CISSP For Dummies, 3rd Edition

Part I: Certification Basics

Chapter 1: (ISC)² and the CISSP Certification

In This Chapter
- Finding out about (ISC)² and the CISSP certification
- Understanding CISSP certification requirements
- Registering for the exam
- Developing a study plan
- Taking the CISSP exam and waiting for results

We say that the Certified Information Systems Security Professional (CISSP) candidate requires a breadth of knowledge 50 miles across and 2 inches deep. To embellish on this statement, we believe that the CISSP candidate is more like the Great Wall of China, with a knowledge base extending over 3,500 miles, maybe a few holes here and there, stronger in some areas than others, but nonetheless one of the Seven Wonders of the Modern World.

The problem with many currently available CISSP preparation materials is in defining how high the Great Wall actually is. Some material overwhelms and intimidates CISSP candidates, leading them to believe that the wall is as high as it is long. Other study materials are perilously brief and shallow, giving the unsuspecting candidate a false sense of confidence while he or she merely attempts to step over the Great Wall, careful not to stub a toe. CISSP For Dummies answers the question: What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?

About (ISC)² and the CISSP Certification

The International Information Systems Security Certification Consortium ((ISC)², www.isc2.org) was established in 1989 as a nonprofit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.

The CISSP was the first information security credential to be accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024:2003 standard. This international standard helps to ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate's competence for the certification. This process helps a certification gain industry acceptance and credibility as more than just a marketing tool for certain vendor-specific certifications, a widespread criticism that has caused many vendor certifications to lose relevance over the years.

The ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.

The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)² and defined through ten distinct domains:
- Access Control
- Application Development Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security Governance and Risk Management
- Legal, Regulations, Investigations, and Compliance
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security

You Must Be This Tall to Ride (And Other Requirements)

The CISSP candidate must have a minimum of five cumulative years of professional (full-time, direct) work experience in two or more of the domains listed in the preceding section. The work experience requirement is a hands-on one; you can't satisfy the requirement by just having information security listed as one of your job responsibilities. You need to have information security knowledge and perform work that requires you to regularly apply that knowledge.

However, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:
- A four-year college degree
- An advanced degree in information security from a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) or a regional equivalent
- A credential that appears on the (ISC)² approved list, which includes more than 30 technical and professional certifications, such as various SANS GIAC certifications, Microsoft certifications, and CompTIA Security+. For the complete list, go to www.isc2.org/credential_waiver/default.aspx.

In the U.S., CAEIAE programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml.

Registering for the Exam

To register for the exam, you first need to find a suitable exam date and location. It's given throughout the year at various locations, typically at colleges, community centers, or convention centers worldwide. You can find exam schedules on the (ISC)² Web site at www.isc2.org.

Unlike many other certification exams, the CISSP examination isn't conveniently available at Thomson Prometric or Pearson VUE testing centers. You may need to travel to take this exam, which requires planning in advance for travel arrangements, possibly including airline, rental car, and hotel reservations. If you're traveling to another country for your CISSP examination, visa requirements may also apply.

Next, you need to create an (ISC)² account on the (ISC)² Web site, agree to the (ISC)² Terms and Conditions, complete the online registration form, and pay your examination fee. If you're paying for your CISSP examination with a check or money order, you need to print out the registration form and mail it to the (ISC)² office for the region in which you're planning to take the CISSP examination. Current mailing addresses are listed in the registration form instructions, which you can download from the (ISC)² Web site.

When you register, you're required to quantify your work experience in information security, answer a few questions regarding criminal history and related background, and agree to abide by the (ISC)² Code of Ethics.

The current exam fee in the U.S. is $549 if you register at least 16 days in advance of your exam date. We recommend that you register early for several reasons:
- The normal registration fee is $599, and the rescheduling fee is $100. By registering early, you can essentially split the difference if you need to reschedule your exam for some reason.
- By committing to a specific testing date, you're more likely to stay focused and avoid procrastination.
- Registering early allows you to better plan your travel arrangements and possibly save some money by booking reservations well in advance.
- Space is limited at all test centers. Reservations are accepted on a first-come, first-served basis; in the case of registrations by mail, (ISC)² uses the date of the postmark. If the test date fills up before you register (and this is a hot certification), you may be hard-pressed to find another test date and location that suits you in that same year.
- Great news! If you're a U.S. military veteran and are eligible for Montgomery GI Bill benefits, the Veteran's Administration (VA) will reimburse you for the full cost of the exam, pass or fail.

Preparing for the Exam

Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or training environment, (ISC)² offers CISSP review seminars.

