Certified Information Systems Security Professional (CISSP) Exam Guide - Ted Jordan - E-Book

Description

The (ISC)2 CISSP exam evaluates the competencies required to secure organizations, corporations, military sites, and government entities. This comprehensive CISSP certification guide offers up-to-date coverage of the latest exam syllabus, so you can approach the exam with confidence, fully equipped to succeed.
Complete with interactive flashcards, exam tips, and self-assessment questions, this book helps you build and test your knowledge of all eight CISSP domains. Detailed answers and explanations for all questions let you gauge your current skill level and strengthen weak areas.
This guide systematically takes you through the information you need not only to pass the CISSP exam but also to excel in your role as a security professional. Starting with the big picture of what it takes to secure an organization through asset and risk management, it then covers the specifics of securing networks and identities. Later chapters address vendor security, physical security, and software security.
By the end of this book, you'll have mastered everything you need to pass the latest CISSP certification exam, and you'll have a valuable desk reference for ongoing security work.

You can read the e-book in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 819

Year of publication: 2024




Certified Information Systems Security Professional (CISSP) Exam Guide

Become a certified CISSP professional with practical exam-oriented knowledge of all eight domains

Ted Jordan, CISSP

Ric Daza, PhD, CISSP

Hinne Hettema, PhD

Certified Information Systems Security Professional (CISSP) Exam Guide

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Authors: Ted Jordan, Ric Daza, and Hinne Hettema

Reviewers: Prashant Mohan, Navya Lakshmana, and Commander Saurabh Prakash Gupta

Publishing Product Manager: Anindya Sil

Editorial Director: Alex Mazonowicz

Development Editor: Shubhra Mayuri

Digital Editor: M Keerthi Nair

Senior Development Editor: Megan Carlisle

Presentation Designer: Shantanu Zagade

Editorial Board: Vijin Boricha, Megan Carlisle, Simon Cox, Ketan Giri, Saurabh Kadave, Alex Mazonowicz, Gandhali Raut, and Ankita Thakur

First Published: September 2024

Production Reference: 1190924

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB

ISBN: 978-1-80056-761-0

www.packtpub.com

Contributors

About the Authors

Ted Jordan, M.S., CISSP, Linux+, is a seasoned cybersecurity professional with over 30 years of experience. His career includes work with NASA, General Motors, Silicon Graphics, Sun Microsystems, Fakespace, and AM General. Ted has trained over 2,500 students to achieve their CISSP, Security+, and Linux+ certifications with The Training Camp and Learning Tree. He is also the author of five books on Linux and CISSP.

In his free time, Ted enjoys a good game of tennis or watching the complexities of carom three-cushion billiards. You can follow him at linkedin.com/in/tedjordan and youtube.com/jordanteamlearn.

Ricardo “Ric” Daza, PhD, is a cybersecurity mentor with the Tampa Bay Wave Accelerator, a committee member with West Florida ISACA, and a recipient of two NSA fellowships. He is also an adjunct cybersecurity professor and a frequent speaker at regional and international conferences. He holds a doctorate in Information Assurance as well as double CCIE (R&S, Security), CISSP, CRISC, CISA, ISO 27001 Lead Auditor, PMP, and RHCE certifications.

Dr. Daza builds networks and develops cybersecurity solutions for foreign and domestic government agencies, as well as Fortune 500 companies in the financial, technology, defense, healthcare, and manufacturing sectors. He contributes to the cyber defense of organizations across the Americas. He specializes in an evidence-based approach to tackling process and technology challenges, including networking, risk management, security analysis, incident response, risk communication, vulnerability management, metrics and maturity programs, data science, programming, and more.

In addition to being a seasoned executive cybersecurity consultant, Dr. Daza has served as an exam content developer, writing items for exams such as the CISSP for ISC2, the largest cybersecurity certification body in the world.

Hinne Hettema, who holds a PhD in theoretical chemistry and philosophy of science, focuses especially on the implementation of security practices and on mentoring others to become proficient security professionals. Working in IT since the early 1990s and focusing on security since the early 2000s, he has held a variety of roles as a consultant, as part of a team, and as the leader of a security team. With over two decades of experience in the security field, Hinne has also served as an adjunct senior research fellow in cybersecurity at the University of Queensland, Australia.

He has experience in developing, implementing and running security operations, incident response and security service definition and execution. He focuses current engagements primarily on how organizations can optimize current practices, develop improvements, and make sensible decisions about their future direction. To that end, he uses his skills in architecture, security posture management, data science, threat intelligence, risk assessment and situational awareness to ensure an optimal spend of the security dollar.

He also has extensive experience in incident handling and response, including in OT and ICS environments. He is a confident public speaker and can present to audiences ranging from the general public to boards, cybersecurity experts, and people needing training in specific aspects of cybersecurity. Hinne has authored several books, including Agile Security Operations, published by Packt.

About the Reviewers

Prashant Mohan is a seasoned Information Security professional with over 15 years of expertise across sectors like finance, healthcare, and services. He is known for his ability to assess security, improve processes, and mitigate risks, while also mentoring aspiring professionals and sharing his knowledge through webinars and forums. Prashant has authored two acclaimed books, including “Cirrus – 8000 Ft. view of CCSP Exam” and “The Memory Palace – A Quick Refresher For Your CISSP Exam”. Additionally, his role as a technical editor for various publications underscores his commitment to enhancing industry knowledge.

Recognized as a thought leader in the realm of security architecture, Prashant Mohan leverages modern platforms to educate and empower others. His YouTube channel, “Lazy_Architect”, (http://www.youtube.com/@Lazy_architect) serves as a hub for valuable tutorials, discussions, and insights into security architecture best practices.

In his leisure time, he is an avid explorer of the cosmos, delving into the mysteries of the Universe. When he is not doing any of these things, he relishes moments with his lovely wife and adoring daughter.

Navya Lakshmana, a cybersecurity professional with a decade of experience in information technology, earned her bachelor’s degree in electronics and communication from Visvesvaraya Technological University (VTU) in Bengaluru, Karnataka, India. She is currently employed at Siemens Healthineers, a renowned healthcare service provider that creates advanced medical technology for everyone, everywhere, sustainably. Navya holds distinguished certifications, including CISSP, CCSP, GIAC Cloud Penetration Tester (GCPN), and GIAC Penetration Tester (GPEN).

Beyond her professional endeavors, Navya is dedicated to cybersecurity education. As the founder of CyberPlatter, a YouTube channel, she educates cybersecurity enthusiasts and professionals alike.

Commander Saurabh Prakash Gupta, CISSP, CCSP, CISM, GCIH, is a military veteran currently employed as a cybersecurity expert with Bosch Global Software Technologies in Bengaluru, India. Having started his journey as a marine engineer, he then developed expertise in the domains of information technology and information security over more than 20 years. He is currently leading the cybersecurity program for providing consulting and testing services to global customers in automotive, embedded, IoT, OT, cloud, and enterprise IT product domains. Previously, for the Indian Navy, he led the program for software induction and enterprise cybersecurity deployment at the Indian Navy headquarters. He loves traveling and is an avid reader.

Table of Contents

Preface

I

Becoming a CISSP

Making the Most Out of This Book – Your Certification and Beyond

The Need for CISSPs

CISSP Exam Overview

CISSP Exam Structure

Information About Becoming a CISSP

Exam Tips and Tricks

Summary

II

Pre-Assessment Test

Security and Risk Management – 16%

Asset Security – 10%

Security Architecture and Engineering – 13%

Communication and Network Security – 13%

Identity and Access Management (IAM) – 13%

Security Assessment and Testing – 12%

Security Operations – 13%

Software Development Security – 10%

Answer Key

Summary

1

Ethics, Security Concepts, and Governance Principles

The ISC2 Code of Professional Ethics

Important Security Concepts

Confidentiality Concepts

Authenticity and Nonrepudiation

Integrity Concepts

Availability Concepts

People Safety Concepts

Evaluating and Applying Security Governance Principles

Organizational Policies and Decision-Making

Mergers, Acquisitions, and Divestitures

Essential Security Frameworks

The Organizational Legal Liability Risk

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

2

Compliance, Regulation, and Investigations

Determining Compliance and Other Requirements

Contractual Requirements

Legal Requirements

Industry Standards

Regulatory Requirements

Privacy Requirements

Understanding Legal and Regulatory Issues

Cybercrimes and Data Breaches

Licensing and Intellectual Property Requirements

Trade Secrets

Software Licensing

Digital Rights Management

Import and Export Controls

Transborder Data Flow

Contracts

Privacy

Understanding the Requirements for Investigation Types

Administrative Investigations

Criminal Investigations

Civil Investigations

Regulatory Investigations

Industry Standards

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

3

Security Policies and Business Continuity

Policies

Characteristics of a Successful Policy

Information Security Policy Life Cycle

Standards

Procedures

Guidelines

Identifying, Analyzing, and Prioritizing BC Requirements

Business Impact Analysis (BIA)

Developing and Documenting the Scope and the Plan

Contributing to and Enforcing Personnel Security Policies and Procedures

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

4

Risk Management, Threat Modeling, SCRM, and SETA

Risk Management

Identify Threats and Vulnerabilities

Risk Assessment/Analysis

Risk Response

Countermeasure Selection and Implementation

Types of Controls

Control Assessments

Monitoring and Measurement

Reporting

Continuous Improvement and Risk Maturity Modeling

Risk Frameworks

Threat Modeling Concepts and Methodologies

Supply Chain Risk Management

Risks Associated with Hardware, Software, and Services

Third-Party Assessment and Monitoring

Minimum Security Requirements

Service-level requirements

SETA Programs

Awareness and Training

Periodic Content Reviews

Program Effectiveness Evaluation

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

5

Asset and Privacy Protection

Identifying and Classifying Information and Assets

Data Classification

Asset Classification

Establishing Information- and Asset-Handling Requirements

Provisioning Resources Securely

Information and Asset Ownership

Asset Inventory

Asset Management

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

6

Information and Asset Handling

Managing the Data Life Cycle

Data Roles

Data Collection

Data Location

Data Maintenance

Data Retention

Data Remanence

Data Destruction

Asset Retention

Data Security Controls and Compliance

Data States

Standards Selection

Scoping and Tailoring

Data Protection Methods

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

7

Secure Design Principles and Controls

Researching, Implementing, and Managing Engineering Processes Securely

Threat Modeling

Least Privilege

Defense in Depth

Secure Defaults

Fail Securely

Separation of Duties

Keep It Simple

Trust but Verify

Zero Trust

Privacy by Design

Shared Responsibility

Understanding the Fundamental Concepts of Security Models

Bell-LaPadula

Biba

Clark-Wilson

Brewer and Nash

Graham-Denning

James Anderson

Harrison, Ruzzo, Ullman

Selecting Controls Based on System Security Requirements

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

8

Architecture Vulnerabilities and Cryptography

Security Capabilities of Information Systems

Security Engineering Standards

Security Engineering Processes

Universal Security Models

Mitigating with Access Control Techniques

Mitigating Threats with Other Techniques

Mitigating Threats in System Virtualization

Assessing and Mitigating the Vulnerabilities of Security Architectures and Designs

Client-Based Systems

Server-Based Systems

Database Systems

Cryptographic Systems

Industrial Control Systems

Cloud-Based Systems

Distributed Systems

IoT

Microservices

Serverless

Containerization

Embedded Systems

High-Performance Computing Systems

Edge Computing Systems

Virtualized Systems

Selecting and Determining Cryptographic Solutions

Portable Device Security

Email Security

Web Application Security

Other Security Methods for Data in Transit

Cryptographic Life Cycle

Different Cryptographic Methods

Symmetric Encryption

Asymmetric Encryption

Symmetric versus Asymmetric Algorithms

Hashing Algorithms

Stronger Encryption with Salts and Initialization Vectors

Public Key Infrastructure

Encryption, Hashing, and Digital Signatures for PKI

Digital Certificates and CAs

Understanding Methods of Cryptanalytic Attacks

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

9

Facilities and Physical Security

Security Principles in Site and Facility Design

External Boundary Security

Personnel Access Security Controls

Site and Facility Alarm Systems

Surveillance Systems

Cabling Wiring and Distribution Facilities

Restricted and Work Area Security

Server Rooms and Data Centers

Media Storage Facilities

Evidence Storage

Utilities and Heating, Ventilation, and Air Conditioning (HVAC)

Environmental Issues

Fire Prevention, Detection, and Suppression

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

10

Network Architecture Security

Secure Design Principles in Network Architectures

The Seven Layers of OSI

TCP/IP Model

Implications of Multilayer Protocols

Converged Protocols

Micro-Segmentation

Software Defined Networks and Software-Defined Wide Area Networks

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

11

Securing Communication Channels

Secure Network Components

Operation of Hardware

Transmission Media

Network Access Control Devices

Endpoint Security

Secure Communication Channels

Voice

Multimedia Collaboration

Remote Access

Data Communications

Virtualized Networks

Third-Party Connectivity

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

12

Identity, Access Management, and Federation

Securing Access Control

Securing Data and Information

Access Controls

Device Types

Identity Provisioning

Standard User and Superuser Accounts

User Account Setup and Removal

Identity and Authentication

Components of Identity Management

Authentication Methods

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

13

Identity Management Implementation

Implementing Authentication Systems

SAML

Open Authorization 2.0

OpenID Connect

Authentication, Authorization, and Accounting Systems

RADIUS

TACACS+

Kerberos

Risk-Based Access Controls

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

14

Designing and Conducting Security Assessments

Designing and Validating Assessment, Test, and Audit Strategies

Internal Audits

External Audits

Third-Party Audits

Advantages of Third-Party, External, and Internal Audits

Conducting Security Control Testing

Vulnerability Assessment

Penetration Testing

Log Reviews

Synthetic Transactions

Code Review and Testing

Misuse Case Testing

Test Coverage Analysis

Interface Testing

Breach and Attack Simulations

Compliance Checks

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

15

Designing and Conducting Security Testing

Collecting Security Process Data

Management Review and Approval

Account Management

Key Performance and Risk Indicators

Backup Verification Data

Training and Awareness

Disaster Recovery and Business Continuity

Analyzing Test Output and Generating a Report

Remediation

Exception Handling

Ethical Disclosure

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

16

Planning for Security Operations

Understanding and Complying with Investigations

Evidence Collection and Handling

Locard’s Exchange Principle

Reporting and Documentation

Investigative Techniques

Extended Detection and Response

Digital Forensics Tactics, Techniques, and Procedures

Artifacts

Conducting Logging and Monitoring Activities

Intrusion Detection and Prevention

Continuous Monitoring

Egress Monitoring

Log Management

SIEM

Threat Intelligence

Strategy and Threat Intelligence

UEBA

Performing Configuration Management

Provisioning

Baselining

Automation

Applying Foundational Security Operations Concepts

Need to Know and Least Privilege

Separation of Duties and Responsibilities

Privileged Account Management

Job Rotation

Service-Level Agreements

Applying Resource Protection

Media Management

Media Protection Techniques

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

17

Security Operations

Conducting Incident Management

Detection

Response

Mitigation or Containment

Eradication

Recovery

Reporting

Lessons Learned

Operating and Maintaining Detective and Preventive Measures

Endpoint Security and Anti-Malware

Network Security and Firewalls

Intrusion Detection and Prevention Systems

Whitelisting and Blacklisting

Third-party Security Services

Sandboxing

Honeypots and Honeynets

Machine Learning and Artificial Intelligence (AI)-Based Tools

The Zero Trust Concept

Implementing and Supporting Patch and Vulnerability Management

Change Management Processes

Architecture

Change Management

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

18

Disaster Recovery

Implementing Disaster Recovery Strategies

Backup Storage Strategies

Recovery Site Strategies

Virtualization

Multiple Processing Sites

Comparing Security and Resilience in Systems

Implementing Disaster Recovery Processes

Testing Disaster Recovery Plans

Tabletop Exercise

Walk-Through

Simulation of a Disaster

Parallel Testing

Full Interruption

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

19

Business Continuity, Personnel, and Physical Security

Planning and Exercises

Security Infrastructure Engineering and Business Continuity

Maintain Security Posture During Failover

Key Management During Failover

Implement and Manage Physical Security

Perimeter Security Controls

Internal Security Controls

Personnel Safety and Security Concerns

Travel

Security Training and Awareness

Social Media Policy

Emergency Management

Duress

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

20

Software Development Life Cycle Security

Software Development Methodologies

Waterfall

Agile

DevOps and DevSecOps

Maturity Models

CMMI

SAMM

Operations and Maintenance

Change Management

Integrated Product Team

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

21

Software Development Security Controls

Computer Programming

Programming Languages

Libraries

Tool Sets

Integrated Development Environments

Runtime

Continuous Integration and Continuous Delivery

Application Security Testing

Software Security Automation

Security Orchestration, Automation, and Response

Software Configuration Management

Code Repositories

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

22

Securing Software Development

Assessing the Effectiveness of Software Security

Auditing and Logging of Changes

Race Conditions

Assess the Security Impact of Acquired Software

COTS

Open Source Software

Third-Party

Managed Services

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

23

Secure Coding Guidelines, Third-Party Software, and Databases

Security Vulnerabilities at the Source Code Level

Testing

Security Weaknesses

Security of APIs

Secure Coding Practices

Software-Defined Security

Establishing Secure Databases

Database Models

Hierarchical Database Model

Relational Database Model

Centralized/Decentralized Models

Processing Database Transactions

Database Security

Aggregation Attacks

Inference Attacks

Concurrency Attacks

Concurrency Control

Polyinstantiation

Open Database Connectivity

NoSQL

Knowledge-Based AI

Summary

Further Reading

Exam Readiness Drill – Chapter Review Questions

Exam Readiness Drill

Working On Timing

24

Accessing the Online Practice Resources

Other Books You May Enjoy

Download a Free PDF Copy of This Book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below:

https://packt.link/free-ebook/9781800567610

Submit your proof of purchase. That’s it! We’ll send your free PDF and other benefits to your email directly.

I

Becoming a CISSP

You have begun the journey to obtain the most prized cybersecurity certification in the world. The Certified Information Systems Security Professional (CISSP) is said to be 10 miles wide and an inch deep: its eight domains cover a vast amount of information. However, despite that saying, you still need to understand the underlying concepts, because the exam does not just test your memory of concepts but also your ability to apply them in scenarios to solve problems.

One reason the CISSP is as broad and respected as it is is that it is built and maintained by experts from around the world and from diverse industries. These experts (all of whom hold a CISSP certification) gather every three years to review and revise the exam outline during the job task analysis (JTA) portion of the certification’s life cycle. During the JTA process, the experts ensure that the knowledge embodied by the outline represents what a cybersecurity practitioner needs to know to perform their job effectively. This chapter will discuss why this is so critical. You’ll review the CISSP exam itself, its structure, and the CISSP Computerized Adaptive Testing (CAT) version of the exam. You’ll also be given the best exam tips and tricks. Finally, you’ll learn what it takes to become a CISSP.

Making the Most Out of This Book – Your Certification and Beyond

This book and its accompanying online resources are designed to be a complete preparation tool for your CISSP Exam.

The book is written in a way that you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, interactive flashcards, and exam tips to help you work on your exam readiness from now till your test day.

Before You Proceed

To learn how to access these resources, head over to Chapter 24, Accessing the Online Practice Resources, at the end of the book.

Figure 1.1: Dashboard interface of the online practice resources

Here are some tips on how to make the most out of this book so that you can clear your certification and retain your knowledge beyond your exam:

Read each section thoroughly.

Make ample notes: You can use your favorite online note-taking tool or a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link on the Dashboard to open the book in Packt Reader, where you can highlight specific sections.

Chapter Review Questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter, in the Exam Readiness Drill – Chapter Review Questions section. That way, you improve your exam-taking skills after each chapter rather than only at the end.

Flashcards: After you’ve gone through the book and scored 75% or more on each chapter’s review questions, start reviewing the online flashcards. They will help you memorize key concepts.

Mock Exams: Work through the mock exams that come with the book right up until your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.

Exam Tips: Review these from time to time to improve your exam readiness even further.

In this section, we will cover the following topics:

The need for CISSPs

CISSP exam overview

CISSP exam structure

Exam tips and tricks

Information about becoming a CISSP

The Need for CISSPs

One of the challenges facing the cybersecurity profession is finding enough qualified practitioners to meet demand. According to the Bureau of Labor Statistics, job growth in information security was projected at 37% from 2012 to 2022 (https://packt.link/FNAup), much faster than the average for all other occupations. The Human Resources (HR) professionals on the front lines of this challenge rarely have the ability to quantify the expertise of a cybersecurity job candidate. A respected, unbiased standard is therefore needed to help potential employers distinguish qualified candidates from unqualified ones. Enter ISC2 and its CISSP certification.

The International Information System Security Certification Consortium (ISC2) was established as a non-profit organization in 1989. Five years later, ISC2 launched its first certification, the CISSP, in 1994. At the time, the cybersecurity market was in desperate need of a baseline of cybersecurity knowledge to aid both the industry in standardizing the profession and those seeking to hire cybersecurity professionals. Since its founding, ISC2, through the CISSP and its other eight certifications, has established and maintained that standard.

In 2005, the United States Department of Defense (DoD) created the 8570 directive to assess and manage its cybersecurity workforce. The CISSP provides independent verification of a practitioner’s baseline knowledge and experience in cybersecurity. The CISSP tells the world that you know something about cybersecurity—not just something, but the right something, as determined by industry experts who hold a CISSP certification. Under the 8570 directive and its current successor, the 8140 directive, many cybersecurity job roles within the DoD require a CISSP certification to qualify.

In addition to helping HR professionals validate a baseline level of knowledge, the CISSP certification also validates experience. The CISSP certification requires not just a passing score but a minimum of five years of experience. ISC2 verifies this requisite experience before conferring the certification on any candidate who has achieved a passing score on the exam. You will learn more about this experience requirement in the Information about Becoming a CISSP section. This additional benefit of experience verification is of great value to employers.

The CISSP certification also comes with a 40-hour annual Continuing Professional Education (CPE) requirement to keep your certification current. See https://packt.link/6EFMh for more information. While ISC2 is a non-profit organization, it does not track your CPEs and maintain your currency for free; there is an annual maintenance fee of 125 USD per year. The bright side is that if you choose to pursue any of the other eight ISC2 certifications, you will pay only 85 USD per year, unlike with other cybersecurity certification organizations.

CISSP Exam Overview

The CISSP exam outline is the most important tool when preparing for the certification. It is no exaggeration to say it is the roadmap of the test, and this section will explain why it is so important to know it well. First and foremost, it is what ISC2 uses to build the test questions. The certification industry (organizations such as ISC2, ISACA, SANS, and CompTIA) calls exam questions items, and the process of building them is called item writing. For the CISSP exam, item writing is done by volunteer CISSPs in an item writing workshop.

If you search the web for item writing, you’ll find many first-hand accounts from volunteers about their experiences of participating in an item writing workshop. There are some excellent ones on ISC2 where volunteers share their workshop experiences and details about the item writing process: https://packt.link/SvggM. ISC2 works very hard to protect the confidentiality and efficacy of their item bank (their database of exam questions). So, don’t waste your time trying to find or use brain-dumps or allegedly real questions (most likely fake).

Your study time is much better spent understanding the material covered in the exam outline and how ISC2 uses it to build items. The exam outline is the product of another kind of volunteer workshop, known as a Job Task Analysis (JTA). In this workshop, the volunteer CISSPs review the current outline and update it to more accurately reflect the knowledge and skills a CISSP should have today and over the next three-year cycle. Once this crucial step is complete, the existing items in the bank must be mapped to the new outline. This is also done by volunteer CISSPs in a workshop called an item mapping workshop.

The item mapping process is important for two reasons. First, categorizing items into the appropriate part of the outline is necessary to build every test with an exact balance of items from the appropriate part of the outline, as determined by the JTA. The weighting of the outline will be discussed in detail later. Second, item mapping is necessary to determine where and how big the holes are in the item bank. These holes are then assigned to subsequent item writing workshops to be filled with new items based on the new exam outline. See https://packt.link/IqXal to view the outline.

This aspect will be of particular interest to you as you prepare for the CISSP exam. Each item must map to a specific topic in the exam outline. No surprise items on topics not covered by the exam outline are allowed. So, the exam items are fixed by the exam outline—this is an unbreakable rule. That being said, the outline is divided into eight domains or areas of knowledge, which you will soon see can be quite broad.

Domains

A domain is a broad collection of related information. In this section, you will become more familiar with the exam outline. The top level of the outline represents the eight domains. The second level represents the subject areas within the domain that CISSP candidates need to be familiar with related to that domain. Many second-level subject areas have a third level to further clarify the knowledge that is to be tested in the exam at the level above it. Any concept under the umbrella of a domain is fair game as a potential exam item.

It is no coincidence that this book is laid out exactly like the CISSP exam’s outline, as that is the information you need to know. Each domain in the exam outline will be covered by one or more chapters in this book. The goal is to introduce and explain each concept in the exam outline. Not only do you need to memorize this, but you also need to understand it as the exam tests your ability to correctly apply concepts to solve situations. It is not possible to capture every bit of potential information contained within a domain. This book will at least introduce every concept in the outline and delve deeper into those areas that are understood to have a high probability of showing up on your test.

CISSP CAT Examination Weightage

As mentioned earlier, each domain in the exam outline has a weight assigned. This means the Pearson VUE testing software must build your test with the exact percentage weights that are prescribed in the exam outline. So, if your test has 100 scored items, 16% or 16 items will be about concepts in Domain 1, Security and Risk Management.

While all ISC2 exam outlines provide domain-level weights, the CISSP exam outline provides weights for both linear testing and CAT. See https://packt.link/UCB05 for more information. The following table shows the domain level (the top level) of the exam outline, along with its corresponding weights:

Domain                                         Weight
1. Security and Risk Management                16%
2. Asset Security                              10%
3. Security Architecture and Engineering       13%
4. Communication and Network Security          13%
5. Identity and Access Management (IAM)        13%
6. Security Assessment and Testing             12%
7. Security Operations                         13%
8. Software Development Security               10%

Table 1.1: CISSP CAT examination weights

The weights are the same for both versions (linear testing and CAT) of the test. ISC2 publishes item weight information for both linear testing and CAT in case you plan on taking a non-English version of the CISSP exam. All ISC2 exams besides the English CISSP exam are linear. See https://packt.link/oNM7u for the other languages available. While the domain weights are fairly evenly balanced, they do have a little difference among them. This may help you budget your time and help you decide where you want to focus your study efforts. This information, combined with the pre-assessment test in the next chapter, can provide insights into where and how to focus your time.

CISSP CAT Examination Information

In 2017, ISC2 began using CAT for all English CISSP exams worldwide. This version of the test covers the same material from the exam outline as the traditional test (linear testing). According to ISC2, “CISSP CAT is a more precise and efficient evaluation of your competency” (https://packt.link/TxPI2). Translation—it is a little less painful. If you know the material, the CAT exam can determine that in fewer items. You go from the linear test, which is 6 hours long and contains 250 items, to a 3-hour test with potentially as few as 100 items in the CAT exam.

Overall, the CAT exam is much nicer than the linear version. That being said, there are a few things about the CAT exam you should know so that you are not surprised. First, the CAT scoring algorithm is much more efficient. This means that you never really know when the test is going to end.

You know the absolute minimum (100 items) and the absolute maximum (3 hours), although it is unlikely that you will finish at either of those two extremes. The test ends as soon as the algorithm is confident you either know your stuff or you don’t. If you don’t know your stuff, the algorithm will not just let you run down the clock while exposing more items to you if it already knows you are not going to pass.

CISSP Exam Structure

The exam is made up of three types of items: multiple-choice questions, innovative questions, and scenario questions. The last two types of questions are legacy, meaning ISC2 will not be making any more questions of that type. The bulk of the questions are multiple-choice, and that is what this book will be focusing on. The other two types have been mentioned because you may see one or two in your exam.

“Innovative questions” is a fancy term for drag and drop. Imagine a graphic with four or five different boxes, where you have to drag the concept or term from one side of the screen to the other to match it up with an appropriate concept. If you know the material in this book, you should have no problem with this type of question. Another rare type of question is scenario questions. These questions have a long introduction scenario, followed by two to five questions based on that scenario.

As mentioned previously, today’s CISSP exam is predominantly made up of multiple-choice questions (MCQs). These questions have a to-the-point question portion (known as the item stem) and they have four options (A, B, C, and D). Only one option is the key or the correct answer; there cannot be more than one correct answer. The other three options are called distractors; they are incorrect answers.

To pass the exam, you need 700 out of 1,000 points. These points are scaled, which means that not all the questions are worth the same. Additionally, 25 questions are worth zero points. These are known as pre-test questions. If a pre-test question performs well, it will be promoted to a scored item in a future exam. Obviously, ISC2 does not indicate which questions are pre-test and which are scored, so try your best on all the questions.

So, what makes one question worth more than another? The more cognitively difficult the question, the more points it is worth. This cognitive difficulty is based on Bloom’s Taxonomy. See https://packt.link/eLxTU for more information on Bloom’s Taxonomy. In short, Bloom explains that there are different levels of understanding regarding concepts, with the most basic being Knowledge and the highest being Evaluation. For the CISSP exam, you only need to learn Knowledge, Application, and Analysis, as shown in the following diagram:

Figure 1.2: Bloom’s Taxonomy

You can think of a knowledge-level question as pure memorization of a term or a concept you read. Application-level questions can be thought of as a deeper understanding of the underlying concept. Finally, the most challenging of cognitive levels is Analysis. It requires a deep understanding of multiple concepts; in particular, applying multiple concepts to solve a specific problem.

The idea of cognitive difficulty is best made clear with a few examples. Consider a concept from Domain 4, Communication and Network Security; specifically, 4.1:

At which layer of the Open System Interconnection (OSI) reference model does the Address Resolution Protocol (ARP) operate?
A. 2 – Data Link
B. 3 – Network
C. 6 – Presentation
D. 7 – Application

This is an example of a knowledge-level item. You only need to remember from reading or seeing an OSI model graphic that ARP is a layer 2 protocol. You need not know what it does, how it does it, about security issues with ARP, or how to fix them.

What is the purpose of the Address Resolution Protocol (ARP)?
A. To resolve a Fully Qualified Domain Name (FQDN)
B. To request an Internet Protocol (IP) address for a host
C. To resolve an Internet Protocol (IP) address to a Media Access Control (MAC) address
D. To build a loop-free topology in Internet Protocol (IP) networks

This is an example of an application-level item. It requires a deeper understanding of what ARP does, why it is needed, and where it fits into the OSI and Transmission Control Protocol/Internet Protocol (TCP/IP) models.

Which attack leverages the Address Resolution Protocol (ARP)?
A. Transmission Control Protocol (TCP) spoofing
B. Distributed Denial of Service (DDoS)
C. Man-in-the-Middle (MitM)
D. Dynamic Host Configuration Protocol (DHCP) starvation

This is an example of an analysis-level item. Here, the exam is still just talking about ARP, but each question requires a progressively deeper understanding of the underlying ARP concept. For this item, you must understand what ARP is, how ARP works, and the cybersecurity attacks that use it. Notice that all three items are single sentences: there is no correlation between the length of a question’s portion (the item stem) and its cognitive difficulty.
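To make the analysis-level understanding concrete, here is an added example (not from the book) of what "how ARP works and the attack that uses it" looks like from a defender's seat: a small monitor that builds an ARP cache from observed replies and flags the binding changes an ARP-based Man-in-the-Middle produces. All addresses and timestamps are constructed sample data.

```python
"""Added example (not from the book): a tiny ARP cache monitor.

ARP (OSI layer 2) maps an IPv4 address to a MAC address: a host broadcasts
a request and caches whatever reply comes back. Replies are not
authenticated, so a host that answers for an address it does not own can
pull that address's traffic through itself (the Man-in-the-Middle the
analysis-level item refers to). A defender can catch this by watching for
an IP whose cached MAC changes, or one MAC claiming several IPs.
"""
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str
    t: float  # seconds since capture start (constructed)


@dataclass
class ArpMonitor:
    cache: dict = field(default_factory=dict)   # ip -> mac, like a host's ARP table
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply) -> None:
        """Update the cache as a host would, but record any binding change."""
        mac = reply.sender_mac.lower()
        known = self.cache.get(reply.sender_ip)
        if known is not None and known != mac:
            self.alerts.append(
                f"t={reply.t:.1f}s {reply.sender_ip} changed {known} -> {mac}")
        self.cache[reply.sender_ip] = mac

    def resolve(self, ip: str):
        """What the host would now use as the MAC for this IP (None if unknown)."""
        return self.cache.get(ip)

    def duplicate_macs(self) -> dict:
        """MACs bound to more than one IP; a poisoner typically claims the gateway
        in addition to its own address."""
        by_mac: dict = {}
        for ip, mac in self.cache.items():
            by_mac.setdefault(mac, []).append(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


# Constructed capture: three legitimate replies, then host .20's MAC answers
# for the gateway address.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:01", 0.0),   # gateway
    ArpReply("192.168.1.10", "00:11:22:33:44:10", 0.5),
    ArpReply("192.168.1.20", "00:11:22:33:44:20", 1.0),
    ArpReply("192.168.1.1", "00:11:22:33:44:20", 5.0),   # gateway binding hijacked
]


def run_monitor(replies=SAMPLE_REPLIES) -> ArpMonitor:
    mon = ArpMonitor()
    for reply in replies:
        mon.observe(reply)
    return mon


if __name__ == "__main__":
    m = run_monitor()
    print("gateway now resolves to", m.resolve("192.168.1.1"))
    for alert in m.alerts:
        print("ALERT:", alert)
    print("MACs claiming several IPs:", m.duplicate_macs())
```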

Information About Becoming a CISSP

What does it take to become a CISSP? Two things. First, you must demonstrate mastery of the knowledge encompassed in the CISSP exam outline, which this book and your diligent efforts will help you with. Second, you must meet the CISSP experience requirement. See https://packt.link/OkYeS for more details. Upon passing the exam, you must furnish ISC2 with proof of at least five years of cumulative paid work experience in at least two of the eight domains in the CISSP exam outline.

ISC2 is very specific regarding how much experience it takes to satisfy this requirement. By five years, they mean throughout your career, including full-time (35+ hours/week), part-time (20–34 hours/week), and internships. One year of experience equals 2,080 hours. So, a total of 10,400 hours is required.

At the time you pass the exam, you are not a full CISSP yet. A four-year college degree or a certification from an ISC2-approved list will satisfy one year of experience. If you do not yet meet the experience requirement, don’t worry—you will be designated as an Associate CISSP and will be given six years to meet the job experience requirement.

Exam Tips and Tricks

This section will present some tried and tested exam tips and tricks to help you study for the CISSP exam, as well as some tips on how to approach the questions. First, consider the ISC2 website. There is a wealth of resources there, two of which you should be familiar with. The first is the ISC2 Community (https://packt.link/OT5sN), where you can explore the community you are trying to join. Be sure to check out the CISSP study group at https://packt.link/mEwXi.

The second resource is the ISC2 official acronym list, which is made available to you during the exam. However, you can preview it here: https://packt.link/AZxpN. Every acronym used anywhere in an ISC2 item bank is made public here, so the list is a sneak peek into the concepts the items cover. Note that this covers all the acronyms for all nine of the tests that ISC2 offers (CISSP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, SSCP, CCSP, CAP, CSSLP, and HCISPP); they are not broken down by certification.

The goal of ISC2 is to ensure that exam candidates have a true command of the exam’s material, thus avoiding on-paper CISSPs. These are people who have their certification, but once they are in a professional setting, they do not understand the CISSP Common Body of Knowledge (CBK), which would threaten ISC2 and its CISSP certification’s hard-fought reputation as the best in cybersecurity. To that end, this section will discuss your study strategy. Unlike other tests you may have taken in the past, the CISSP exam will require more than just memorization to pass. It is important to keep this in mind. With each concept you are exposed to as you prepare, ask yourself:

Why is this important?
How does it work?
What other concepts does it relate to?

The axiom understand, don’t memorize is aptly illustrated by security frameworks such as ISO 27001, NIST 800-53, and COBIT. While it is important to be familiar with these and other fundamental documents, these three frameworks all cover the same concepts—it is just that they are published by three different organizations: ISO, NIST, and ISACA, respectively. You do not want to spend your precious study time memorizing which framework says what or how it says it. Rather, focus your efforts on understanding the concepts contained within, why they are important, and who tends to use one framework over another and why.

Moving on to the test itself, take a look at some strategies to use during the test. Remember that the bulk of the exam questions will be in multiple-choice format, that is, the format where the question portion of the item is known as the item stem, and the four potential answers are known as options. Each part of these items is discussed next. First, keep in mind that the length of the item stem can mislead you into a false sense of security.

As mentioned earlier in this chapter, the length of the item stem is not representative of its underlying complexity. So, be sure you understand the nuance of what is being asked. It can be easy to quickly read a question, especially one with a short item stem, and assume you know what they are asking. The best way to avoid this pitfall is to read the question slowly and carefully. Your eyes can play tricks on you when you speed read. Missing or misreading just one word can change its meaning. Anxious test-takers tend to rush, afraid they will run out of time. If you know the material, then there will be plenty of time.

Now, take a look at the options portion of an item. Remember that there are only four options (A, B, C, and D). Only one of those options is the correct answer or the key. The other three options are aptly named distractors. ISC2 does not set out to trick you but to test how well you know the material. Sometimes, the difference between one answer option and another is one word or the sequence of a list. So, the wrong answer will look right to someone who only slightly knows the concept being tested. That is the mark of a good distractor: not to trick someone who understands the concept but to distinguish between the ones who do and do not know the concept well.

Sometimes, you can know the material too well. This can happen in a couple of ways. One way is that you work or have worked in the domain that is being tested, so you have real-world experience. This can cause you to overthink the question. Keep in mind that every item on the CISSP exam must be backed up with a valid reference. Exam items are never based solely on an item writer’s personal experience unless their personal experience is common practice. It would be unfair to expect any CISSP candidate to have knowledge that is not publicly available, so items are drawn from non-proprietary sources such as books, journals, and websites.

If you find yourself facing an item where, after reading the stem, you cannot find the right answer among the options, here are a few tips. First, look for the best answer from the given choices. Next, all else being equal, choose your answer while wearing your manager hat and not as a technical person. Remember that the CISSP is meant to be broad, not deep—a perspective prized among managers. Finally, if those two tips do not illuminate the best choice, try to understand the differences among and between all the options given. If all else fails, guess. In the CAT version of the CISSP exam, you cannot mark questions or go back to a question later, so never leave a question unanswered.

Summary

In this chapter, we discussed the CISSP certification and why it is so valuable in the cybersecurity industry. You also learned how it is built and maintained by CISSP-certified experts from around the world. You were introduced to the all-important CISSP exam outline provided by ISC2 and the foundation of how this book is organized and dug deeper into the CISSP exam’s structure. You got some exam tips and tricks and learned about the experience requirements to fully become a CISSP.

The next chapter will give you a pre-assessment test to help you gauge your strengths and weaknesses in the exam outline.

II

Pre-Assessment Test

To successfully begin any journey, you need two things. First, you must know where you are starting from. Second, you must know where you are going (your destination). The second part is easy: your goal is to pass the CISSP exam. On every journey, it is usually desirable to take the most direct path. To that end, the purpose of this chapter is to help you determine where your knowledge might be stronger and where it might be weaker.

This does not mean that if you pass all the pre-assessment questions from a given domain, it is safe to skip that domain entirely. If you plan to go through this book sequentially, chapter by chapter, then you can skip the questions in this chapter and jump right into Chapter 1, Ethics, Security Concepts, and Governance Principles. When you are done with the material in this book, you can use the questions in this chapter to help you prepare for the exam. However, if your study style is to jump around, using either the domain weights (see the previous chapter) or the results of this pre-assessment test as a guide, that strategy works as well. This pre-assessment test is weighted by domain, just like the actual test. So, get started by discovering your strengths and weaknesses.

Security and Risk Management – 16%

1. How many canons are there in the ISC2 Code of Ethics?
A. 3
B. 4
C. 5
D. 6

2. What is the purpose of conducting a Business Impact Analysis (BIA)?
A. Enumerating vulnerabilities and prioritizing them for the business
B. Reporting a breach and determining its impact on the business
C. Determining and quantifying the cybersecurity risk to the business
D. Identifying and evaluating the impact that unexpected events have on the business

3. Which of the following should be used to determine the risks associated with using a Cloud Provider (CP) for the backend of a mobile application?
A. Control Objectives for Information and Related Technology (COBIT)
B. Open Web Application Security Project (OWASP)
C. Cloud Access Security Broker (CASB)
D. Process for Attack Simulation and Threat Analysis (PASTA)

4. Which privacy regulation would an international company need to meet to be compliant in Canada?
A. Health Insurance Portability and Accountability Act (HIPAA)
B. Personal Information Protection and Electronic Documents Act (PIPEDA)
C. General Data Protection Regulation (GDPR)
D. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)

Asset Security – 10%

1. Which of the following roles has technical control over an information asset dataset?
A. Data creator
B. Data custodian
C. Data processor
D. Data owner

2. Which classification type is BEST suited for information that, if compromised or accessed without authorization, could lead to criminal charges?
A. Internal-only
B. Confidential
C. Restricted
D. Public

3. How long should an organization retain its data?
A. 1 to 3 years
B. It depends on the kind of data being retained
C. At least 7 years
D. Destroy it as soon as it is no longer needed

Security Architecture and Engineering – 13%

1. Which class of fire extinguishers is BEST for electrical fires?
A. Class A
B. Class B
C. Class C
D. Class D

2. Which type of attack was MOST likely used if users visiting a website are seeing anti-virus warnings about malicious code?
A. Cross-Site Scripting (XSS)
B. Distributed Denial of Service (DDoS)
C. Structured Query Language (SQL) injection
D. Buffer overflow

3. Which method is BEST for protecting laptops?
A. Full Disk Encryption (FDE)
B. Advanced Encryption Standard (AES)
C. Blowfish
D. Multi-Factor Authentication (MFA)

Communication and Network Security – 13%

1. Which of the following is a well-known Transmission Control Protocol (TCP) port used by Simple Mail Transfer Protocol (SMTP)?
A. 22
B. 21
C. 25
D. 79

2. Which of the following wireless security protocols utilizes Simultaneous Authentication of Equals (SAE) for