The CISSP Exam

To meet the certification requirements of a CISSP, you must have one of the following:

  • Five years of professional experience in two (or more) of the domains within the Common Body of Knowledge (CBK).

  • Four years of experience in two (or more) of the ten domains, and a four-year college degree or master’s degree in information security from a National Center of Excellence.

  • At least three years of experience in two (or more) of the ten domains and a four-year college degree or master’s degree in information security from a National Center of Excellence, plus a professional certification from the following list (candidates are permitted a waiver of one year of experience for any credential on the approved credentials list):

    • CERT Certified Computer Security Incident Handler (CSIH)

    • Certified Business Continuity Planner (CBCP)

    • Certified Computer Crime Investigator (Advanced) (CCCI)

    • Certified Computer Crime Prosecutor

    • Certified Computer Examiner (CCE)

    • Certified Fraud Examiner (CFE)

    • Certified Information Systems Auditor (CISA)

    • Certified Information Security Manager (CISM)

    • Certified Internal Auditor (CIA)

    • Certified Protection Professional (CPP)

    • Certified Wireless Security Professional (CWSP)

    • CompTIA Security+

    • Computer Forensic Computer Examiner (CFCE)

    • GIAC Security Essentials Certification (GSEC)

    • GIAC Certified Firewall Analyst (GCFW)

    • GIAC Certified Intrusion Analyst (GCIA)

    • GIAC Certified Incident Handler (GCIH)

    • GIAC Certified Windows Security Administrator (GCWN)

    • GIAC Certified UNIX Security Administrator (GCUX)

    • GIAC Certified Forensic Analyst (GCFA)

    • GIAC Information Security Officer (GISO)

    • GIAC IT Security Audit Essentials (GSAE)

    • GIAC Security Expert (GSE)

    • GIAC Certified ISO-17799 Specialist (G7799)

    • GIAC Security Leadership Certification (GSLC)

    • GIAC Systems and Network Auditor (GSNA)

    • GIAC Certified Security Consultant (GCSC)

    • Microsoft Certified Systems Administrator (MCSA)

    • Microsoft Certified Systems Engineer (MCSE)

    • Master Business Continuity Planner (MBCP)

    • System Security Certified Practitioner (SSCP)

Consult www.isc2.org for a complete list and description of requirements for your CISSP certification.

Because the CISSP exam covers the ten domains making up the CISSP CBK, it is often described as being “an inch deep and a mile wide,” a reference to the fact that many questions on the exam are not very detailed in nature and do not require you to be an expert in every subject. However, the questions do require you to be familiar with many different security subjects.

The CISSP exam consists of 250 multiple-choice questions, and you have six hours to complete it. The questions are pulled from a much larger question bank to ensure the exam is as unique as possible for each entrant. In addition, the test bank constantly changes and evolves to more accurately reflect the real world of security. The exam questions are continually rotated and replaced in the bank as necessary. Each question has four answer choices, only one of which is correct. Only 225 questions are graded, while 25 are used for research purposes. The 25 research questions are integrated into the exam, so you won’t know which ones count toward your final grade. To pass the exam, you need a minimum raw score of 700 points out of 1,000. Questions are weighted based on their difficulty; not all questions are worth the same number of points. The exam is not product- or vendor-oriented, meaning no questions will be specific to certain products or vendors (for instance, Windows 2000, Unix, or Cisco). Instead, you will be tested on the security models and methodologies used by these types of systems.

(ISC)2 has also added scenario-based questions to the CISSP exam. These questions present a short scenario to the test taker rather than asking the test taker to identify terms and/or concepts. A scenario-based question would be worded something like “John returned from lunch and found that the company’s IDS indicated that a critical server has had continuous ICMP traffic sent to it for over 45 minutes, which is taking up 85% of the server’s CPU resource. What does John need to do at this point?”

The goal of the scenario-based questions is to ensure that test takers not only know and understand the concepts within the CBK, but also can apply this knowledge to real-life situations. This is more practical because in the real world, you won’t be challenged by having someone come up to you and ask, “What is the definition of collusion?” You need to know how to detect and prevent collusion from taking place, in addition to knowing the definition of the term.

Note

Hundreds of scenario-based questions have been added to the CD-ROM in the back of this book to help you prepare for this exam.


The International Information Systems Security Certification Consortium (ISC)2 process for earning credentials will change as of October 2007. In order to obtain a credential, candidates for any of the (ISC)2 credentials will be required to obtain an endorsement of their candidature exclusively from an (ISC)2 certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification, such as the CISSP, SSCP, or CAP. This sponsor will vouch for your years of experience.

After passing the exam, you will be asked to supply documentation, supported by a sponsor, proving that you indeed have this type of experience. The sponsor must sign a document vouching for the security experience you are submitting. So, make sure you have this sponsor lined up prior to registering for the exam and providing payment. You don’t want to pay for and pass the exam, only to find you can’t find a sponsor for the final step needed to achieve your certification.

The reason behind the sponsorship requirement is to ensure that those who achieve the certification have real-world experience to offer companies. Book knowledge is extremely important for understanding theory, concepts, standards, and regulations, but it can never replace hands-on experience. Proving you have practical experience supports the relevance of the certification.

After the exam, a small sample group of successful candidates selected at random will be audited. The audit consists mainly of individuals from (ISC)2 calling on the candidates’ stated sponsors and contacts to verify that the test taker’s related experience is true.