We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of two hours a day for 60 days. If you're a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this study out over a six-month period for 2 hours a day. Consider, however, that committing to six months of intense study is much harder on you, as well as your family and friends, than two months. In the end, you'll find yourself studying only as much as you would have in a 60-day period anyway.

Studying on your own

Self-study can include books and study references, a study group, and practice exams. Begin by downloading the free official CISSP Candidate Information Bulletin (CIB) from the (ISC)² Web site. This booklet provides a good outline of the subjects on which you'll be tested. Next, read this book, take the practice exam, and review the materials on the accompanying CD-ROM. CISSP For Dummies is written to provide the CISSP candidate an excellent overview of all the broad topics covered on the CISSP exam.

You can also find several study guides at www.cissps.com, www.cccure.org, and www.cramsession.com. Joining or creating your own study group can help you stay focused and also provide a wealth of information from the broad perspectives and experiences of other security professionals.

No practice exams exactly duplicate the CISSP exam (and forget about brain dumps). However, many resources are available for practice questions. Some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don't despair! The repetition of practice questions helps reinforce important information that you need to know in order to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Use the Practice Exam and/or the Flash Cards on the CD-ROM, and try the practice questions at Clément Dupuis and Nathalie Lambert's CCCure Web site (www.cccure.org).

Getting hands-on experience

Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities while you prepare for the CISSP exam. For example, if you're weak in networking or applications development, talk to the networking group or programmers in your company. They may be able to show you a few things that can help make sense of the volumes of information that you're trying to digest.

Your company or organization should have a security policy that's readily available to its employees. Get a copy and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn't have a security policy, perhaps now is a good time for you to educate management about issues of due care, due diligence, and other concepts from the Legal, Regulations, Investigations, and Compliance security domain.

Review your company's Business Continuity and Disaster Recovery Plans. They don't exist? Perhaps you can lead this initiative to help both you and your company.

Attending an (ISC)² CISSP CBK Review Seminar

The (ISC)² also administers five-day CISSP CBK Review Seminars to help the CISSP candidate prepare. You can find schedules and registration forms for the CBK Review Seminar on the (ISC)² Web site at www.isc2.org. The early rate for the CISSP CBK Review seminar in the U.S. is $2,495 if you register 16 days or more in advance; the standard rate is $2,695. If you generally learn better in a classroom environment or find that you have knowledge or actual experience in only two or three of the domains, you might seriously consider attending a review seminar.

Attending other training courses or study groups

Other reputable organizations, such as SANS (www.sans.org), offer high-quality training in both classroom and self-study formats. Before signing up and spending your money, we suggest that you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends on the instructor; for this reason, try to find out from others whether the proposed instructor is as helpful as he or she is reported to be.

Many cities have self-study groups, usually run by CISSP volunteers. You may find a study group where you live, or if you know some CISSPs in your area, you might ask them to help you organize a self-study group.

Always confirm the quality of a study course or training seminar before committing your money and time.

See Chapter 3 for more information on starting a CISSP study group.

Are you ready for the exam?

Are you ready for the big day? We can't answer this question for you. You must decide, based on your individual learning factors, study habits, and professional experience, when you're ready for the exam. We don't know of any magic formula for determining your chances of success or failure on the CISSP examination. If you find one, please write to us so that we can include it in the next edition of this book.

In general, we recommend a minimum of two months of focused study. Read this book and continue taking the practice exams in this book and on the accompanying CD until you can consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information that you need to know if you want to pass the CISSP examination. Read this book and reread it until you're comfortable with the information presented and can successfully recall and apply it in each of the ten domains. Continue by reviewing other materials, particularly in your weak areas, and actively participating in an online or local study group. Take as many practice exams from as many different sources as possible. You can't find any brain dumps for the CISSP examination, and no practice test can exactly duplicate the actual exam (some practice tests are simply too easy and others are too difficult), but repetition can help you retain the important knowledge required to succeed on the CISSP exam.

About the CISSP Examination

The CISSP examination itself is a grueling six-hour, 250-question marathon. To put that into perspective, in six hours you could walk about 20 miles, watch a Kevin Costner movie 1 times, or sing "My Way" 540 times on a karaoke machine. Each of these feats, respectively, closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.

As described by the (ISC)², you need a scaled score of 700 or better to pass the examination. Not all the questions are weighted equally, so we can't absolutely state the number of correct questions required for a passing score.

The examination isn't computer-based. It's administered the old-fashioned way: exam booklet, answer sheet, and a lot of pencils. You can write in the exam booklet, but (ISC)² only scores answers recorded on the answer sheet.

