Persistent Threats (APT)

13.3. Detecting, Preventing, and Containing Threats

13.3.1. Threat Intelligence

13.3.2. IDS and IPS

13.3.3. Logging and Monitoring

13.3.4. Security Information and Event Management (SIEM) Systems

13.3.5. Endpoint Protection

13.3.6. Firewalls

13.3.7. Email and Web Application Filtering

13.3.8. Network Access Control

13.3.9. Wireless Security

13.3.10. IoT Security

13.4. Network Security Assessment and Testing

13.4.1. Security Scanning

13.4.2. Understanding Vulnerability Assessments

13.4.3. Penetration Testing

13.5. Closing Thoughts

13.6. Summary

13.7. Review Questions

13.8. Answer to Review Questions

14 On-Premises and Cloud Infrastructure

14.1 Data Centers

14.1.1 High availability

14.1.2 Power redundancy

14.1.3 Network redundancy

14.1.4 Physical redundancy

14.1.5 HVAC and Environmental Controls

14.1.6 Physical security

14.1.7 On-premises infrastructure

14.2 Cloud Infrastructure

14.2.1 Cloud service providers and customers

14.2.2 Virtualization

14.2.3 The essential characteristics of Cloud Computing

14.3 Cloud Service Models

14.4 Cloud Deployment Models

14.4.1 Public Cloud

14.4.2 Private Cloud

14.4.3 Community Cloud

14.4.4 Hybrid Cloud

14.5 Managed Service Providers

14.5.1 Service Level Agreement (SLA)

14.5.2 Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA)

14.6 Closing Thoughts

14.7 Summary

14.8 Review Questions

14.9 Answers to Review Questions

Part 5: Security Operations

15 Data Security

15.1 Cryptography

15.1.1 Symmetric Encryption

15.1.2 Asymmetric Encryption

15.1.3 Comparing Symmetric with Asymmetric Encryption

15.1.4 Hashing

15.1.5 Digital Signatures

15.1.6 Public Key Infrastructure (PKI)

15.2 Data Handling

15.2.1 States of Data

15.2.2 Data Lifecycle

15.2.3 Data Classification

15.2.4 Data Labelling

15.2.5 Data Retention

15.2.6 Data Destruction

15.2.7 Data Exfiltration Prevention

15.2.8 Data Loss Prevention

15.3 Closing thoughts

15.4 Summary

15.5 Review Questions

15.6 Answer to Review Questions

16 System Hardening

16.1 Purpose of System Hardening

16.2 Methods for Hardening

16.2.1 Policies for hardening

16.2.2 Attack surface reduction techniques

16.3 Security Baselines

16.4 Patching

16.5 Updates

16.6 Change Management

16.6.1 Change Management Lifecycle

16.7 Closing Thoughts

16.8 Summary

16.9 Review Questions

16.10 Answer to review questions

17 Security Policy Best Practices

17.1 Why Are Security Policies Necessary?

17.2 Elements of Security Policies

17.2.1 Senior Management Support Statement

17.2.2 Defined Purpose and Objectives

17.2.3 Scope and Applicability

17.2.4 Clear Definitions and Language

17.2.5 Exception Management Process

17.2.6 Regular Review and Maintenance

17.2.7 Enforcement and Consequences

17.3 The Data Handling Policy

17.4 The Password Policy

17.5 The Acceptable Use Policy (AUP)

17.6 The Bring Your Own Device (BYOD) Policy

17.7 Change Management Policy

17.8 The Privacy Policy

17.9 Closing Thoughts

17.10 Summary

17.11 Review Questions

17.12 Answers to Review Questions

18 Security Awareness Training

18.1 Security Awareness

18.2 The Security Culture

18.3 Security Awareness Programs

18.3.1 Why Establish a Security Awareness Program

18.3.2 Building Blocks of a Security Awareness Program

18.4 Security Education, Training and Awareness

18.4.1 Education

18.4.2 Training

18.4.3 Awareness

18.5 Summary

18.6 Review Questions

18.7 Answer to Review Questions

Part 6: Practice Exams

19 Exam 1

20 Exam 2

Appendices

Appendix A: Glossary of Terms

Appendix B: List of Acronyms

Appendix C: Reference Materials

Appendix D: Answers to Review Questions

Appendix E: Additional Resources for Further Study

Overview

2 Risk Management

Organizations cannot protect every asset against every threat with unlimited resources, so this chapter frames cybersecurity as a risk-based discipline. It defines risk as the combination of how much harm an event could cause (impact) and how likely it is to occur (likelihood). Impact spans more than monetary loss, covering operational disruption, regulatory penalties, reputational damage, and effects on third parties; likelihood is often estimated using practical ranges rather than precise probabilities. By combining these dimensions—often visualized in a risk matrix or expressed mathematically—teams can compare vulnerabilities and focus first on those that present the greatest overall risk.

Risk management is presented as an ongoing process with two stages: assessment and treatment. Assessment begins with risk identification, which relies on accurate and regularly updated asset inventories and clear assignment of asset and risk owners. Risk analysis then estimates impact and likelihood using quantitative methods (for example, asset value, exposure factor, single loss expectancy, annualized rate of occurrence, and annualized loss expectancy) or qualitative methods (descriptive scales and a risk matrix), or both. Risk evaluation prioritizes the results, generally breaking ties in favor of higher-impact scenarios and elevating any threat to human safety, so that limited resources address the most consequential risks first.

