CISSP in 21 Days

By M. L. Srinivasan

About this book

Certified Information Systems Security Professional (CISSP) is an internationally recognized security qualification. Success in this respected exam opens the door to your dream job as a security expert as well as an eye-catching salary. But passing the final exam is challenging. Every year many candidates do not prepare sufficiently for the examination and fail at the final stage. This happens when they cover everything but do not revise properly, and hence lack confidence.

This book will take you through the final weeks before the exam with a day-by-day plan covering all of the exam topics. It will help you to enter the exam room with confidence, knowing that you have done all you can to prepare for the big day.

This small and concise CISSP exam quick-revision guide provides a disciplined approach for reviewing and revising the core concepts in the month before the exam. It gives concise explanations of the important concepts in all 10 domains of the CISSP Common Body of Knowledge (CBK). Each domain is covered in two chapters that are represented as days, and each chapter contains practice questions. A full-blown mock test is included for practice. This book is not a replacement for full study guides; it builds on and re-emphasizes the concepts learned from such guides.

Publication date:
December 2008
Publisher
Packt
Pages
320
ISBN
9781847194503


Chapter 1. Introduction to CISSP

Certified Information Systems Security Professional (CISSP) is a coveted certification for information security professionals. Certified individuals are considered experienced and knowledgeable information security professionals because of the requirements for certification: to appear for the exam, a candidate should have a minimum of four to five years of relevant practical experience in two or more domains of information security.

CISSP is acclaimed as the gold standard of the security industry. The CISSP exam is conducted by the International Information System Security Certification Consortium (ISC)², a non-profit consortium that is engaged in certifying information security professionals throughout their careers. The (ISC)² was founded in 1989 by industry leaders and has certified over 60,000 information security professionals in more than 120 countries.

The (ISC)² Board of Directors includes top Information Security (IS) professionals from a cross-section of the industry. The board members are CISSP certified and are elected, on a volunteer status, by others who have been certified.

As per (ISC)², CISSP was the first credential in the field of information security accredited by the ANSI (American National Standards Institute) to ISO (International Standards Organization) Standard 17024:2003. CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement. The (ISC)² credentials are the following:

  • Certified Information Systems Security Professional (CISSP)

  • Information Systems Security Architecture Professional (ISSAP)

  • Information Systems Security Management Professional (ISSMP)

  • Information Systems Security Engineering Professional (ISSEP)

  • Certification and Accreditation Professional (CAP)

  • Systems Security Certified Practitioner (SSCP)

We will be focusing on the CISSP exam in this quick revision guide.

Eligibility requirements for the CISSP exam and certification

Eligibility for obtaining this certificate is twofold:

  1. Passing the exam:

    The exam consists of 250 multiple-choice questions worth 1000 points, to be answered within six hours. Of the 1000 points, a minimum of 700 points (70%) is required to pass. The weighted value of each question varies, and the distribution is not disclosed to the candidates. The exam is written on paper; an online test option is not offered. The (ISC)² regularly conducts the exam throughout the world, and the exam schedules are available at the (ISC)² website: http://www.isc2.org.

  2. Professional experience:

    Subscribing to the (ISC)² Code of Ethics, and showing proof of direct professional work experience of no less than four to five years in two or more of the security domains prescribed in the (ISC)² CISSP Common Body of Knowledge (CBK).

    Note

    Those who do not have the relevant experience can still appear for the CISSP exam. If they pass, (ISC)² awards them the Associate of (ISC)² credential. Subsequently, by gaining the relevant years of experience, the candidate can show evidence of it and obtain the CISSP credential.

    As per (ISC)²:

    The Associate of (ISC)² status is available to qualified candidates who:

    • Subscribe to the (ISC)² Code of Ethics

    • Pass the CISSP or SSCP certification exams based on the (ISC)² CBK, our taxonomy of information security topics.

The following information is extracted from the (ISC)² website pertaining to the (ISC)² CBK.

The (ISC)² CBK is a taxonomy—a collection of topics relevant to information security professionals around the world. The (ISC)² CBK establishes a common framework of information security terms and principles, which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding.

The (ISC)² was established in 1989, in part, to aggregate, standardize, and maintain the (ISC)² CBK for information security professionals worldwide.

Domains from the (ISC)² credentials are drawn from various topics within the (ISC)² CBK. The (ISC)² uses the CBK to assess a candidate's level of mastery of the most critical domains of information security.

The (ISC)² CBK, from which the (ISC)² credentials are drawn, is updated annually by the (ISC)² CBK Committee to reflect the most current and relevant topics required to practice the profession of information security.


The (ISC)² CBK security domains


The (ISC)² CBK for CISSP contains ten security domains. A candidate attempting the CISSP exam is tested for knowledge in these domains. The following are the ten security domains along with their key areas of knowledge:

  1. Access Control

    • Knowledge of access control concepts, methodologies, and techniques to identify, evaluate, and respond to access control attacks such as brute force, dictionary, spoofing, denial-of-service, and so on.

