CISSP For Dummies
About this ebook
Get CISSP certified, with this comprehensive study plan!
Revised for the updated 2021 exam, CISSP For Dummies is packed with everything you need to succeed on test day. With deep content review on every domain, plenty of practice questions, and online study tools, this book helps aspiring security professionals unlock the door to success on this high-stakes exam. This book, written by CISSP experts, goes beyond the exam material and includes tips on setting up a 60-day study plan, exam-day advice, and access to an online test bank of questions.
Make your test day stress-free with CISSP For Dummies!
- Review every last detail you need to pass the CISSP certification exam
- Master all 8 test domains, from Security and Risk Management through Software Development Security
- Get familiar with the 2021 test outline
- Boost your performance with an online test bank, digital flash cards, and test-day tips
If you’re a security professional seeking your CISSP certification, this book is your secret weapon as you prepare for the exam.
Book preview
CISSP For Dummies - Lawrence C. Miller
CISSP® For Dummies®, 7th Edition
Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com
Copyright © 2022 by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc., and may not be used without written permission. CISSP is a registered certification mark of (ISC)², Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER, READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.
For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2022930207
ISBN 978-1-119-80682-0 (pbk); ISBN 978-1-119-80689-9 (ebk); ISBN 978-1-119-80690-5 (ebk)
CISSP® For Dummies®
To view this book's Cheat Sheet, simply go to www.dummies.com and search for CISSP For Dummies Cheat Sheet in the Search box.
Table of Contents
Cover
Title Page
Copyright
Introduction
About This Book
Foolish Assumptions
Icons Used in This Book
Beyond the Book
Where to Go from Here
Part 1: Getting Started with CISSP Certification
Chapter 1: (ISC)² and the CISSP Certification
About (ISC)² and the CISSP Certification
You Must Be This Tall to Ride This Ride (And Other Requirements)
Preparing for the Exam
Registering for the Exam
About the CISSP Examination
After the Examination
Chapter 2: Putting Your Certification to Good Use
Networking with Other Security Professionals
Being an Active (ISC)² Member
Considering (ISC)² Volunteer Opportunities
Becoming an Active Member of Your Local Security Chapter
Spreading the Good Word about CISSP Certification
Using Your CISSP Certification to Be an Agent of Change
Earning Other Certifications
Pursuing Security Excellence
Part 2: Certification Domains
Chapter 3: Security and Risk Management
Understand, Adhere to, and Promote Professional Ethics
Understand and Apply Security Concepts
Evaluate and Apply Security Governance Principles
Determine Compliance and Other Requirements
Understand Legal and Regulatory Issues That Pertain to Information Security
Understand Requirements for Investigation Types
Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines
Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
Contribute to and Enforce Personnel Security Policies and Procedures
Understand and Apply Risk Management Concepts
Understand and Apply Threat Modeling Concepts and Methodologies
Apply Supply Chain Risk Management (SCRM) Concepts
Establish and Maintain a Security Awareness, Education, and Training Program
Chapter 4: Asset Security
Identify and Classify Information and Assets
Establish Information and Asset Handling Requirements
Provision Resources Securely
Manage Data Life Cycle
Ensure Appropriate Asset Retention
Determine Data Security Controls and Compliance Requirements
Chapter 5: Security Architecture and Engineering
Research, Implement, and Manage Engineering Processes Using Secure Design Principles
Understand the Fundamental Concepts of Security Models
Select Controls Based Upon Systems Security Requirements
Understand Security Capabilities of Information Systems
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
Select and Determine Cryptographic Solutions
Understand Methods of Cryptanalytic Attacks
Apply Security Principles to Site and Facility Design
Design Site and Facility Security Controls
Chapter 6: Communication and Network Security
Assess and Implement Secure Design Principles in Network Architectures
Secure Network Components
