Certified Information Systems Security Professional (CISSP) is one of the most respected and sought-after security certifications available today. It is a globally recognized credential that demonstrates that the holder has knowledge and skills across a broad range of security topics.
As the number of security threats to organizations grows and the nature of these threats broadens, companies large and small have realized that security can no longer be an afterthought. It must be built into the DNA of the enterprise to be successful. This requires trained professionals versed not only in technology security but in all aspects of security. It also requires a holistic approach to protecting the enterprise.
Security today is no longer a one-size-fits-all proposition. The CISSP credential is a way security professionals can demonstrate the ability to design, implement, and maintain the correct security posture for an organization, based on the complex environments in which today’s organizations exist.
The CISSP certification is created and managed by one of the most prestigious security organizations in the world and has a number of stated goals. Although not critical for passing the exam, having knowledge of the organization and of these goals is helpful in understanding the motivation behind the creation of the exam.
The CISSP is created and maintained by the International Information Systems Security Certification Consortium, (ISC)2. (ISC)2 is a global not-for-profit organization that provides both a vendor-neutral certification process and supporting educational materials.
The CISSP is one of a number of security-related certifications offered by (ISC)2. Other certifications offered by this organization include the following:
Systems Security Certified Practitioner (SSCP)
Certified Cloud Security Professional (CCSP)
Certified Authorization Professional (CAP)
Certified Secure Software Lifecycle Professional (CSSLP)
HealthCare Information Security and Privacy Practitioner (HCISPP)
Several additional concentrations of the CISSP are offered that focus on particular areas:
CISSP-Information Systems Security Architecture Professional (CISSP-ISSAP)
CISSP-Information Systems Security Engineering Professional (CISSP-ISSEP)
CISSP-Information Systems Security Management Professional (CISSP-ISSMP)
(ISC)2 derives some of its prestige from the fact that it was the first security certification body to meet the requirements set forth by ANSI/ISO/IEC Standard 17024, a global benchmark for personnel certification programs. Accreditation against that standard is one reason the certifications offered by this organization are highly respected and sought after.
The goal of (ISC)2, operating through its administration of the CISSP and other certifications, is to provide a reliable instrument to measure an individual’s knowledge of security. This knowledge is not limited to technology issues alone but extends to all aspects of security that face an organization.
In that regard, the topics are technically shallower than those tested by some other security certifications, while covering a much wider range of issues than those certifications do. The topics that comprise the eight domains of knowledge are covered in detail later in this section, and it is a wide range. This breadth of knowledge, together with the experience needed to qualify for the exam, is what sets the CISSP certification apart.
The CISSP certification holds value for both the exam candidate and the enterprise. This certification is routinely in the top 10 of yearly lists that rank the relative demand for various IT certifications.
Numerous reasons exist for why a security professional would spend the time and effort required to achieve this credential:
To meet growing demand for security professionals
To become more marketable in an increasingly competitive job market
To enhance skills in a current job
To qualify for or compete more successfully for a promotion
To increase salary
In short, this certification demonstrates that the holder not only has the knowledge and skills tested in the exam but also has the discipline to plan and carry out a study program that addresses an unusually broad range of security topics.
For an organization, the CISSP certification offers a reliable benchmark against which job candidates can be measured, because it validates both knowledge and experience. Candidates who pass the rigorous exam are also required to submit documentation verifying their experience in the security field. Individuals holding this certification stand out from the rest, which not only makes the hiring process easier but also adds a level of confidence in the final hire.
The material covered by the CISSP exam is divided into eight domains, which together comprise what is known as the Common Body of Knowledge (CBK). This book devotes a chapter to each of these domains. Some overlap between the domains is inevitable, so some topics appear in more than one chapter; the topics covered in each chapter are described next.