What makes this exam challenging is that most candidates, although they work in the security field, are not necessarily familiar with all ten CBK domains. If a security professional is considered an expert in vulnerability testing or application security, for example, she may not be familiar with physical security, cryptography, or security practices. Thus, studying for this exam will broaden your knowledge of the security field.

The exam questions address the ten CBK security domains, which are described in Table 1-1.

Table 1-1. Security Domains That Make Up the CISSP CBK
Access Control
This domain examines mechanisms and methods used to enable administrators and managers to control what subjects can access, the extent of their capabilities after authorization and authentication, and the auditing and monitoring of these activities. Some of the topics covered include:
  • Access control security models

  • Identification and authentication technologies and techniques

  • Access control administration

  • Single sign-on technologies

  • Attack methods

Telecommunications and Network Security
This domain examines internal, external, public, and private communication systems; networking structures; devices; protocols; and remote access and administration. Some of the topics covered include:
  • OSI model and layers

  • Local area network (LAN), metropolitan area network (MAN), and wide area network (WAN) technologies

  • Internet, intranet, and extranet issues

  • Virtual private networks (VPNs), firewalls, routers, bridges, and repeaters

  • Network topologies and cabling

  • Attack methods

Information Security and Risk Management
This domain examines the identification of company assets, the proper way to determine the necessary level of protection required, and what type of budget to develop for security implementations, with the goal of reducing threats and monetary loss. Some of the topics covered include:
  • Data classification

  • Policies, procedures, standards, and guidelines

  • Risk assessment and management

  • Personnel security, training, and awareness

Application Security
This domain examines the security components within operating systems and applications and how to best develop and measure their effectiveness. It looks at software life cycles, change control, and application security. Some of the topics covered include:
  • Data warehousing and data mining

  • Various development practices and their risks

  • Software components and vulnerabilities

  • Malicious code

Cryptography
This domain examines methods and techniques for disguising data for protection purposes. This involves cryptography techniques, approaches, and technologies. Some of the topics covered include:
  • Symmetric versus asymmetric algorithms and uses

  • Public key infrastructure (PKI) and hashing functions

  • Encryption protocols and implementation

  • Attack methods

Security Architecture and Design
This domain examines concepts, principles, and standards for designing and implementing secure applications, operating systems, and systems. This covers international security measurement standards and their meaning for different types of platforms. Some of the topics covered include:
  • Operating states, kernel functions, and memory mapping

  • Enterprise architecture

  • Security models, architectures, and evaluations

  • Evaluation criteria: Trusted Computer Security Evaluation Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC), and Common Criteria

  • Common flaws in applications and systems

  • Certification and accreditation

Operations Security
This domain examines controls over personnel, hardware, systems, and auditing and monitoring techniques. It also covers possible abuse channels and how to recognize and address them. Some of the topics covered include:
  • Administrative responsibilities pertaining to personnel and job functions

  • Maintenance concepts of antivirus, training, auditing, and resource protection activities

  • Preventive, detective, corrective, and recovery controls

  • Standards, compliance, and due care concepts

  • Security and fault tolerance technologies

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
This domain examines the preservation of business activities when faced with disruptions or disasters. It involves the identification of real risks, proper risk assessment, and countermeasure implementation. Some of the topics covered include:
  • Business resource identification and value assignment

  • Business impact analysis and prediction of possible losses

  • Unit priorities and crisis management

  • Plan development, implementation, and maintenance

Legal Regulations, Compliance, and Investigation
This domain examines computer crimes, laws, and regulations. It includes techniques for investigating a crime, gathering evidence, and handling procedures. It also covers how to develop and implement an incident-handling program. Some of the topics covered include:
  • Types of laws, regulations, and crimes

  • Licensing and software piracy

  • Export and import laws and issues

  • Evidence types and admissibility into court

  • Incident handling

Physical (Environmental) Security
This domain examines threats, risks, and countermeasures to protect facilities, hardware, data, media, and personnel. This involves facility selection, authorized entry methods, and environmental and safety procedures. Some of the topics covered include:
  • Restricted areas, authorization methods, and controls

  • Motion detectors, sensors, and alarms

  • Intrusion detection

  • Fire detection, prevention, and suppression

  • Fencing, security guards, and security badge types


(ISC)2 attempts to keep up with changes in technology and methodologies brought to the security field by adding a large number of new questions to the test question bank each year. These questions are based on current technologies, practices, approaches, and standards. For example, the CISSP exam given in 1998 did not have questions pertaining to wireless security, but present and future exams will.

Other examples of material not on past exams include security governance, instant messaging, phishing, botnets, VoIP, and spam. Though these subjects weren’t issues in the past, they are now—and in the case of botnets, VoIP, and spam, they will be in the future.

The test is based on internationally accepted information security standards and practices. If you look at the (ISC)2 web site for test dates and locations, you may find, for example, that the same test is offered this Tuesday in California and next Wednesday in Saudi Arabia.

If you do not pass the exam, you have the option of retaking it as soon as you like. (ISC)2 used to subject individuals to a waiting period before they could retake the exam, but this rule has been removed. (ISC)2 keeps track of which exam version you were given on your first attempt and ensures you receive a different version for any retakes. (ISC)2 also provides a report to a CISSP candidate who did not pass the exam, detailing the areas where the candidate was weakest. Though you could retake the exam soon afterward, it’s wise to devote additional time to these weak areas to improve your score on the retest.