Implement Secure Communication Channels According to Design
Chapter 7: Identity and Access Management
Control Physical and Logical Access to Assets
Manage Identification and Authentication of People, Devices, and Services
Federated Identity with a Third-Party Service
Implement and Manage Authorization Mechanisms
Manage the Identity and Access Provisioning Life Cycle
Implement Authentication Systems
Chapter 8: Security Assessment and Testing
Design and Validate Assessment, Test, and Audit Strategies
Conduct Security Control Testing
Collect Security Process Data
Analyze Test Output and Generate Reports
Conduct or Facilitate Security Audits
Chapter 9: Security Operations
Understand and Comply with Investigations
Conduct Logging and Monitoring Activities
Perform Configuration Management
Apply Foundational Security Operations Concepts
Apply Resource Protection
Conduct Incident Management
Operate and Maintain Detective and Preventative Measures
Implement and Support Patch and Vulnerability Management
Understand and Participate in Change Management Processes
Implement Recovery Strategies
Implement Disaster Recovery Processes
Test Disaster Recovery Plans
Participate in Business Continuity Planning and Exercises
Implement and Manage Physical Security
Address Personnel Safety and Security Concerns
Chapter 10: Software Development Security
Understand and Integrate Security in the Software Development Life Cycle
Identify and Apply Security Controls in Software Development Ecosystems
Assess the Effectiveness of Software Security
Assess Security Impact of Acquired Software
Define and Apply Secure Coding Guidelines and Standards
Part 3: The Part of Tens
Chapter 11: Ten Ways to Prepare for the Exam
Know Your Learning Style
Get a Networking Certification First
Register Now
Make a 60-Day Study Plan
Get Organized and Read
Join a Study Group
Take Practice Exams
Take a CISSP Training Seminar
Adopt an Exam-Taking Strategy
Take a Breather
Chapter 12: Ten Test-Day Tips
Get a Good Night’s Rest
Dress Comfortably
Eat a Good Meal
Arrive Early
Bring Approved Identification
Bring Snacks and Drinks
Bring Prescription and Over-the-Counter Medications
Leave Your Mobile Devices Behind
Take Frequent Breaks
Guess — As a Last Resort
Glossary
Index
About the Authors
Connect with Dummies
End User License Agreement
List of Tables
Chapter 3
TABLE 3-1 Data Processing Continuity Planning Site Comparison
Chapter 4
TABLE 4-1 Typical Data Handling Guidelines
TABLE 4-2 Example Facilities Classification Policy
Chapter 5
TABLE 5-1 An Access Matrix Example
TABLE 5-2 TCSEC Classes
TABLE 5-3 ITSEC Functionality (F) Classes and Evaluation (E) Levels Mapped to TC...
TABLE 5-4 The Common Criteria
TABLE 5-5 General Fencing Height Requirements
TABLE 5-6 Fire Classes and Suppression/Extinguishing Methods
TABLE 5-7 Electrical Anomalies
Chapter 6
TABLE 6-1 Connection-Oriented and Connectionless-Oriented Protocols
TABLE 6-2 Bit Position Values in an IPv4 Address
TABLE 6-3 Binary Notation of Octet Values
TABLE 6-4 IP Address Classes
TABLE 6-5 Decimal, Hexadecimal, and Binary Notation
TABLE 6-6 Wireless LAN Standards
TABLE 6-7 Circuit Switching versus Packet Switching
TABLE 6-8 Common Telecommunications Circuits
TABLE 6-9 Common Twisted-Pair Cable Categories
TABLE 6-10 Cable Types and Characteristics
Chapter 7
TABLE 7-1 Generally Accepted Standards for Biometric Systems
TABLE 7-2 General Characteristics of Finger Scan and Hand Geometry Systems
TABLE 7-3 General Characteristics of Retina and Iris Pattern Systems
TABLE 7-4 General Characteristics of Voice Recognition and Signature Dynamics Sy...
List of Illustrations
Chapter 2
FIGURE 2-1: Make your own personal business cards.
Chapter 3
FIGURE 3-1: The CIA triad.
FIGURE 3-2: Attack tree for a mobile banking application.
Chapter 4
FIGURE 4-1: Example document marking.
Chapter 5
FIGURE 5-1: Attack tree for a mobile banking application.
FIGURE 5-2: AWS shared responsibility matrix.
FIGURE 5-3: Azure shared responsibility matrix.
FIGURE 5-4: Protection rings provide layers of defense in a system.
FIGURE 5-5: Encryption and decryption.
FIGURE 5-6: Link encryption.
FIGURE 5-7: Sending a message using asymmetric key cryptography.
FIGURE 5-8: Verifying message authenticity using asymmetric key cryptography.
FIGURE 5-9: Encrypting and signing a message using asymmetric key cryptography....
FIGURE 5-10: Diffie-Hellman key exchange is used to generate a symmetric key fo...