You won't find any multiple-answer, fill-in-the-blank, scenario, or simulation questions on the CISSP exam. However, all 250 multiple-choice questions require you to select the best answer from four possible choices. So the correct answer isn't always a straightforward, clear choice. In fact, you can count on many questions to initially appear like they have more than one correct answer. (ISC)² goes to great pains to ensure that you really, really know the material. For instance, a sample question might resemble the following:

Which of the following is the FTP control channel?
A. TCP port 21
B. UDP port 21
C. TCP port 25
D. IP port 21

Many readers almost instinctively know that FTP's control channel is port 21, but is it TCP, UDP, or IP?

Increasingly, CISSP exam questions are based more on situations than on simple knowledge of facts. For instance, here's a question you might get:

A system administrator has found that a former employee has successfully logged in to the system. The system administrator should
A. Shut down the system
B. Confirm the breach in the security logs
C. Lock or remove the user account
D. Contact law enforcement

You won't find the answer to this in a book (well, probably not). But every exam question still has a best answer, perhaps not an ideal answer, but definitely a best answer.

A common and effective test-taking strategy for multiple-choice questions is to carefully read each question and then eliminate any obviously wrong choices. The CISSP examination is no exception. Wrong choices aren't necessarily obvious on the CISSP examination. You may find a few obviously wrong choices, but they only stand out to someone who has studied thoroughly for the examination and has a good grasp of all ten of the security domains.

Only 225 questions are actually counted toward your final score. The other 25 are trial questions for future versions of the CISSP examination. However, the exam doesn't identify these questions for the test taker, so you have to answer all 250 questions like they're all the real thing.

The CISSP examination is currently available in English, French, German, Japanese, Korean, and Spanish. You're permitted to bring a foreign-language dictionary (non-electronic) for the exam, if needed. You need to indicate your language preference when you register for the exam.

Chapter 14 covers the details of the exam environment. Chapter 15 contains suggestions for preparation on the day of the exam.

Waiting for Your Results

Perhaps the most painful part of the CISSP examination is waiting for the results. You can expect to come out of the CISSP examination, at best, with no idea of whether you passed or failed, or worse, with the sinking feeling that you bombed it miserably. Take heart; this is an almost universal reaction caused by mental fatigue, but failure certainly isn't the universal result.

(ISC)² officially states that you can expect your exam results via first-class mail within four to six weeks of your examination date. However, (ISC)² is getting more efficient and often has results out within one to two weeks. (ISC)² doesn't give out results via telephone. If you don't receive your results within six weeks, contact (ISC)² to inquire about the status.

Your results simply tell you Pass or Fail. You don't receive a score, and (ISC)² doesn't identify your domain strengths/weaknesses for you. You just receive an e-mail and an official letter informing you of your results.

While waiting for your results, assume the worst and prepare for the retest. Recall specific problem areas from the examination. Write them down and study those areas again. If you fail the examination, this effort can pay huge dividends when you try again. And if you find out that you did pass the examination, you'll be a better CISSP. Chapter 3 reviews what to do after you earn your CISSP certification.

After being notified of a passing score on the CISSP examination, you must submit a qualified third-party endorsement from another CISSP, your employer, or any licensed, certified, or commissioned professional (such as a banker, attorney, or certified public accountant) to validate your work experience. This endorsement must be submitted within 90 days of the date of the exam results notification letter; otherwise, your application and exam results are voided.

(ISC)² randomly audits a percentage of submitted applications, requiring additional documentation (normally a resume and confirmation from employers of work history) and review by (ISC)². (ISC)² normally sends final notification of certification via e-mail within one business day (seven business days if audited) after it receives the endorsement.

After you earn your CISSP certification, you must remain an (ISC)² member in good standing and renew your certification every three years. You can renew the CISSP certification by accumulating 120 Continuing Professional Education (CPE) credits or by retaking the CISSP examination. You must earn a minimum of 20 CPE credits during each year of your three-year recertification cycle. You earn CPE credits for various activities, including taking educational courses or attending seminars and security conferences, belonging to association chapters and attending meetings, viewing vendor presentations, completing university or college courses, providing security training, publishing security articles or books, serving on relevant industry boards, taking part in self-study, and doing related volunteer work. You must document your annual CPE activities on the secure (ISC)² Web site to receive proper credit. You also have to pay an $85 annual maintenance fee, payable to (ISC)². Maintenance fees are billed in arrears for the preceding year, and you can pay them online, also in the secure area of the (ISC)² Web site. See Chapter 3 for more information on earning CPE credits and maintaining your CISSP certification.
