Introduction: The CISSP Certification

This Introduction covers the following subjects:

- The Goals of the CISSP Certification: Describes the sponsoring bodies and the stated goals of the certification.
- The Value of the CISSP Certification: Examines the career and business drivers that comprise the value of the certification.
- The Common Body of Knowledge: Lists the eight domains of information that make up the topics covered in the certification.
- Steps to Becoming a CISSP: Describes the process involved in achieving CISSP certification.

Certified Information Systems Security Professional (CISSP) is one of the most respected and sought-after security certifications available today. It is a globally recognized credential that demonstrates that the holder has knowledge and skills across a broad range of security topics.

As the number of security threats to organizations grows and the nature of these threats broadens, companies large and small have realized that security can no longer be an afterthought. It must be built into the DNA of the enterprise to be successful. This requires trained professionals who are versed not only in technology security but in all aspects of security. It also requires a holistic approach to protecting the enterprise.

Security today is no longer a one-size-fits-all proposition. The CISSP credential is a way security professionals can demonstrate the ability to design, implement, and maintain the correct security posture for an organization, based on the complex environments in which today’s organizations exist.

The Goals of the CISSP Certification

The CISSP certification is created and managed by one of the most prestigious security organizations in the world and has a number of stated goals. Although not critical for passing the exam, having knowledge of the organization and of these goals is helpful in understanding the motivation behind the creation of the exam.

Sponsoring Bodies

The CISSP is created and maintained by the International Information Systems Security Certification Consortium (ISC)2. (ISC)2 is a global not-for-profit organization that provides both a vendor-neutral certification process and supporting educational materials.

The CISSP is one of a number of security-related certifications offered by (ISC)2. Other certifications offered by this organization include the following:

- Systems Security Certified Practitioner (SSCP)
- Certified Authorization Professional (CAP)
- Certified Secure Software Lifecycle Professional (CSSLP)

Several additional versions of the CISSP are offered that focus in particular areas:

- CISSP-Information Systems Security Architecture Professional (CISSP-ISSAP)
- CISSP-Information Systems Security Engineering Professional (CISSP-ISSEP)
- CISSP-Information Systems Security Management Professional (CISSP-ISSMP)

(ISC)2 derives some of its prestige from the fact that it was the first security certification body to meet the requirements set forth by ANSI/ISO/IEC Standard 17024, a global benchmark for personnel certification. This ensures that certifications offered by this organization are both highly respected and sought after.

Stated Goals

The goal of (ISC)2, operating through its administration of the CISSP certification, is to provide a reliable instrument to measure an individual’s knowledge of security. This knowledge is not limited to technology issues alone but extends to all aspects of security that face an organization.

In that regard, the topics are technically shallower than those tested by some other security certifications, while covering a much wider range of issues than those certifications do. Later in this section, the topics that comprise the eight domains of knowledge are covered in detail; the range of topics is wide. This breadth of knowledge, together with the experience needed to pass the exam, is what sets the CISSP certification apart.

The Value of the CISSP Certification

The CISSP certification holds value for both the exam candidate and the enterprise. This certification is routinely in the top 10 of yearly lists that rank the relative demand for various IT certifications.

To the Security Professional

Numerous reasons exist for why a security professional would spend the time and effort required to achieve this credential:

- To meet growing demand for security professionals
- To become more marketable in an increasingly competitive job market
- To enhance skills in a current job
- To qualify for or compete more successfully for a promotion
- To increase salary

In short, this certification demonstrates that the holder not only has the knowledge and skills tested in the exam but also that the candidate has the wherewithal to plan and implement a study plan that addresses an unusually broad range of security topics.

To the Enterprise

For an organization, the CISSP certification offers a reliable benchmark against which job candidates can be measured, because it validates both knowledge and experience. Candidates who successfully pass the rigorous exam are required to submit documentation verifying experience in the security field. Individuals holding this certification will stand out from the rest, not only making the hiring process easier but also adding a level of confidence in the final hire.

The Common Body of Knowledge

The material contained in the CISSP exam is divided into eight domains, which comprise what is known as the Common Body of Knowledge. This book devotes a chapter to each of these domains. Some overlap between the domains is inevitable, so some topics appear in more than one chapter. The topics covered in each chapter are described next.