FIGURE 5-11: A fire needs these three elements to burn.
Chapter 6
FIGURE 6-1: The seven layers of the OSI model.
FIGURE 6-2: Data encapsulation in the OSI model.
FIGURE 6-3: The TCP three-way handshake.
FIGURE 6-4: The LLC and MAC sublayers.
FIGURE 6-5: Comparing the OSI model and the TCP/IP Model.
Chapter 7
FIGURE 7-1: Use CER to compare FAR and FRR.
FIGURE 7-2: Typical identity and access management system architecture.
FIGURE 7-3: Role-based access control.
FIGURE 7-4: Kerberos: Login initiation (step 1).
FIGURE 7-5: Kerberos: Client/TGS session key and TGT generation (step 2).
FIGURE 7-6: Kerberos: Login completion (step 3).
FIGURE 7-7: Kerberos: Requesting services (step 4).
FIGURE 7-8: Kerberos: Client/Server session key and service ticket generation (...
FIGURE 7-9: Kerberos: Decrypt Client/Server session key (step 6).
FIGURE 7-10: Kerberos: Client/server communications (step 7).
Chapter 10
FIGURE 10-1: The DevOps life cycle process.
FIGURE 10-2: The concept of Shift Security Left.
FIGURE 10-3: An example of software library attributions for a software applica...
Introduction
Since 1994, security practitioners around the world have been pursuing a well-known and highly regarded professional credential: the Certified Information Systems Security Professional (CISSP) certification. And since 2001, CISSP For Dummies has been helping security practitioners enhance their security knowledge and earn the coveted CISSP certification.
Today, there are approximately 140,000 CISSPs worldwide. Ironically, some skeptics might argue that the CISSP certification is becoming less relevant because so many people have earned it. But the CISSP certification isn’t less relevant because more people are attaining it; more people are attaining it because it’s more relevant now than ever. Information security is far more important than at any time in the past, with extremely large-scale data security breaches and highly sophisticated cyberattacks becoming all too frequent occurrences in our modern era.
Many excellent and reputable information security training and education programs are available. In addition to technical and industry certifications, many fully accredited postsecondary degree, certificate, and apprenticeship programs are available for information security practitioners. And there certainly are plenty of self-taught, highly skilled people working in the information security field who have a strong understanding of core security concepts, techniques, and technologies. But inevitably, there are also far too many charlatans who are all too willing to overstate their security qualifications, preying on the obliviousness of business and other leaders to pursue a fulfilling career in the information security field (or for other, more-dubious purposes).
The CISSP certification is widely regarded as the professional standard for information security professionals. It enables security professionals to distinguish themselves from others by validating both their knowledge and experience. Likewise, it enables businesses and other organizations to identify qualified information security professionals and verify the knowledge and experience of candidates for critical information security roles in their organizations. Thus, the CISSP certification is more relevant and important than ever before.
About This Book
Some people say that a CISSP candidate requires a breadth of knowledge many miles across but only a few inches deep. To embellish on this statement, we believe that a CISSP candidate is more like the Great Wall of China, with a knowledge base extending over 3,500 miles — with maybe a few holes here and there, stronger in some areas than others, but nonetheless one of the Seven Wonders of the Modern World.
The problem with lots of CISSP preparation materials is defining how high (or deep) the Great Wall is. Some material overwhelms and intimidates CISSP candidates, leading them to believe that the wall is as high as it is long. Other study materials are perilously brief and shallow, giving the unsuspecting candidate a false sense of confidence while attempting to step over the Great Wall, careful not to stub a toe. To help you avoid either misstep, CISSP For Dummies answers the question, What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?
Our goal in this book is simple: to help you prepare for and pass the CISSP examination so that you can join the ranks of respected certified security professionals who dutifully serve and protect organizations and industries around the world. Although we’ve stuffed it chock-full of good information, we don’t expect that this book will be a weighty desktop reference on the shelf of every security professional — although we certainly wouldn’t object.
Also, we don’t intend for this book to be an all-purpose, be-all-and-end-all, one-stop shop that has all the answers to life’s great mysteries. Given the broad base of knowledge required for the CISSP certification, we strongly recommend that you use multiple resources to prepare for the exam and study as much relevant information as your time and resources allow. CISSP For Dummies, 7th Edition, provides the framework and the blueprint for your study effort and sufficient information to help you pass the exam, but by itself, it won’t make you an information security expert. That takes knowledge, skills, and experience!