The Security and Risk Management domain, covered in Chapter 1, encompasses a broad spectrum of general information security and risk management topics and is 15% of the exam. Topics include
Concepts of confidentiality, integrity, and availability
Security governance principles
Compliance requirements
Legal and regulatory issues
Professional ethics
Security policy, standards, procedures, and guidelines
Business continuity (BC) requirements
Personnel security policies and procedures
Risk management concepts
Threat modeling concepts and methodologies
Risk-based management concepts for the supply chain
Security awareness, education, and training program
The Asset Security domain, covered in Chapter 2, focuses on the collection, handling, and protection of information throughout its life cycle and is 10% of the exam. Topics include
Information and asset identification and classification
Information and asset ownership
Privacy protection
Asset retention
Data security controls
Information and asset handling requirements
The Security Architecture and Engineering domain, covered in Chapter 3, addresses the practice of building information systems and related architecture that deliver the required functionality even when threats materialize and is 13% of the exam. Topics include
Engineering processes using secure design principles
Fundamental concepts of security models
Control selection based upon systems security requirements
Security capabilities of information systems
Vulnerabilities of security architectures, designs, and solution elements
Vulnerabilities in web-based systems
Vulnerabilities in mobile systems
Vulnerabilities in embedded devices
Cryptography
Security principles of site and facility design
Site and facility security controls
The Communication and Network Security domain, covered in Chapter 4, focuses on protecting data in transit and securing the underlying networks over which the data travels and is 14% of the exam. The topics include
Secure design principles in network architectures
Network components security
Secure communication channels
The Identity and Access Management domain, covered in Chapter 5 and comprising 13% of the exam, discusses provisioning and managing the identities and access used in the interaction of humans and information systems, of disparate information systems, and even between individual components of information systems. Topics include
Physical and logical access to assets
Identification and authentication of people, devices, and services
Identity as a third-party service
Authorization mechanisms
Identity and access provisioning life cycle
The Security Assessment and Testing domain, covered in Chapter 6 and comprising 12% of the exam, encompasses the evaluation of information assets and associated infrastructure using tools and techniques for the purpose of identifying and mitigating risk due to architectural issues, design flaws, configuration errors, hardware and software vulnerabilities, coding errors, and any other weaknesses that may affect an information system’s ability to deliver its intended functionality in a secure manner. The topics include
Assessment, test, and audit strategies design and validation
Security control testing
Security process data collection
Test output analysis and reporting
Security audits
The Security Operations domain, covered in Chapter 7, surveys the execution of security measures and maintenance of proper security posture and is 13% of the exam. Topics include
Investigations and investigation types
Logging and monitoring activities
Resource provisioning security
Security operations concepts
Resource protection techniques
Incident management
Detective and preventative measures
Patch and vulnerability management
Change management processes
Recovery strategies
Disaster recovery processes
Disaster recovery plan testing
Business continuity planning and exercises
Physical security implementation and management
Personnel safety and security concerns
The Software Development Security domain, covered in Chapter 8, explores the software development life cycle and development best practices and is 10% of the exam. Topics include
Software development life cycle (SDLC) security
Security controls in development environments
Software security effectiveness
Security impact of acquired software
Secure coding guidelines and standards
To become a CISSP, a test candidate must meet certain prerequisites and follow specific procedures: first qualify for the exam, then register for it.
Candidates must have a minimum of five years of paid, full-time professional security work experience in two or more of the eight domains of the Common Body of Knowledge. A one-year experience waiver is available to candidates with a four-year college degree or an additional credential from the approved list on the (ISC)2 website, which reduces the requirement to four years of direct full-time professional security work experience in two or more of the eight domains of the CISSP.
If you lack this experience, you can become an Associate of (ISC)2 by successfully passing the CISSP exam. You’ll then have six years to earn your experience to become a CISSP.
The steps required to sign up for the CISSP are as follows:
Create a Pearson VUE account and schedule your exam.
Complete the Examination Agreement, attesting to the truth of your assertions regarding professional experience and legally committing to adhere to the (ISC)2 Code of Ethics.
Review the Candidate Background Questions.
Submit the examination fee.
Once you are notified that you have successfully passed the examination, you will be required to subscribe to the (ISC)2 Code of Ethics and have your application endorsed before the credential can be awarded. An endorsement form for this purpose must be completed and signed by an (ISC)2 certified professional who is an active member, and who is able to attest to your professional experience.
The CISSP exam is a computer-based test that the candidate can spend up to 3 hours completing in the CAT format (available in English only) or up to 6 hours completing in the linear format (available in all other languages). There are no formal breaks. You are allowed to bring a snack and eat it at the back of the test room, but any time spent doing so counts toward the time limit. You must bring a government-issued identification card; no other form of ID will be accepted. You may also be required to submit to a palm vein scan.