Security and Risk Management (e.g. Security, Risk, Compliance, Law, Regulations, Business Continuity)

The security and risk management domain covers a broad spectrum of general information security and risk management topics. Topics include:

- Concepts of confidentiality, integrity, and availability
- Security governance principles, including organizational processes and control frameworks
- Compliance with laws, regulations, and privacy requirements
- Professional ethics
- Security policies, standards, procedures, and guidelines
- Business continuity requirements
- Personnel security policies
- Risk management concepts
- Threat modeling
- Security risk considerations during acquisitions
- Information security education, training, and awareness

Asset Security (Protecting Security of Assets)

The asset security domain focuses on the collection, handling, and protection of information throughout its life cycle. Topics include:

- Information and supporting asset classification
- Asset ownership
- Privacy protection
- Asset retention
- Security controls
- Handling requirements

Security Engineering (Engineering and Management of Security)

The security engineering domain addresses the practice of building information systems and related architecture that deliver the required functionality when threats occur. Topics include:

- Engineering processes using secure design principles
- Security model concepts
- Control and countermeasure selection
- Security capabilities of information systems
- Vulnerabilities of security architectures, designs, and solution elements
- Vulnerabilities in web-based systems
- Vulnerabilities in mobile systems
- Vulnerabilities in embedded devices and cyber-physical systems
- Cryptography
- Site and facility design
- Physical security

Communication and Network Security (Designing and Protecting Network Security)

The communication and network security domain focuses on protecting data in transit and securing the underlying networks over which the data travels. The topics include:

- Network architecture secure design principles
- Network components security
- Secure communication channels
- Network attacks

Identity and Access Management (Controlling Access and Managing Identity)

The identity and access management domain discusses provisioning and managing the identities and access used in the interaction of humans and information systems, of disparate information systems, and even between individual components of information systems. Topics include:

- Physical and logical asset access
- Identification and authentication of people and devices
- Identity as a Service integration
- Third-party identity service integration
- Authorization mechanisms
- Access control attacks
- Identity and access provisioning life cycle

Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)

The security assessment and testing domain covers the evaluation of information assets and associated infrastructure using tools and techniques for the purpose of identifying and mitigating risk due to architectural issues, design flaws, configuration errors, hardware and software vulnerabilities, coding errors, and any other weaknesses that may affect an information system’s ability to deliver its intended functionality in a secure manner. The topics include:

- Assessment and test strategies design and validation
- Security control testing
- Security process data collection
- Test output analysis and reporting
- Internal and third-party audits

Security Operations (e.g. Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

The operations security domain surveys the execution of security measures and maintenance of proper security posture. Topics include:

- Investigations and investigation types
- Logging and monitoring activities
- Resource provisioning security
- Security operations concepts
- Resource protection techniques
- Incident management
- Preventive measures
- Patch and vulnerability management
- Change management process
- Recovery strategies
- Disaster recovery processes
- Disaster recovery plan testing
- Business continuity planning and testing
- Physical security
- Personnel safety concerns

Software Development Security (Understanding, Applying, and Enforcing Software Security)

The software development security domain explores the software development life cycle and development best practices. Topics include:

- System and software development life cycle
- Security controls in development environments
- Software security effectiveness
- Security impact of acquired software

Steps to Becoming a CISSP

To become a CISSP, certain prerequisites must be met and procedures followed. This final section covers those topics.

Qualifying for the Exam

Candidates must have a minimum of five years of direct full-time professional security work experience in two or more of the eight domains in the Common Body of Knowledge. You may receive a one-year experience waiver with a four-year college degree or additional credential from the approved list, available at the (ISC)2 website, thus requiring four years of direct full-time professional security work experience in two or more of the eight domains of the CISSP.

If you lack this experience, you can become an Associate of (ISC)2 by successfully passing the CISSP exam. You’ll then have six years to earn your experience to become a CISSP.

Signing Up for the Exam

The steps required to sign up for the CISSP are as follows:

- Create a Pearson Vue account and schedule your exam.
- Complete the Examination Agreement, attesting to the truth of your assertions regarding professional experience and legally committing to adherence to the (ISC)2 Code of Ethics.
- Review the Candidate Background Questions.
- Submit the examination fee.

Once you are notified that you have successfully passed the examination, you will be required to subscribe to the (ISC)2 Code of Ethics and have your application endorsed before the credential can be awarded. An endorsement form for this purpose must be completed and signed by an (ISC)2 certified professional who is an active member, and who is able to attest to your professional experience.

About the CISSP Exam

The CISSP exam is a computer-based test that the candidate can spend up to 6 hours completing. There are no formal breaks, although you are allowed to bring a snack and eat it at the back of the test room; any time used for that counts toward the 6 hours. You must bring a government-issued identification card. No other forms of ID will be accepted. You may be required to submit to a palm vein scan.

The test consists of 250 items with 4 choices per item. Some of the items will not be scored and are for research, and these are not identified to the candidate. The passing grade is 700 out of a possible 1,000. Candidates will receive the unofficial results at the test center from the test administrator. (ISC)2 will then follow up with an official result via email.