Finally, as a security professional, earning your CISSP certification is only the beginning. Business and technology, which have associated risks and vulnerabilities, require us, as security professionals, to press forward constantly, consuming vast volumes of knowledge and information in a constant tug-of-war against the bad guys. Earning your CISSP is an outstanding achievement and an essential hallmark in a lifetime of continuous learning.
Foolish Assumptions
It’s been said that most assumptions have outlived their uselessness, but we assume a few things nonetheless! Mainly, we assume the following:
You have at least five years of professional experience in two or more of the eight domains covered on the CISSP exam (corresponding to chapters 3 through 10 of this book). Actually, this is more than an assumption; it’s a requirement for CISSP certification. Even if you don’t have the minimum experience, however, some experience waivers are available for certain certifications and college education (we cover the specifics in Chapter 1), and you can still take the CISSP exam and apply for certification after you meet the experience requirement.
You have general IT experience, perhaps even many years of experience. Passing the CISSP exam requires considerable knowledge of information security and underlying IT technologies and fundamentals such as networks, operating systems, and programming.
You have access to the Internet. Throughout this book, we provide lots of URLs for websites about technologies, standards, laws, tools, security associations, and other certifications that you’ll find helpful as you prepare for the CISSP exam.
You are a white hat security professional. By this, we mean that you act lawfully and will have no problem abiding by the (ISC)² Code of Ethics (which is a requirement for CISSP certification).
Icons Used in This Book
Throughout this book, you occasionally see icons in the left margin that call attention to important information that’s particularly worth noting. You won’t see smiley faces winking at you or any other cute little emoticons, but you’ll definitely want to take note! Here’s what to look for and what to expect.
Cross-reference This icon identifies the CISSP Common Body of Knowledge (CBK) objective that is covered in each section.
Remember This icon identifies general information and core concepts that are well worth committing to your nonvolatile memory, your gray matter, or your noggin — along with anniversaries, birthdays, and other important stuff. You should certainly understand and review this information before taking your CISSP exam.
Tip Tips are never expected but always appreciated, and we sure hope that you’ll appreciate these tips! This icon flags helpful suggestions and tidbits of useful information that may save you some time and headaches.
Warning This icon marks the stuff your mother warned you about. Well, okay, probably not, but you should take heed nonetheless. These helpful alerts point out confusing or difficult-to-understand terms and concepts.
Technical stuff You won’t find a map of the human genome or the secret to cold fusion in this book (or maybe you will), but if you’re an insufferable insomniac, take note. This icon explains the jargon beneath the jargon and is the stuff that legends — or at least nerds — are made of. So if you’re seeking to attain the seventh level of NERD-vana, keep an eye out for these icons!
Beyond the Book
In addition to what you’re reading right now, this book comes with a free, access-anywhere Cheat Sheet that includes tips to help you prepare for the CISSP exam and your date with destiny (your exam day). To get this Cheat Sheet, simply go to www.dummies.com and type CISSP For Dummies Cheat Sheet in the Search box.
You also get access to hundreds of practice CISSP exam questions, as well as dozens of flash cards. Use the exam questions to identify specific topics and domains that you may need to spend a little more time studying and to become familiar with the types of questions you’ll encounter on the CISSP exam (including multiple-choice, drag-and-drop, and hotspot). To gain access to the online practice, all you have to do is register. Just follow these simple steps:
Register your book or e-book at Dummies.com to get your personal identification number (PIN).
Go to www.dummies.com/go/getaccess.
Choose your product from the drop-down list on that page.
Follow the prompts to validate your product.
Check your email for a confirmation message that includes your PIN and instructions for logging in.
If you don’t receive this email within two hours, please check your spam folder before contacting us through our support website at http://support.wiley.com or by phone at +1 (877) 762-2974.
Now you’re ready to go! You can come back to the practice material as often as you want. Simply log in with the username and password you created during your initial login; you don’t need to enter the access code a second time.
Your registration is good for one year from the day you activate your PIN.
Where to Go from Here
If you don’t know where you’re going, any chapter will get you there, but Chapter 1 may be a good place to start. If you see a particular topic that piques your interest, however, feel free to jump ahead to that chapter. Each chapter is individually wrapped (but not packaged for individual sale) and written to stand on its own, so feel free to start reading anywhere and skip around! Read this book in any order that suits you (though we don’t recommend upside down or backward).