As of December 2017, the CISSP exam is delivered in a computerized adaptive testing (CAT) format for those who take the English-language version, while all other languages are offered only in the linear format. The CAT exam consists of a maximum of 150 questions, while the linear format consists of 250 questions. With the CAT format, the computer estimates the candidate’s ability level from his or her previous answers and the difficulty of those questions, and selects the next question accordingly. The questions get harder as the candidate answers correctly and easier as the candidate answers incorrectly, so each answer affects the questions that follow. Therefore, unlike the linear format, in which the candidate can move back and forth through the question pool and change answers, a CAT exam does NOT allow the candidate to change an answer or even view a previously answered question. The candidate may receive a pass or fail result before seeing all 150 questions. To find out more about the CAT format, go to https://www.isc2.org/Certifications/CISSP/CISSP-CAT#.
While the majority of the questions are multiple-choice questions with four options, test candidates may also encounter drag-and-drop and hotspot questions. The passing score is 700 out of a possible 1,000 points. Candidates receive unofficial results at the test center from the test administrator; (ISC)2 then follows up with official results via email.
This book maps to the topic areas of the (ISC)2 Certified Information Systems Security Professional (CISSP) exam and uses a number of features to help you understand the topics and prepare for the exam.
This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. This book does not try to help you pass the exam only by memorization; it seeks to help you to truly learn and understand the topics. This book is designed to help you pass the CISSP exam by using the following methods:
Helping you discover which exam topics you have not mastered
Providing explanations and information to fill in your knowledge gaps
Supplying exercises that enhance your ability to recall and deduce the answers to test questions
Providing practice exercises on the topics and the testing process via test questions on the companion website
To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time:
Foundation Topics: These are the core sections of each chapter. They explain the concepts for the topics in that chapter.
Exam Preparation Tasks: After the “Foundation Topics” section of each chapter, the “Exam Preparation Tasks” section lists a series of study activities that you should do at the end of the chapter:
Review All Key Topics: The Key Topic icon appears next to the most important items in the “Foundation Topics” section of the chapter. The Review All Key Topics activity lists the key topics from the chapter, along with their page numbers. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each key topic, so you should review these.
Define Key Terms: Although the CISSP exam may be unlikely to ask a question such as “Define this term,” the exam does require that you learn and know a lot of information systems security terminology. This section lists the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary at the end of the book.
Review Questions: Confirm that you understand the content that you just covered by answering these questions and reading the answer explanations.
Web-based practice exam: The companion website includes the Pearson Cert Practice Test engine that allows you to take practice exam questions. Use it to prepare with a sample exam and to pinpoint topics where you need more study.
This book contains eight core chapters—Chapters 1 through 8. Chapter 9 includes some preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the CISSP exam. The core chapters map directly to the CISSP exam topic areas and cover the concepts and technologies that you will encounter on the exam.
Register this book to get access to the Pearson IT Certification test engine and other study materials, plus additional bonus content. Check the companion website regularly for new and updated postings written by the authors that provide further insight into the more troublesome topics on the exam. Be sure to check the box indicating that you would like to hear from us to receive updates and exclusive discounts on future editions of this product or related products.
To access this companion website, follow the steps below:
Step 1. Go to www.pearsonitcertification.com/register and log in or create a new account.
Step 2. Enter the ISBN: 9780789759696.
Step 3. Answer the challenge question as proof of purchase.
Step 4. Click the Access Bonus Content link in the Registered Products section of your account page, to be taken to the page where your downloadable content is available.
Please note that many of our companion content files can be very large, especially image and video files.
If you are unable to locate the files for this title by following the steps above, please visit www.pearsonITcertification.com/contact and select the Site Problems/Comments option. Our customer service representatives will assist you.
As noted previously, this book comes complete with the Pearson Test Prep practice test software containing two full exams. These practice tests are available to you either online or as an offline Windows application. To access the practice exams that were developed with this book, please see the instructions in the card inserted in the sleeve in the back of the book. This card includes a unique access code that enables you to activate your exams in the Pearson Test Prep software.