    • Design, coordinate, and evaluate vulnerability and penetration tests

  2. Application Security

    • Role of security in system life cycles

    • Application environment and security controls

    • Databases, data warehousing, threats, vulnerabilities, and protection

    • Knowledge-based systems and their security

    • Application and system related vulnerabilities and threats

  3. Business Continuity and Disaster Recovery Planning

    • Developing and documenting project scope and plan

    • Conducting the Business Impact Analysis (BIA)

    • Developing recovery strategies

    • Training

    • Maintaining the business continuity plans

  4. Cryptography

    • Application and the use of cryptography

    • Methods of encryption

    • Types of encryption

    • Initialization vectors

    • Cryptographic systems

    • Key management techniques

    • Message digests and hashing

    • Digital signatures

    • Non-repudiation

    • Methods of cryptanalytic attacks

    • Employing cryptography in network security

    • Cryptography and email security

    • The Public Key Infrastructure (PKI)

    • Alternatives such as steganography, watermarking, and so on

  5. Information Security and Risk Management

    • Understanding the organizational goals, mission, and objectives

    • Establishing governance

    • Understanding the concepts of confidentiality, integrity, and availability

    • Understanding and applying "security" concepts such as defense-in-depth, single points of failure, and so on

    • Developing and implementing security policies

    • Defining an organization's roles and responsibilities

    • Security considerations in outsourcing

    • Developing and maintaining internal service agreements

    • Integrating and supporting identity management

    • Understanding and applying risk management concepts

    • Evaluating personnel security

    • Developing and conducting security education, training, and awareness

    • Understanding data classification concepts

    • Evaluating information system security strategies

    • Supporting certification accreditation efforts

    • Designing, conducting, and evaluating security assessment

    • Reporting security incidents to the management

    • Understanding professional ethics

  6. Legal, Regulations, Compliance, and Investigations

    • Understanding common elements of international laws pertaining to information systems security

    • Understanding and supporting investigations

    • Understanding forensic procedures

  7. Operations Security

    • Applying security concepts such as need-to-know/least privilege, separation of duties and responsibilities, monitoring of special privileges (such as those of operators and administrators), job rotation, marking, handling, storing, and destroying of sensitive information and media, record retention, backup of critical information, anti-virus management, remote working, and malware management

    • Employing resource protection

    • Handling violations, incidents, and breaches as well as reporting these occurrences when necessary

    • Supporting high availability such as fault tolerance, denial-of-service prevention, and so on

    • Implementing and supporting patch and vulnerability management

    • Ensuring administrative management and control

    • Understanding configuration management concepts

    • Responding to attacks such as spam, viruses, spyware, phishing, and so on

  8. Physical (Environmental) Security

    • Participating in site and facility design considerations

    • Supporting the implementation and operation of perimeter security, interior security, operations and facility security

    • Participating in the protection and security of equipment

  9. Security Architecture and Design

    • Understanding theoretical concepts of security models

    • Understanding components of information systems evaluation models

    • Understanding security capabilities of computer systems

    • Understanding how the security architecture is affected by covert channels, state attacks, emanations, maintenance hooks, and privileged programs; their countermeasures; assurance, trust, and confidence; and the Trusted Computing Base (TCB) with its reference monitor and security kernel

  10. Telecommunications and Network Security

    • Establishing secure data communications

    • Establishing secure multimedia communications

    • Developing and maintaining secure networks

    • Preventing attacks and controlling potential attack threats such as malicious code, flooding, spamming, and so on

    • Remote access protocols such as CHAP, EAP, and so on

 

Approach


While preparing for the CISSP exam, a candidate has to read and understand many books and references. Many books cover the CISSP CBK domains in depth and provide a starting point for thorough preparation for the exam; references to such books are given in the references chapter at the end of this book. However, since many concepts are spread across the ten domains, it is important to review them all before the exam. This book addresses that need by revisiting the key concepts of the ten domains in a short, simple, and lucid form.

Many concepts overlap and apply to more than one security domain. For example, the concepts of threat, vulnerability, and risk are common to all the domains, and only the specifics vary. The ten security domains are therefore arranged in a logical order so that this guide covers the concepts in the most appropriate sequence. A candidate can refer to this book throughout the preparation for the test or, most importantly, use it for a systematic day-by-day review of the ten domains in the month leading up to the exam. Accordingly, the chapters are divided into 21 convenient days.

 

Summary


This chapter explained the eligibility requirements for the CISSP examination, the organization that conducts the exam, the structure of the exam, the Common Body of Knowledge (CBK), the ten security domains prescribed in the CBK, and their key knowledge areas.

In the next chapter, we will explore the important concepts pertaining to information security and risk management.

About the Author

  • M. L. Srinivasan

    M. L. Srinivasan is the founder and CEO of ChennaiNet, an India-based technology company focused on information technology and information security-related product development, services, and training. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Management System Lead Auditor.

    Popularly known as MLS, the author is an information technology and information security professional and has about 25 years' experience in various IT domains, such as software programming, hardware troubleshooting, networking technologies, systems administration, security administration, information security-related consulting, auditing and training.

    He has been an avid trainer throughout his career and has developed many short-term and long-term training programs. He has been invited to speak at many international conferences and seminars on information security. Currently he is associated with NIIT Technologies (USA) and CA Technologies (USA) as a senior instructor delivering product-based training on CA Identity Manager, CA SiteMinder (Single Sign-On), CA ControlMinder (Access Control), CA Federation Manager, and CA DataMinder.

    He was a specialist IT and IS auditor with Det Norske Veritas (DNV), India region. He has performed many quality and information security audits for hundreds of medium and large organizations in the past.