Part 1
Getting Started with CISSP Certification
IN THIS PART …
Get acquainted with (ISC)² and the CISSP certification.
Advance your security career as a CISSP.
Chapter 1
(ISC)² and the CISSP Certification
IN THIS CHAPTER
- Learning about (ISC)² and the CISSP certification
- Understanding CISSP certification requirements
- Developing a study plan
- Registering for the exam
- Taking the CISSP exam
- Getting your exam results
In this chapter, you get to know the (ISC)² and learn about the CISSP certification, including professional requirements, how to study for the exam, how to get registered, what to expect during the exam, and (of course) what to expect after you pass the CISSP exam!
About (ISC)² and the CISSP Certification
The International Information System Security Certification Consortium (ISC)² (https://www.isc2.org) was established in 1989 as a not-for-profit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.
The CISSP was the first information security credential accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024 standard. This international standard helps ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate’s competence for the certification. This process helps a certification gain industry acceptance and credibility as more than just a marketing tool for certain vendor-specific certifications (a widespread criticism that has diminished the popularity of many vendor certifications over the years).
Technical stuff The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.
The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)² and defined through eight distinct domains:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
You Must Be This Tall to Ride This Ride (And Other Requirements)
The CISSP candidate must have a minimum of the equivalent of five cumulative years of professional (paid), full-time, direct work experience in two or more of the domains listed in the preceding section. Full-time experience is accrued monthly and requires full-time employment for a minimum of 35 hours per week and 4 weeks per month to get credit for 1 month of full-time work experience. Part-time experience can also be credited if you are employed fewer than 35 hours per week but at least 20 hours per week; 1,040 hours of part-time experience would be the equivalent of 6 months of full-time experience. Credit for work experience can also be earned for paid or unpaid internships. You’ll need documentation from the organization confirming your experience or from the registrar if you’re interning at a school.
The work experience requirement is a hands-on one; you can’t satisfy the requirement just by having information security listed as one of your job responsibilities. You need to have specific knowledge of information security and to perform work that requires you to apply that knowledge regularly. Some examples of full-time information security roles that might satisfy the work experience requirement include (but aren’t limited to)
Security analyst
Security architect
Security auditor
Security consultant
Security engineer
Security manager
Examples of information technology roles for which you can gain partial credit for security work experience include (but aren’t limited to)
Systems administrator
Network administrator
Database administrator
Software developer
For any of these preceding job titles, your particular work experience might result in your spending some of your time (say, 25 percent) doing security-related tasks. This is legitimate for security work experience. Five years as a systems administrator, for example, spending a quarter of your time doing security-related tasks, earns you 1.25 years of security experience.
Furthermore, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:
A four-year college degree (or regional equivalent)
An advanced degree in information security from one of the National Centers of Academic Excellence in Cyber Defense (CAE-CD)
A credential that appears on the (ISC)²-approved list, which includes more than 45 technical and professional certifications, such as various SANS GIAC certifications, Cisco and Microsoft certifications, and CompTIA Security+ (For the complete list, go to https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway.)
See Chapter 2 to learn more about relevant certifications on the (ISC)²-approved list for an experience waiver.
Tip In the U.S., CAE-CD programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense.
If you don’t have the minimum required experience to become a CISSP, you can still take the CISSP certification exam and become an associate of (ISC)². Then you’ll have six years to meet the minimum experience requirement and become a fully certified CISSP.
Preparing for the Exam
Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or online training environment, (ISC)² offers CISSP training seminars.
We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your personal experience and learning ability, but plan on a minimum of 2 hours a day for 60 days. If you’re a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day — and more on the weekends. But stick to the 60-day plan. If you need 360 hours of study, you may be tempted to spread this study over a 6-month period for 2 hours a day. Consider, however, that committing to six months of intense study is much harder (on you, as well as your family and friends) than two months. In the end, you’ll likely find yourself studying only as much as you would have in a 60-day period anyway.
Studying on your own
Self-study might include books and study references, a study group, and practice exams.
Begin by downloading The Ultimate Guide to the CISSP from the (ISC)² website at https://www.isc2.org/Certifications/CISSP. This guide provides a good overview of the CISSP certification and the exam, as well as links to several helpful CISSP study resources.