The online version of this software can be used on any device with a browser and connectivity to the Internet, including desktop machines, tablets, and smartphones. To start using your practice exams online, simply follow these steps:
Step 1. Go to https://www.PearsonTestPrep.com.
Step 2. Select Pearson IT Certification as your product group.
Step 3. Enter your email/password for your account. If you don’t have an account on PearsonITCertification.com or CiscoPress.com, you will need to establish one by going to PearsonITCertification.com/join.
Step 4. In the My Products tab, click the Activate New Product button.
Step 5. Enter the access code printed on the insert card in the back of your book to activate your product.
Step 6. The product will now be listed in your My Products page. Click the Exams button to launch the exam settings screen and start your exam.
If you wish to study offline, you can download and install the Windows version of the Pearson Test Prep software. There is a download link for this software on the book’s companion website, or you can just enter this link in your browser:
http://www.pearsonitcertification.com/content/downloads/pcpt/engine.zip
To access the book’s companion website and the software, simply follow these steps:
Step 1. Register your book by going to PearsonITCertification.com/register and entering the ISBN: 9780789759696.
Step 2. Answer the challenge questions.
Step 3. Go to your account page and click the Registered Products tab.
Step 4. Click the Access Bonus Content link under the product listing.
Step 5. Click the Install Pearson Test Prep Desktop Version link under the Practice Exams section of the page to download the software.
Step 6. After the software finishes downloading, unzip all the files on your computer.
Step 7. Double-click the application file to start the installation, and follow the onscreen instructions to complete the registration.
Step 8. After the installation is complete, launch the application and click the Activate Exam button on the My Products tab.
Step 9. Click the Activate a Product button in the Activate Product Wizard.
Step 10. Enter the unique access code found on the card in the sleeve in the back of your book and click the Activate button.
Step 11. Click Next and then click Finish to download the exam data to your application.
Step 12. Start using the practice exams by selecting the product and clicking the Open Exam button to open the exam settings screen.
Note that the offline and online versions will sync together, so saved exams and grade results recorded on one version will be available to you on the other as well.
Once you are in the exam settings screen, you can choose to take exams in one of three modes:
Study mode: Allows you to fully customize your exams and review answers as you are taking the exam. This is typically the mode you would use first to assess your knowledge and identify information gaps.
Practice Exam mode: Locks certain customization options, as it is presenting a realistic exam experience. Use this mode when you are preparing to test your exam readiness.
Flash Card mode: Strips out the answers and presents you with only the question stem. This mode is great for late-stage preparation when you really want to challenge yourself to provide answers without the benefit of seeing multiple-choice options. This mode does not provide the detailed score reports that the other two modes do, so you should not use it if you are trying to identify knowledge gaps.
In addition to these three modes, you will be able to select the source of your questions. You can choose to take exams that cover all of the chapters or you can narrow your selection to just a single chapter or the chapters that make up specific parts in the book. All chapters are selected by default. If you want to narrow your focus to individual chapters, simply deselect all the chapters; then select only those on which you wish to focus in the Objectives area.
You can also select the exam banks on which to focus. Each exam bank comes complete with a full exam of questions that cover topics in every chapter. You can have the test engine serve up exams from all banks or just from one individual bank by selecting the desired banks in the exam bank area.
There are several other customizations you can make to your exam from the exam settings screen, such as the time of the exam, the number of questions served up, whether to randomize questions and answers, whether to show the number of correct answers for multiple-answer questions, and whether to serve up only specific types of questions. You can also create custom test banks by selecting only questions that you have marked or questions on which you have added notes.
If you are using the online version of the Pearson Test Prep software, you should always have access to the latest version of the software as well as the exam data. If you are using the Windows desktop version, every time you launch the software while connected to the Internet, it checks if there are any updates to your exam data and automatically downloads any changes that were made since the last time you used the software.
Sometimes, due to many factors, the exam data may not fully download when you activate your exam. If you find that figures or exhibits are missing, you may need to manually update your exams. To update a particular exam you have already activated and downloaded, simply click the Tools tab and click the Update Products button. Again, this is only an issue with the desktop Windows application.
If you wish to check for updates to the Pearson Test Prep exam engine software, Windows desktop version, simply click the Tools tab and click the Update Application button. This ensures that you are running the latest version of the software engine.