CISSP For Dummies - Lawrence C. Miller - E-Book

Description

The fast and easy way to secure your CISSP certification

Are you a security professional seeking the valuable CISSP certification? Good for you! CISSP For Dummies is the ideal starting point on your journey, providing you with a friendly and accessible framework for studying for this highly sought-after certification. Fully updated to reflect the latest iterations of all eight domains covered by the test, it offers helpful study tips, guidance on making a 60-day study plan, 'instant answers' to help you recall key information, practice tests, and much more. Packed with key information needed to pass the exam--and hints on how to remember it all on test day--this new edition of CISSP For Dummies takes the intimidation out of preparing for getting your certification. Every chapter includes a 'Quick Assessment' test at the beginning and a 'Test Prep' section at the end to help you gauge your progress, while access to randomly generated test questions online gives you the freedom to practice and test your knowledge whenever it's convenient for you.

* Review the eight domains of security found in the CISSP Common Body of Knowledge
* Explore security websites and supplementary books
* Get a feel for the real thing with 250 practice exam questions
* Learn about exam requirements and find out how to register

If you're a CISSP hopeful or an existing certification-holder looking to renew your certification, CISSP For Dummies is the down-to-earth roadmap to get you there.


Page count: 726

Publication year: 2016




CISSP® For Dummies®, 5th Edition

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2016 by John Wiley & Sons, Inc., Hoboken, New Jersey

Media and software compilation copyright © 2016 by John Wiley & Sons, Inc. All rights reserved.

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. All trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit www.wiley.com/techsupport.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2016931711

ISBN 978-1-119-21023-8 (pbk); 978-1-119-21025-2 (epub); 978-1-119-21024-5 (epdf)

CISSP® For Dummies®

Visit www.dummies.com/cheatsheet/cissp to view this book's cheat sheet.

Table of Contents

Cover

Foreword

Introduction

About This Book

How This Book Is Organized

Icons Used in This Book

Beyond the Book

Getting Started

Part I: Getting Started With CISSP Certification

Chapter 1: (ISC)2 and the CISSP Certification

About (ISC)2 and the CISSP Certification

You Must Be This Tall to Ride This Ride (and Other Requirements)

Preparing for the Exam

Registering for the Exam

About the CISSP Examination

After the Examination

Chapter 2: Putting Your Certification to Good Use

Being an Active (ISC)2 Member

Considering (ISC)2 Volunteer Opportunities

Becoming an Active Member of Your Local Security Chapter

Spreading the Good Word about CISSP Certification

Using Your CISSP Certification to Be an Agent of Change

Earning Other Certifications

Pursue Security Excellence

Part II: Certification Domains

Chapter 3: Security and Risk Management

Understand and Apply Concepts of Confidentiality, Integrity, and Availability

Apply Security Governance Principles

Compliance

Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context

Understand Professional Ethics

Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines

Understand Business Continuity Requirements

Contribute to Personnel Security Policies

Understand and Apply Risk Management Concepts

Understand and Apply Threat Modeling

Integrate Security Risk Considerations into Acquisition Strategy and Practice

Establish and Manage Information Security Education, Training, and Awareness

Chapter 4: Asset Security

Classify Information and Supporting Assets

Determine and Maintain Ownership

Protect Privacy

Ensure Appropriate Retention

Determine Data Security Controls

Establish Handling Requirements

Chapter 5: Security Engineering

Implement and Manage Engineering Processes Using Secure Design Principles

Understand the Fundamental Concepts of Security Models

Select Controls and Countermeasures based upon Systems Security Evaluation Models

Understand Security Capabilities of Information Systems

Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements

Assess and Mitigate Vulnerabilities in Web-Based Systems

Assess and Mitigate Vulnerabilities in Mobile Systems

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems

Apply Cryptography

Apply Secure Principles to Site and Facility Design

Design and Implement Physical Security

Chapter 6: Communication and Network Security

Apply Secure Design Principles to Network Architecture

Secure Network Components

Design and Establish Secure Communication Channels

Prevent or Mitigate Network Attacks

Chapter 7: Identity and Access Management

Control Physical and Logical Access to Assets

Manage Identification and Authentication of People and Devices

Integrate Identity-as-a-Service

Integrate Third-Party Identity Services

Implement and Manage Authorization Mechanisms

Prevent or Mitigate Access Control Attacks

Manage the Identity and Access Provisioning Lifecycle

Chapter 8: Security Assessment and Testing

Design and Validate Assessment and Test Strategies

Conduct Security Control Testing

Collect Security Process Data

Analyze and Report Test Outputs

Conduct or Facilitate Internal and Third Party Audits

Chapter 9: Security Operations

Understand and Support Investigations

Understand Requirements for Investigation Types

Conduct Logging and Monitoring Activities

Secure the Provisioning of Resources

Understand and Apply Foundational Security Operations Concepts

Employ Resource Protection Techniques

Conduct Incident Management

Operate and Maintain Preventative Measures

Implement and Support Patch and Vulnerability Management

Participate in and Understand Change Management Processes

Implement Recovery Strategies

Implement Disaster Recovery Processes

Test Disaster Recovery Plans

Participate in Business Continuity Planning and Exercises

Implement and Manage Physical Security

Participate in Addressing Personnel Safety Concerns

Chapter 10: Software Development Security

Understand and Apply Security in the Software Development Lifecycle

Enforce Security Controls in Development Environments

Assess the Effectiveness of Software Security

Assess Security Impact of Acquired Software

Part III: The Part of Tens

Chapter 11: Ten (Okay, Nine) Test-Planning Tips

Know Your Learning Style

Get a Networking Certification First

Register NOW!

Make a 60-Day Study Plan

Get Organized and READ!

Join a Study Group

Take Practice Exams

Take a CISSP Review Seminar

Take a Breather

Chapter 12: Ten Test-Day Tips

Get a Good Night’s Rest

Dress Comfortably

Eat a Good Breakfast

Arrive Early

Bring a Photo ID

Bring Snacks and Drinks

Bring Prescription and Over-the-Counter Medications

Leave Your Electronic Devices Behind

Take Frequent Breaks

Guess — as a Last Resort

Glossary

About the Authors

Cheat Sheet

Advertisement Page

Connect with Dummies

End User License Agreement


Foreword

Let’s face it, those of us who have prepared for the (ISC)2® Certified Information Systems Security Professional (CISSP®) exam know it can be a daunting task. Some candidates spread their preparation out over the course of a year; others take months, and others prepare in a matter of weeks. Then there are those who schedule and take the exam with little to no preparation. There’s really no wrong way to prepare, if your approach leads to the achievement of your professional goals. That said, I am frequently asked "What is the best book to use to prepare for the CISSP exam?" There’s a plethora of choices: the thick official guide book, the CISSP study guide, or independent books written by those in the industry. Suffice it to say, there is no shortage of books available to prepare for the CISSP exam. Which leads me to CISSP For Dummies.

The Wiley For Dummies series has become a wildly successful approach to learning about a broad range of popular topics. With so many topics covered by the popular series, most of us have a For Dummies book on at least one topic. The series presents popular topics in a lighter, more digestible way that hopefully facilitates learning. At (ISC)2, we are proud that our CISSP has become such a popular topic and professional certification that it has earned its own CISSP For Dummies, which we are pleased to endorse.

As you prepare for the CISSP exam, we hope you find the tools that work best for your study methods and maintaining your skills. I wish you the best of luck as you prepare for the (ISC)2 CISSP exam and work toward achieving your professional goals.

Best regards,

David P. Shearer

CEO

(ISC)2, Inc.

Introduction

For more than 20 years security practitioners around the world have been pursuing a well-known and highly regarded professional credential: the Certified Information Systems Security Professional (CISSP) certification. And since 2001, CISSP For Dummies has been helping security practitioners enhance their security knowledge and earn the coveted CISSP certification.

Today, there are more than 100,000 CISSPs worldwide. Ironically, some certification skeptics might argue that the CISSP certification is becoming less relevant because so many people have earned the certification. However, the CISSP certification isn’t less relevant because more people are attaining it — more people are attaining it because it’s now more relevant than ever. Information security is far more important than at any time in the past, with extremely large-scale data security breaches and highly sophisticated cyberattacks becoming all too frequent occurrences in our modern era.

There are many excellent and reputable information security training and education programs available. In addition to technical and industry certifications, there are also many fully accredited postsecondary degree, certificate and apprenticeship programs available for information security practitioners. And there are certainly plenty of self-taught, highly skilled individuals working in the information security field who have a strong understanding of core security concepts, techniques and technologies.

But inevitably, there are also far too many charlatans who are all too willing to overstate their security qualifications and prey on the obliviousness of business and other leaders — who think “wiping” a server, for example, means “like, with a cloth or something” — in order to pursue a fulfilling career in the information security field, or perhaps for dubious purposes.

The CISSP certification is widely held as the professional standard for information security professionals, similar to the Certified Public Accountant (CPA) license for accountants or the Professional Engineer (PE) license for engineers. It enables security professionals to distinguish themselves from others in the information security field by validating both their knowledge and experience. Likewise, it enables businesses and other organizations to identify qualified information security professionals and verify the knowledge and experience of candidates for critical information security roles in their respective organizations. Thus, the CISSP certification is more relevant and important than ever before.

About This Book

Our goal in this book is simple: to help you prepare for and pass the CISSP examination so that you can join the ranks of respected certified security professionals who dutifully serve organizations and industries around the world. Although we’ve stuffed it chock-full of good information, we don’t expect that this book will be a weighty desktop reference on the shelf of every security professional — although we certainly wouldn’t object.

And we don’t intend for this book to be an all-purpose, be-all-and-end-all, one-stop shop that has all the answers to life’s great mysteries. Given the broad base of knowledge required for the CISSP certification, we strongly recommend that you use multiple resources to prepare for the exam and study as much relevant information as your time and resources allow. CISSP For Dummies, 5th Edition, provides the framework and the blueprint for your study effort and sufficient information to help you pass the exam, but it won’t make you an information security expert!

Finally, as a security professional, earning your CISSP certification is only the beginning. Business and technology, which have associated risks and vulnerabilities, require that each of us — as security professionals — constantly press forward, consuming vast volumes of knowledge and information in a constant tug-of-war against the bad guys.

How This Book Is Organized

This book is organized in three parts. We cover the International Information Systems Security Certifications Consortium (ISC)2 and examination basics in Part I, the eight Common Body of Knowledge (CBK) domains in Part II, the Part of Tens in Part III, and the Glossary.

The Glossary is not just any ordinary glossary: The CISSP exam requires you to select the best answer for a given question. You definitely need to know and understand very concise terms and definitions in order to recognize any obviously wrong answers on the exam.

Icons Used in This Book

Throughout this book, you occasionally see icons in the left margin that call attention to important information that’s particularly worth noting. No smiley faces winking at you or any other cute little emoticons, but you’ll definitely want to take note! Here’s what to look for and what to expect:

Instant Answer icons highlight important information to help you answer questions on the actual exam — just add water and stir! To help you succeed on the CISSP exam, look for these icons to highlight critical points that you’re likely to see again.

This icon identifies general information and core concepts that are well worth committing to your non-volatile memory, your gray matter, or your noggin — along with anniversaries, birthdays, and other important stuff! You should certainly understand and review this information before taking your CISSP exam.

Thank you for reading; we hope you enjoy the book; please take care of your writers! (Now, where’s that jar … ?) Seriously, this icon includes helpful suggestions and tidbits of useful information that may save you some time and headaches.

This is the stuff your mother warned you about … well, okay — probably not, but you should take heed nonetheless. These helpful alerts point out easily confused or difficult-to-understand terms and concepts.

Cross Reference icons point you toward other places in this book that have additional information on particular subjects — kind of a low-tech hyperlink!

You won’t find a map of the human genome or the secret to cold fusion in this book (or maybe you will, hmm), but if you’re an insufferable insomniac, take note. This icon explains the jargon beneath the jargon and is the stuff legends — well, at least nerds — are made of. So, if you’re seeking to attain the seventh level of NERD-vana, keep an eye out for these icons!

Beyond the Book

CISSP For Dummies, 5th Edition, is more than a book. A suite of online tools and references are part of the plan to get you ready for game day.

What you’ll find online

The online resources that come free with the book contain a comprehensive, realistic practice exam. This product also comes with an online Cheat Sheet (www.dummies.com/cheatsheet/cissp) and bonus articles (www.dummies.com/extras/cissp) that help you increase your knowledge even further. (No PIN required. You can access this info before you register.)

How to register

To gain access to the online practice test and flash cards, all you have to do is register. Just follow these simple steps:

1. Find your PIN access code:

Print book: If you purchased a print copy of this book, turn to the inside front cover of the book to find your access code.

Ebook: If you purchased this book as an e-book, you can get your access code by registering your ebook at www.dummies.com/go/getaccess. Go to this website, find your book and click it, and answer the security questions to verify your purchase. You’ll receive an email with your access code.

2. Go to www.dummies.com and click Activate Now.

3. Find your product (CISSP For Dummies) and then follow the on-screen prompts to activate your PIN.

You can come back to the program as often as you want — simply log on with the username and password you created during your initial login.

For Technical Support, please visit http://wiley.custhelp.com or call Wiley at 1-800-762-2974 (U.S.), +1-317-572-3994 (international).

Getting Started

Chapter 1 may be a good place to start! However, if you see a particular topic that piques your interest, feel free to jump ahead to that chapter. Each chapter is individually wrapped (but not packaged for individual sale) and written to stand on its own, so feel free to start reading anywhere and skip around! Read this book in any order that suits you (though we don’t recommend upside down or backwards). We promise you won’t get lost falling down the rabbit hole!

Part I

Getting Started With CISSP Certification

Visit www.dummies.com for great Dummies content online.

In this part …

Preparing for the exam

Spreading the word

Maximizing your membership


Chapter 1

(ISC)2 and the CISSP Certification

In This Chapter

Finding out about (ISC)2 and the CISSP certification

Understanding CISSP certification requirements

Developing a study plan

Registering for the exam

Taking the CISSP exam

Getting your exam results

CISSP For Dummies answers the question, “What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?”

About (ISC)2 and the CISSP Certification

The International Information System Security Certification Consortium (ISC)2 (www.isc2.org, and pronounced “I-S-C-squared”) was established in 1989 as a not-for-profit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.

The CISSP was the first information security credential to be accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024 standard. This international standard helps to ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate’s competence for the certification. This process helps a certification gain industry acceptance and credibility as more than just a marketing tool for certain vendor-specific certifications (a widespread criticism that has diminished the popularity of many vendor certifications over the years).

The ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.

The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)2 and defined through eight distinct domains:

Security and Risk Management

Asset Security

Security Engineering

Communication and Network Security

Identity and Access Management

Security Assessment and Testing

Security Operations

Software Development Security

You Must Be This Tall to Ride This Ride (and Other Requirements)

The CISSP candidate must have a minimum of five cumulative years of professional (paid), full-time, direct work experience in two or more of the domains listed in the preceding section. The work experience requirement is a hands-on one — you can’t satisfy the requirement by just having “information security” listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly. Some examples of full-time information security roles that might satisfy the work experience requirement include (but aren’t limited to)

Security Analyst

Security Architect

Security Auditor

Security Consultant

Security Engineer

Security Manager

Examples of information technology roles for which you can gain partial credit for security work experience include (but aren’t limited to)

Systems Administrator

Network Administrator

Database Administrator

Software Developer

For any of these preceding job titles, your particular work experience might result in you spending some of your time (say, 25 percent) doing security-related tasks. This is perfectly legitimate for security work experience. For example, five years as a systems administrator, spending a quarter of your time doing security-related tasks, earns you 1.25 years of security experience.

Furthermore, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:

A four-year college degree (or regional equivalent)

An advanced degree in information security from a U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE)

A credential that appears on the (ISC)2-approved list, which includes more than 40 technical and professional certifications, such as various SANS GIAC certifications, Cisco and Microsoft certifications, and CompTIA Security+ (For the complete list, go to www.isc2.org/credential_waiver).

See Chapter 2 to learn more about relevant certifications on the (ISC)2-approved list for an experience waiver.

In the U.S., CAE/IAE programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/ia/academic_outreach/nat_cae.

Preparing for the Exam

Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or training environment, (ISC)2 offers CISSP review seminars.

We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of two hours a day for 60 days. If you’re a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day — and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this study out over a six-month period for two hours a day. Consider, however, that committing to six months of intense study is much harder (on you, as well as your family and friends) than two months. In the end, you’ll likely find yourself studying only as much as you would have in a 60-day period anyway.

Studying on your own

Self-study might include books and study references, a study group, and practice exams.

Begin by downloading the free official CISSP Candidate Information Bulletin (CIB) from the (ISC)2 website at www.isc2.org/exam-outline. This booklet provides a good basic outline of the exam and the subjects on which you’ll be tested.

Next, read this book, take the online practice exam and review the additional study materials on the Dummies website (www.dummies.com). CISSP For Dummies is written to provide a thorough and essential review of all the topics covered on the CISSP exam. Then, read any additional study resources you can to further your knowledge and reinforce your understanding of the exam topics. You can find several excellent study resources in the official CISSP Candidate Information Bulletin (CIB) and online at www.cccure.org and http://resources.infosecinstitute.com. Finally, rinse and repeat: Do another quick read of CISSP For Dummies as a final review before you take the actual CISSP exam.

Don’t rely on CISSP For Dummies (as awesome and comprehensive as it is!), or any other book — no matter how thick it is — as your single resource to prepare for the CISSP exam.

Joining a study group can help you stay focused and also provide a wealth of information from the broad perspectives and experiences of other security professionals. It’s also an excellent networking opportunity (the talking-to-real-people type of network, not the TCP/IP type of network)! Study groups or forums can be hosted online or at a local venue. Find a group that you’re comfortable with and that is flexible enough to accommodate your schedule and study needs. Or create your own study group!

Finally, answer lots of practice exam questions. There are many resources available for CISSP practice exam questions. Some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don’t despair! The repetition of practice questions helps reinforce important information that you need to know in order to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Start with the Practice Exam on the Dummies website (www.dummies.com) and try the practice questions at Clément Dupuis and Nathalie Lambert’s CCCure website (www.cccure.org).

No practice exams exactly duplicate the CISSP exam (and forget about brain dumps — using or contributing to brain dumps is unethical and is a violation of the (ISC)2 non-disclosure agreement which could result in losing your CISSP certification permanently).

Getting hands-on experience

Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities while you prepare for the CISSP exam.

For example, if you’re weak in networking or applications development, talk to the networking group or programmers in your company. They may be able to show you a few things that can help make sense of the volumes of information that you’re trying to digest.

Your company or organization should have a security policy that’s readily available to its employees. Get a copy and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn’t have a security policy, perhaps now is a good time for you to educate management about issues of due care and due diligence as they relate to information security. For example, review your company’s plans for business continuity and disaster recovery. They don’t exist? Perhaps you can lead this initiative to help both you and your company.

Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar

(ISC)2 also offers five-day CISSP CBK Review Seminars and Live OnLine seminars to help the CISSP candidate prepare. You can find information, schedules, and registration forms for the CBK Review Seminar and Live OnLine on the (ISC)2 website at www.isc2.org/cissp-training.

If you generally learn better in a classroom environment or find that you have knowledge or actual experience in only two or three of the domains, you might seriously consider attending a review seminar.

If it’s not convenient or practical for you to travel to a seminar, Live OnLine provides the benefit of learning from an (ISC)2 Authorized Instructor on your computer. Live OnLine provides all the features of classroom-based seminars: real-time delivery, access to archived modules, and all official courseware.

Attending other training courses or study groups

Other reputable organizations offer high-quality training in both classroom and self-study formats. Before signing up and spending your money, we suggest that you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends on the instructor; for this reason, try to find out from others whether the proposed instructor is as helpful as he or she is reported to be.

Many cities have self-study groups, usually run by CISSP volunteers. You may find a study group where you live; or, if you know some CISSPs in your area, you might ask them to help you organize a self-study group.

Always confirm the quality of a study course or training seminar before committing your money and time.

Take the testing tutorial and practice exam

If you are not familiar with computer-based testing, you may want to take a practice exam. Go to the Pearson VUE website and look for the Pearson VUE Tutorial and Practice Exam (at www.pearsonvue.com/athena).

To successfully study for the CISSP exam, you need to know your most effective learning styles. “Boot camps” are best for some people, while others learn better over longer periods of time. Furthermore, some people get more value from group discussions, while reading alone works for others. Know thyself, and use what works best for you.

Are you ready for the exam?

Are you ready for the big day? We can’t answer this question for you. You must decide, on the basis of your individual learning factors, study habits, and professional experience, when you’re ready for the exam. Unfortunately, there is no magic formula for determining your chances of success or failure on the CISSP examination.

In general, we recommend a minimum of two months of focused study. Read this book and continue taking the practice exam on the Dummies website until you can consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information you need to know if you want to pass the CISSP examination. Read this book (and reread it) until you’re comfortable with the information presented and can successfully recall and apply it in each of the eight domains. Continue by reviewing other study materials (particularly in your weak areas) and actively participating in an online or local study group and take as many practice exams from as many different sources as possible.

Then, when you feel like you’re ready for the big day, find a romantic spot, take a knee, and — wait, wrong big day! Find a secure Wi-Fi hot spot (or other Internet connection), take a seat, and register for the exam!

Registering for the Exam

The CISSP exam is administered via computer-based testing (CBT) at local Pearson VUE testing centers worldwide. To register for the exam, go to the (ISC)2 website (www.isc2.org/certification-register-now) and click the “Register” link, or go directly to the Pearson VUE website (www.pearsonvue.com/isc2).

On the Pearson VUE website, you first need to create an account for yourself; then you can register for the CISSP exam, schedule your test, and pay your testing fee. You can also locate a nearby test center, take a Pearson VUE testing tutorial, practice taking the exam (which you should definitely do if you’ve never taken a CBT), and then download and read the (ISC)2 non-disclosure agreement (NDA).

Download and read the (ISC)2 NDA when you register for the exam. Sure, it’s boring legalese, but it isn’t unusual for CISSPs to be called upon to read contracts, license agreements, and other “boring legalese” as part of their information security responsibilities — so get used to it (and also get used to not signing legal documents without actually reading them)! You’re given five minutes to read and accept the agreement at the start of your exam, but why not read the NDA in advance so you can avoid the pressure and distraction on exam day, and simply accept the agreement. If you don’t accept the NDA in the allotted five minutes, your exam will end and you forfeit your exam fees!

When you register, you’re required to quantify your relevant work experience, answer a few questions regarding any criminal history and other potentially disqualifying background information, and agree to abide by the (ISC)2 Code of Ethics.

The (ISC)2 Code of Ethics is covered in Chapter 3.

The current exam fee in the U.S. is $599. You can cancel or re-schedule your exam by contacting VUE by telephone at least 24 hours in advance of your scheduled exam or online at least 48 hours in advance. The fee to re-schedule is $50. The fee to cancel your exam appointment is $100.

If you fail to show up for your exam or you’re more than 15 minutes late for your exam appointment, you’ll forfeit your entire exam fee!

Great news! If you’re a U.S. military veteran and are eligible for Montgomery GI Bill benefits, the Veteran’s Administration (VA) will reimburse you for the full cost of the exam, regardless of whether you pass or fail.

About the CISSP Examination

The CISSP examination itself is a grueling six-hour, 250-question marathon. To put that into perspective, in six hours, you could almost run a back-to-back marathon and mini marathon, watch a good movie 3½ times, or play “Slow Ride” 91 times on Guitar Hero. Each of these feats, respectively, closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.

There are three types of questions on the CISSP exam:

Multiple-choice. Select the best answer from four possible choices. For example:

Which of the following is the FTP control channel?

A TCP port 21

B UDP port 21

C TCP port 25

D IP port 21

The FTP control channel is port 21, but is it TCP, UDP, or IP? (It’s TCP: FTP commands travel over a TCP connection to port 21, and file data goes over a separate connection. TCP port 25 is SMTP, and “IP port” isn’t a real thing, because port numbers belong to the transport layer, not to IP. So the best answer is A.)

Drag and drop. Drag and drop the correct answer (or answers) from a list of possible answers on the left side of the screen to a box for correct answers on the right side of the screen. For example:

Which of the following are message authentication algorithms? Drag and drop the correct answers from left to right.

MD5, SHA-2, and HMAC are all correct. You must drag and drop all three answers to the box on the right for the answer to be correct. (A caveat from practice: MD5 and SHA-2 are unkeyed hash functions, so by themselves they only let a receiver detect accidental changes; anyone who alters a message in transit can simply recompute the hash. HMAC wraps a hash function with a secret key, so only a holder of the key can produce a valid tag. The exam groups all three under message integrity and authentication, and you should answer accordingly, but MD5 is also no longer collision-resistant and shouldn’t be chosen for new designs.)
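To make that caveat concrete, here is an added Python example (not from the book) that runs the same on-the-wire tampering against a receiver that checks a bare SHA-256 digest and against one that checks an HMAC-SHA256 tag. The message, the shared key, and the attacker’s tampered message are constructed for the demonstration and are assumptions, not anything the exam question specifies.

```python
import hashlib
import hmac

# Constructed sample data (assumptions for this demonstration, not from the book).
SECRET_KEY = b"shared-secret-known-only-to-sender-and-receiver"
ORIGINAL = b"transfer 100 to account 4242"
TAMPERED = b"transfer 100 to account 6666"


def digest_sha256(message: bytes) -> str:
    """Unkeyed hash (SHA-2 family). Anyone, attacker included, can compute it."""
    return hashlib.sha256(message).hexdigest()


def mac_hmac_sha256(key: bytes, message: bytes) -> str:
    """Keyed MAC. Only a holder of `key` can produce a valid tag for `message`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_checks_hash(message: bytes, digest: str) -> bool:
    """Receiver that trusts a bare hash sent alongside the message."""
    return hmac.compare_digest(digest_sha256(message), digest)


def receiver_checks_hmac(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver that recomputes the HMAC with the shared key.

    compare_digest runs in constant time, so an attacker cannot learn the tag
    byte by byte from verification timing.
    """
    return hmac.compare_digest(mac_hmac_sha256(key, message), tag)


def attacker_forges_hash_only(message: bytes, digest: str) -> tuple:
    """Attacker on the wire intercepts (message, digest), swaps in a new message
    and recomputes the unkeyed hash; the intercepted values are not even needed."""
    return TAMPERED, digest_sha256(TAMPERED)


def demo() -> dict:
    """Runs both protocols against the same attacker and reports who accepted what."""
    # Protocol 1: message + SHA-256. The forgery passes because no secret is involved.
    forged_msg, forged_digest = attacker_forges_hash_only(ORIGINAL, digest_sha256(ORIGINAL))
    hash_only_accepts_forgery = receiver_checks_hash(forged_msg, forged_digest)

    # Protocol 2: message + HMAC-SHA256 tag. The attacker has no key, so the best
    # it can do is replay the old tag or attach a plain hash; both are rejected.
    tag = mac_hmac_sha256(SECRET_KEY, ORIGINAL)
    hmac_accepts_replayed_tag = receiver_checks_hmac(SECRET_KEY, TAMPERED, tag)
    hmac_accepts_plain_hash = receiver_checks_hmac(SECRET_KEY, TAMPERED, digest_sha256(TAMPERED))
    hmac_accepts_genuine = receiver_checks_hmac(SECRET_KEY, ORIGINAL, tag)

    return {
        "hash_only_accepts_forgery": hash_only_accepts_forgery,  # True
        "hmac_accepts_replayed_tag": hmac_accepts_replayed_tag,  # False
        "hmac_accepts_plain_hash": hmac_accepts_plain_hash,      # False
        "hmac_accepts_genuine": hmac_accepts_genuine,            # True
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The hash-only receiver accepts the tampered transfer because the attacker can regenerate the digest; the HMAC receiver rejects both the replayed tag and a freshly computed plain hash, and accepts only the genuine tag. Note that the receiver compares tags with `hmac.compare_digest` rather than `==`, which is the check you want in any real verifier.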

Hotspot. Select the object in a diagram that best answers the question. For example:

Which of the following diagrams depicts a relational database model?

Click one of the four panels above to select your answer choice.

As described by (ISC)2, you need a scaled score of 700 (out of 1000) or better to pass the examination. All three question types are weighted equally, but not all questions are weighted equally, so we can’t absolutely state the number of correct questions required for a passing score.

All 250 questions on the CISSP exam require you to select the best answer (or answers) from the possible choices presented. The correct answer isn’t always a straightforward, clear choice. (ISC)2 goes to great pains to ensure that you really, really know the material.

A common and effective test-taking strategy for multiple-choice questions is to carefully read each question and then eliminate any obviously wrong choices. The CISSP examination is no exception.

Wrong choices aren’t necessarily obvious on the CISSP examination. You may find a few obviously wrong choices, but they only stand out to someone who has studied thoroughly for the exam.

Only 225 questions are actually counted toward your final score. The other 25 are trial questions for future versions of the CISSP examination. However, the exam doesn’t identify these questions for the test-taker, so you have to answer all 250 questions as if every one of them is the real thing.

The CISSP examination is currently available in English, Portuguese, Chinese (simplified), French, German, Japanese, Korean, and Spanish. You’re permitted to bring a foreign language dictionary (non-electronic and non-technical) for the exam, if needed. Testing options are also available for the visually impaired. You need to indicate your preferences when you register for the exam.

Chapter 12 has additional important information about the exam format and suggestions to help you prepare for the day of your exam.

After the Examination

In most cases, you’ll receive your unofficial test results at the testing center as soon as you complete your exam, followed by an official email from (ISC)2.

In some rare instances, your unofficial results may not be immediately available. (ISC)2 analyzes score data during each testing cycle; if they don’t have enough test results early in the testing cycle, your results could be delayed up to eight weeks.

If, for some reason, you don’t pass the CISSP examination — say, for example, you only read this chapter of CISSP For Dummies — you’ll have to wait 30 days to try again. If that happens, we strongly recommend that you read the rest of this book during those 30 days! If you fail a second time, you’ll have to wait 90 days to try again. If that happens, we most strongly recommend and highly urge you to read the rest of this book — perhaps a few times — during those 90 days! Finally, if you fail on your third attempt, you’ll have to wait 180 days — no more excuses, you definitely need to read, re-read, memorize, recite, ingest, and regurgitate this book several times if that happens!

After you earn your CISSP certification, you must remain an (ISC)2 member in good standing and renew your certification every three years. You can renew the CISSP certification by accumulating 120 Continuing Professional Education (CPE) credits or by retaking the CISSP examination. You must earn a minimum of 40 CPE credits during each year of your three-year recertification cycle. You earn CPE credits for various activities, including taking educational courses or attending seminars and security conferences, belonging to association chapters and attending meetings, viewing vendor presentations, completing university or college courses, providing security training, publishing security articles or books, serving on relevant industry boards, taking part in self-study, and doing related volunteer work. You must document your annual CPE activities on the secure (ISC)2 website to receive proper credit. You also have to pay a U.S. $85 annual maintenance fee, payable to (ISC)2. Maintenance fees are billed in arrears for the preceding year, and you can pay them online, also in the secure area of the (ISC)2 website.

Be sure to be absolutely truthful on your CPE reporting. (ISC)2 audits some CPE submissions.

As soon as you receive your certification, register on the (ISC)2 website and provide your contact information. (ISC)2 reminds you of your annual maintenance fee, Board of Directors elections, annual meetings, and events, but only if you maintain your contact info — particularly your email address.

Chapter 2

Putting Your Certification to Good Use

In This Chapter

Staying active as an (ISC)2 member

Discovering the joy of giving back

Working with others in your local security community

Getting the word out about CISSP certification

Bringing about change in your organization

Advancing your career with other certifications

Achieving security excellence

Although this book is devoted to helping you earn your CISSP certification, we thought it would be a good idea to include a few things you might consider doing after you’ve earned your CISSP.

So what do you do after you earn your CISSP? There are plenty of things you can do to enhance your professional career and the global community. Here are just a few ideas!

Being an Active (ISC)2 Member

Being an active (ISC)2 member is easy! Besides volunteering (see the following section), you can participate in several other activities including:

Vote in (ISC)2 elections. Every year, one-third of the (ISC)2 Board of Directors is elected to serve three-year terms. As a CISSP in good standing, you’ve earned the right to vote in the (ISC)2 elections. Exercise your right!

Attend (ISC)2 events. (ISC)2 conducts several events each year, from networking receptions to conferences and educational events. Check back regularly on the (ISC)2 website to find out more about events in your area.

Join an (ISC)2 chapter. (ISC)2 has chapters around the world. You can find out more at www.isc2.org/chapters. There are many great opportunities to get involved in local chapters, including chapter leadership, participation in chapter activities, and participation in community outreach projects.

Considering (ISC)2 Volunteer Opportunities

(ISC)2 is much more than a certifying organization: It’s a cause. It’s security professionals’ raison d’être, the reason we exist — professionally, anyway. As one of us, consider throwing your weight into the cause.

Volunteers have made (ISC)2 what it is today and contribute toward your certification. You can’t stand on the sidelines and watch others do the work. Use your talents to help those who’ll come after you. You can help in many ways. For information about volunteering, see the (ISC)2 website (www.isc2.org).

Most sanctioned (ISC)2 volunteer activities are eligible for CPE credits. Check with (ISC)2 for details.

Writing certification exam questions

The state of technology, laws, and practices within the (ISC)2 Common Body of Knowledge (CBK) is continually changing and advancing. In order to be effective and relevant, CISSP exams need to have exam questions that reflect how security is done today. Therefore, people working in the industry — such as you — need to write new questions. If you’re interested in being a question writer, visit the (ISC)2 website and apply.

Speaking at events

(ISC)2 now holds more security-related events around the world than it has at any other time in its history. More often than not, (ISC)2 speakers are local volunteers — experts in their professions who want to share with others what they know and have learned. If you have an area of expertise or a unique perspective on CISSP-related issues, consider educating others with a speaking engagement. For more information, visit the (ISC)2 website.

Read and contribute to (ISC)2 publications

The InfoSecurity Professional digital magazine benefits from articles submitted by (ISC)2 members. The entire security community benefits by reading about what others have discovered. Find the magazine at www.isc2.org/infosecurity_professional.

(ISC)2 publishes a quarterly online magazine called INSIGHTS that is associated with InfoSecurity Professional. You can find out more at https://www.isc2.org/infosecurity-professional-insights.aspx?terms=INSIGHTS.

The (ISC)2 Blog is a free online publication for all (ISC)2 members. Find the blog, as well as information about writing articles, at http://blog.isc2.org/isc2_blog.

The (ISC)2 Journal is a fee-based publication that’s published bimonthly. Find information about subscribing and writing articles on the journal’s home page (www.isc2.org/isc2-journal.aspx). The annual subscription is currently U.S. $45.

Support the (ISC)2 Center for Cyber Safety and Education

The (ISC)2 Foundation, now known as the Center for Cyber Safety and Education, is a non-profit charity formed by (ISC)2 in 2011. The Center is a conduit through which security professionals can reach society and empower students, teachers, and the general public to secure their online life with cybersecurity education and awareness programs in the community. The Center for Cyber Safety and Education was formed to meet those needs, and to expand altruistic programs, such as Safe and Secure Online, the Information Security Scholarship Program, and industry research — the Center’s three core programs.

Participating in (ISC)2 focus groups

(ISC)2 has developed focus groups and quality assurance (QA) testing opportunities. (ISC)2 is developing new services, and it needs to receive early feedback during the requirements and design phases of its projects. By participating in these groups and tests, you can influence future (ISC)2 services that will aid current and future certification holders.

Get involved with a CISSP study group

Many communities have CISSP study groups that consist of volunteer mentors and instructors who help those who want to earn the certification.

If your community doesn’t have a CISSP study group, consider starting one. Many communities have them already, and the organizers there can give you advice on how to start your own.

Help others learn more about data security

In no way are we being vain or arrogant when we say that we (the writers of this book, and you the readers) know more about data security and safe Internet usage than perhaps 99 percent of the general population. There are two main reasons for this:

Security is our profession

Security is not always easy to do

A legion of volunteer opportunities is available out there to help others keep their computers (and mobile computing devices) secure and to use the Internet safely. Here is a very short list of places where you can help:

Service clubs

Senior centers

Schools (be sure to read about Safe and Secure Online earlier in this chapter)

Your place of employment

Using a little imagination, you can certainly come up with additional opportunities. The world is hungry for the information you possess!

Why volunteer?

Why should you consider volunteering for (ISC)2 — or for any other professional organization? Here are two main reasons:

Volunteerism of any kind is about giving back to a larger community. Consider the volunteers who helped you to earn your CISSP certification.

Volunteering looks good on your résumé. Personally, we consider this a byproduct of volunteering, and not the primary reason for doing it.

Volunteering for (ISC)2, or any other cause, should be a reflection of your character, and not simply an activity to embellish your résumé.

While your intention through volunteering may be to help others, volunteering will also change you — for the better.

Consider it a good idea to check in periodically on the (ISC)2 website to see other ways you can help.

Becoming an Active Member of Your Local Security Chapter

Many security organizations around the world have local chapters, perhaps in or near your community. Here’s a short list of some organizations that you may be interested in:

Information Systems Security Association (ISSA): www.issa.org

Information Systems Audit and Control Association (ISACA): www.isaca.org

Society for Information Management (SIM): www.simnet.org

InfraGard: www.infragard.net

Open Web Application Security Project (OWASP): www.owasp.org

ASIS International: www.asisonline.org

High Technology Crime Investigation Association (HTCIA): www.htcia.org

Risk and Insurance Management Society (RIMS): www.rims.org

The Institute of Internal Auditors (IIA): www.theiia.org

Disaster Recovery Institute International (DRII): www.drii.org

Computer Technology Investigators Network (CTIN): www.ctin.org

Local security groups provide excellent opportunities to find peers in other organizations and to discover more about your profession. Many people find that the contacts they make as part of their involvement with local security organizations can be especially valuable when looking for new career opportunities.

You certainly can find many, many more security organizations that have local chapters, beyond the ones we include in the preceding list. Ask your colleagues and others about security organizations and clubs in your community.

Spreading the Good Word about CISSP Certification

As popular as the CISSP certification is, there are people who still don’t know about it. And many who may have heard of it don’t understand what it’s all about. Tell people about your CISSP certification and explain the certification process to your peers. Here are some facts that you can share with anyone and everyone you meet:

CISSP is the top-tier information security professional certification.

Over 110,000 security professionals around the world have the CISSP certification.

The CISSP certification started in 1994.

CISSP was the first credential to be accredited by ANSI (the American National Standards Institute) to the ISO/IEC 17024 standard for personnel certification bodies.

The organization that manages the CISSP certification has other certifications for professionals who specialize in various fields of information security. The organization also promotes information security awareness through education programs and events.

Promote the fact that you’re certified. How can you promote it? After you earn your CISSP, you can simply put the letters CISSP after your name on your business cards, stationery, email signature, resume, blog, and website. While you’re at it, put the CISSP logo on there, too (just be sure to abide by any established terms of use).

Promoting other certifications

Some of your peers may not be ready to pursue the CISSP certification. They may not have the career experience or knowledge required to go for the CISSP now. These certifications may be suitable for your friends:

Associate of (ISC)2: If you can pass the CISSP or SSCP certification exams but don’t yet possess the required professional experience, you can become an Associate of (ISC)2. Read about this option on the (ISC)2 website.

SSCP (Systems Security Certified Practitioner): This mid-level certification is for hands-on security techs and analysts.

Your colleagues can use these two certs as stepping stones, and eventually, they may be ready for the CISSP.

There are many other certifications available from (ISC)2 that are described in the next section.

Wear the colors proudly

The (ISC)2 online store has a lot of neat stuff, from jackets to shirts to mugs to caps. There’s something for everyone there. The organization introduces new items now and again, and it runs closeout specials. Find the store at http://isc2education.org/shop/new.html.

Consider adding a few nice polo shirts that sport the (ISC)2 and CISSP logos to your wardrobe. Or really splurge and consider buying a CISSP backpack!

Lead by example

Like it or not, security professionals, particularly those with the CISSP, are role models for those around them. From a security perspective, whatever we do — and how we do it — is seen as the standard for correct behavior.

Being mindful of this, we need to conduct ourselves as though someone were looking — even if no one is — in everything we do.

Using Your CISSP Certification to Be an Agent of Change

As a certified security professional, you’re an agent of change in your organization: The state of threats and regulations is ever-changing, and you must respond by ensuring that your employer’s environment and policies continue to defend your employer’s assets against harm. Here are some of the important principles regarding successful agents of change:

Identify and promote only essential changes.

Promote only those changes that have a chance to succeed.

Anticipate sources of resistance.

Distinguish resistance from well-founded criticism.

Involve all affected parties the right way.

Don’t promise what you can’t deliver.

Use sponsors, partners, and collaborators as co-agents of change.

Change metrics and rewards to support the changing world.

Provide training.

Celebrate all successes.

Your job as a security professional doesn’t involve preaching; instead, you need to recognize opportunities for improvement and lower risks to the business. Work within your organization’s structure to bring about change in the right way. That’s the best way to reduce security risks.

Earning Other Certifications

In business and technology, no one’s career stays in one place. You’re continuously growing and changing, and ever-changing technology also influences organizations and your role within them.

You shouldn’t consider your quest for certifications finished when you earn your CISSP — even if it is the highest-level information security certification out there! Security is a journey, and your CISSP certification isn’t the end goal, but a (major) milestone along the way.

Other (ISC)2 certifications

(ISC)2 has several other certifications, including some that you may aspire to earn after (or instead of) receiving your CISSP. These certifications are

CCFP® (Certified Cyber Forensics Professional): This is a certification for forensics and security incident responders.

CCSPsm (Certified Cloud Security Professional): This certification on cloud controls and security practices was co-developed by (ISC)2 and the Cloud Security Alliance.

CSSLP® (Certified Secure Software Lifecycle Professional): Designed for software development professionals, the CSSLP recognizes software development in which security is a part of the software requirements, design, and testing — so that the finished product has security designed in and built in, rather than added on afterward.

HCISPP® (HealthCare Information Security and Privacy Practitioner): Designed for information security in the healthcare industry, the HCISPP recognizes knowledge and experience related to healthcare data protection regulations and the protection of patient data.

JGISP (Japanese Government Information Security Professional): A country-specific certification that validates a professional’s knowledge, skills, and experience related to Japanese government regulations and standards.

CAP® (Certification and Accreditation Professional): Jointly developed by the U.S. Department of State’s Office of Information Assurance and (ISC)2, the CAP credential reflects the skills required to assess risk and establish security requirements for complex systems and environments.

CISSP concentrations

(ISC)2 has developed follow-on certifications (think accessories) that accompany your CISSP. (ISC)2 calls these certifications concentrations because they represent the three areas you may choose to specialize in:

ISSAP® (Information Systems Security Architecture Professional): Suited for technical systems security architects

ISSEP® (Information Systems Security Engineering Professional): Demonstrates competence for security engineers

ISSMP® (Information Systems Security Management Professional): About security management (of course!)

All the concentrations require that you first be a CISSP in good standing, and each has its own exam. Read about these concentrations and their exams on the (ISC)2 website.

Non-(ISC)2 certifications

Organizations other than (ISC)2 have security-related certifications, one or more of which may be right for you. None of these certifications directly compete with CISSP, but some of them do overlap with CISSP somewhat.

Non-technical/non-vendor certifications

There are many other certifications available that are not tied to specific hardware or software vendors. Some of the better ones include

CISA (Certified Information Systems Auditor): Consider this certification if you work as an internal auditor or your organization is subject to one or more security regulations, such as Sarbanes-Oxley, HIPAA, GLBA, PCI, and so on. ISACA (the Information Systems Audit and Control Association) manages this certification. Find out more about CISA at www.isaca.org/cisa.

CISM (Certified Information Security Manager): Similar to (ISC)2’s Information Systems Security Management Professional (ISSMP) certification (which we talk about in the section “CISSP concentrations,” earlier in this chapter), you may want the CISM certification if you’re in security management. Like CISA, ISACA manages this certification. Read more about it at www.isaca.org/cism.

CRISC (Certified in Risk and Information Systems Control): This is a relatively new certification that concentrates on organizational risk management. Learn more at www.isaca.org/crisc.

CGEIT (Certified in the Governance of Enterprise IT): Look into this certification if you want to demonstrate your skills and knowledge in the areas of IT management and governance. Effective security in an IT organization definitely depends on governance, which involves the management and control of resources to meet long-term objectives. You can find out more about CGEIT at www.isaca.org/cgeit.

CPP (Certified Protection Professional): Primarily a security management certification, CPP is managed by ASIS International, at www.asisonline.org/certification. The CPP certification designates individuals who have demonstrated competency in all areas constituting security management.

PSP (Physical Security Professional): ASIS International also offers this certification, which caters to those professionals whose primary responsibility focuses on threat surveys and the design of integrated security systems. Read more at www.asisonline.org/certification.

CIPP (Certified Information Privacy Professional):