Next, read this (ISC)²-approved book, and review the online practice at www.dummies.com. (See the introduction for more information.) CISSP For Dummies is written to provide a thorough and essential review of all the topics covered on the CISSP exam. Then read any additional study resources to further your knowledge and reinforce your understanding of the exam topics. You can find several excellent study resources in the official CISSP Certification Exam Outline. Finally, rinse and repeat: Do another quick read of CISSP For Dummies as a final review before you take the actual CISSP exam.
Warning Don’t rely on CISSP For Dummies (as awesome and comprehensive as it is!) or any other book — no matter how thick it is — as your sole resource to prepare for the CISSP exam.
Joining a study group can help you stay focused and provide a wealth of information from other security professionals’ broad perspectives and experiences. It’s also an excellent networking opportunity (the talking-to-real-people type of network, not the TCP/IP type of network)! Study groups or forums can be hosted online or at a local venue. Find a group that you’re comfortable with and that’s flexible enough to accommodate your schedule and study needs. Or create your own study group!
Finally, answer lots of practice exam questions. Many resources are available for CISSP practice exam questions. Some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don’t despair! The repetition of practice questions helps reinforce important information that you need to know to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Start with the online practice at www.dummies.com (see the introduction for more information).
Warning No practice exams exactly duplicate the CISSP exam. And forget about brain dumps. Using or contributing to brain dumps is unethical and is a violation of the (ISC)² nondisclosure agreement, which could result in your losing your CISSP certification permanently.
Getting hands-on experience
Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities while you prepare for the CISSP exam.
If you’re weak in networking or applications development, for example, talk to the networking group or developers in your company. They may be able to show you a few things that can help you make sense of the volumes of information that you’re trying to digest.
Tip Your company or organization should have a security policy that’s readily available to its employees. Get a copy, and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn’t have a security policy, perhaps now is a good time for you to educate management about issues of due care and due diligence as they relate to information security. Review your company’s plans for business continuity and disaster recovery, for example. Those plans don’t exist? Perhaps you can lead this initiative to help both yourself and your company.
Getting official (ISC)² CISSP training
Classroom-based CISSP training is available as a five-day, eight-hours-a-day seminar led by (ISC)²-Authorized Instructors at (ISC)² facilities and (ISC)² Official Training Providers worldwide. Private onsite training is also available, led by (ISC)²-Authorized Instructors and taught in your office space or a local venue. This option is convenient and cost-effective if your company sponsors your CISSP certification and has 10 or more employees taking the CISSP exam. If you generally learn better in a classroom environment or find that you have knowledge or experience in only two or three of the domains, you might seriously consider classroom-based training or private onsite training.
If it’s not convenient or practical for you to travel to a seminar, online training seminars provide the benefits of learning from an (ISC)²-Authorized Instructor at your computer. Online training seminars include real-time, instructor-led seminars offered on a variety of schedules, with weekday, weekend, and evening options to meet your needs, as well as access to recorded course sessions for 60 days. Self-paced training is another convenient online option that provides virtual lessons taught by authorized instructors with modular training and interactive study materials. Self-paced online training can be accessed from any web-enabled device for 120 days and is available any time and as often as you need.
You can find information, schedules, and registration forms for official (ISC)² training at https://www.isc2.org/Certifications/CISSP.
Tip The American Council on Education’s College Credit Recommendation Service has evaluated and recommended three college credit hours for completing an Official (ISC)² CISSP Training Seminar. Check with your college or university to find out whether these credits can be applied to your degree requirements.
Attending other training courses or study groups
Other reputable organizations offer high-quality training in both classroom and self-study formats. Before signing up and spending your money, we suggest you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends on the instructor; for this reason, try to find out from others whether the proposed instructor is as helpful as they are reported to be.
Many cities have self-study groups, usually run by CISSP volunteers. You may find a study group where you live, or if you know some CISSPs in your area, you might ask them to help you organize a self-study group.
Tip Always confirm the quality of a study course or training seminar before committing your money and time.
Taking practice exams
Taking practice exams is a great way to get familiar with the types of questions and topics you’ll need to be familiar with for the CISSP exam. Be sure to take advantage of the online practice exam questions that are included with this book. (See the introduction for more information.) Although the practice exams don’t simulate the adaptive testing experience, you can simulate a worst-case scenario by configuring the test engine to administer 150 questions (the maximum number you might see on the CISSP exam) with a time limit of 3 hours (the maximum amount of time you’ll have to complete the CISSP exam). Learn more about computer-adaptive testing for the CISSP exam in the "About the CISSP Examination" section later in this chapter and on the (ISC)² website at https://isc2.org/Certifications/CISSP/CISSP-CAT.