Risk treatment selects proportionate strategies—mitigate, avoid, transfer, or accept—guided by cost/benefit considerations, organizational risk appetite, and specific risk tolerances for business functions. Because no control set eliminates all exposure, residual risk must be acknowledged and either accepted or further reduced, and teams should recognize that new controls can introduce new risks. Effective practice requires documented treatment plans, clear communication with risk owners, integration with daily operations, and continual reassessment as assets, threats, and business priorities evolve, ensuring security investments deliver the greatest reduction in risk aligned to organizational goals.

Illustration of the risk in terms of likelihood and impact

Risk as function of likelihood and impact

Illustration of the risk management process

A risk matrix displaying the level of risk as a function of the values of likelihood and impact

Risk prioritization quadrants according to likelihood and impact

Answers to Review Questions

The correct answer is B. The purpose of any insurance is to transfer risk from one party to another and this process is called risk transference. The insurer is obligated to compensate the insured for a loss caused by an unexpected event over a specified and mutually agreed upon period of time.
The correct answer is A. Risk management is a proactive process of identifying, assessing and prioritizing risks. Appropriate controls are then selected and implemented to reduce or mitigate the potential impact of identified risks. On the other hand, eliminating all risks is impractical, minimizing implementation costs can expose an organization to unnecessary risk, and focusing solely on reactive countermeasures runs counter to the principles of comprehensive risk management.
The correct answer is D. Risk acceptance is a risk management strategy in which an organization chooses not to implement controls to address a risk, but instead accepts the risk and its potential consequences. This doesn't mean that the company ignores the risk; rather, it has made a conscious decision to accept it after considering the costs and benefits.
The correct answer is A. Residual risk helps organizations understand the remaining level of risk they face after implementing their chosen controls and countermeasures, enabling them to make informed decisions about whether additional action is needed or whether the remaining risk is acceptable. None of the other options accurately describe the concept of residual risk.
The correct answer is A. Risk mitigation involves implementing strategies to limit the impact or likelihood of threats occurring. Risk acceptance, on the other hand, is a conscious decision to acknowledge a risk but not take immediate action.

FAQ

What is “risk” in cybersecurity?

Risk is the potential for harm calculated by combining how likely an adverse event is (likelihood) with how severe its consequences would be (impact). As either likelihood or impact increases, overall risk rises.

What’s the difference between impact and likelihood?

- Impact: how much harm an event would cause (to assets, operations, reputation, compliance, and affected third parties). - Likelihood: the probability or expected frequency that the event will occur. Effective prioritization considers both together, not just one.

How do organizations estimate likelihood in practice?

Exact probabilities are hard to determine, so teams use broad, discrete frequency ranges (for example: several times a year, once per year, once every few years). They also factor in ease of exploitation, system exposure, attacker interest, and existing controls.

How should risks be prioritized?

Start with the combined risk (likelihood × impact). If multiple risks fall into the same level, prioritize higher-impact items first—especially anything that could affect safety or cause severe business harm—even if its likelihood is lower.

What are the main stages and steps of the risk management process?

- Risk assessment: identify assets and risks (risk identification), analyze them (qualitative and/or quantitative risk analysis), then evaluate and prioritize them (risk evaluation). - Risk treatment: select and implement strategies to handle prioritized risks, considering organizational constraints and policies.

What is risk identification and why are asset inventories essential?

Risk identification catalogs vulnerabilities, threats, and current controls across all assets. Accurate, regularly updated inventories (hardware, network/communications, software, data/legal obligations, physical facilities, suppliers/third parties) let you find risks where they actually exist and assign clear ownership.

What’s the difference between qualitative and quantitative risk analysis?

- Quantitative: uses numbers (e.g., costs, probabilities) to model loss and compare options objectively (useful when reliable data exists). - Qualitative: uses descriptive scales (e.g., Low/Medium/High, risk matrix) and expert judgment (useful when data is scarce or impacts are subjective, like reputation).

How do you calculate ALE (Annualized Loss Expectancy)?

Use: SLE = AV × EF, then ALE = SLE × ARO. Example: Asset value (AV) $10,000, exposure factor (EF) 40% → SLE $4,000. If annualized rate of occurrence (ARO) is 0.5, then ALE = $4,000 × 0.5 = $2,000 per year.

What’s the difference between risk appetite and risk tolerance?

- Risk appetite: the overall amount of risk leadership is willing to accept to meet business goals. - Risk tolerance: the specific, acceptable level of risk within a given area or activity, staying within the broader appetite.

What are the four risk treatment options and how do you choose?

- Mitigate: reduce likelihood and/or impact (e.g., controls like MFA, encryption). - Avoid: stop or change the risky activity (e.g., retire an unsupported system). - Transfer: shift financial impact to a third party (e.g., insurance). - Accept: consciously tolerate the residual risk. Choose based on cost–benefit, risk levels, and organizational tolerance—and remember treatments can introduce new or changed risks that must be monitored.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $33.59

you save $14.40 (30%)

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more