Remember To study for the CISSP exam successfully, you need to know your most effective learning styles. Boot camps are best for some people, for example, whereas others learn better over longer periods. Furthermore, some people get more value from group discussions, whereas reading alone works better for others. Know thyself, and use what works best for you.
Are you ready for the exam?
Are you ready for the big day? We can’t answer this question for you. You must decide, based on your learning factors, study habits, and professional experience, when you’re ready for the exam. Unfortunately, there is no magic formula for determining your chances of success or failure on the CISSP examination.
In general, we recommend a minimum of two months of focused study. Read this book, and continue taking the practice exam on the Dummies.com website until you consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information you need to know to pass the CISSP examination. Read this book (and reread it) until you’re comfortable with the information presented and can successfully recall and apply it in each of the eight domains. Continue by reviewing other study materials (particularly in your weak areas), actively participating in an online or local study group, and taking as many practice exams from as many sources as possible.
Then, when you feel like you’re ready for the big day, find a romantic spot, take a knee, and — wait, wrong big day! Find a secure Wi-Fi hotspot (or other Internet connection), take a seat, and register for the exam!
Registering for the Exam
The CISSP exam is administered via computer-adaptive testing at local Pearson VUE testing centers worldwide. To register for the exam, go to the (ISC)² website (https://www.isc2.org/Register-For-Exam) and click the Register link, or go directly to the Pearson VUE website (www.pearsonvue.com/isc2).
On the Pearson VUE website, you first need to create an account for yourself; then you can register for the CISSP exam, schedule your test, and pay your testing fee. You can also locate a nearby test center, take a Pearson VUE testing tutorial, practice taking the exam (which you should definitely do if you’ve never taken a computer-based test), and then download and read the (ISC)² nondisclosure agreement (NDA).
Tip Download and read the (ISC)² NDA when you register for the exam. Sure, the text is legalese, but it isn’t unusual for CISSPs to be called upon to read contracts, license agreements, and other boring legalese as part of their information security responsibilities, so get used to reading it (and also get used to not signing legal documents without actually reading them)! You’re given five minutes to read and accept the agreement at the start of your exam, but why not read the NDA in advance so that you can avoid the pressure and distraction on exam day and simply accept the agreement? If you don’t accept the NDA in the allotted five minutes, your exam will end, and you’ll forfeit your exam fees!
When you register, you’re required to quantify your relevant work experience, answer a few questions regarding any criminal history and other potentially disqualifying background information, and agree to abide by the (ISC)² Code of Ethics.
The current exam fee in the United States is $749. You can cancel or reschedule your exam by contacting Pearson VUE by telephone at least 24 hours in advance of your scheduled exam or online at least 48 hours in advance. The fee to reschedule is $50. The fee to cancel your exam appointment is $100.
Warning If you fail to show up for your exam or you’re more than 15 minutes late for your exam appointment, you’ll forfeit your entire exam fee!
Tip Great news! If you’re a U.S. military veteran and are eligible for Montgomery GI Bill or Post-9/11 GI Bill benefits, the Veterans Administration will reimburse you for the full cost of the exam, whether you pass or fail. In some cases, (ISC)² Official Training Providers also accept the GI Bill for in-person certification training.
About the CISSP Examination
The CISSP examination itself is a grueling 3-hour, 100- to 150-question marathon. To put that into perspective, in three hours, you could run an actual (mini) marathon, watch Gone with the Wind, Titanic, or one of the Lord of the Rings movies, or cook a 14-pound turkey. Each of these feats, respectively, closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.
The CISSP exam is an adaptive exam, which means that the test changes based on how you’re doing. The exam starts out relatively easy and gets progressively harder as you answer questions correctly. That’s right: the better you do on the exam, the harder it gets. But that’s not a bad thing! Think of it as being like skipping a grade in school because you’re smarter than the average bear. The CISSP exam assumes that if you can answer harder questions about a given topic, logically, you can answer easier questions about that same topic, so why waste your time?
You’ll have to answer a minimum of 100 questions. After you’ve answered the minimum number of questions, the testing engine will either conclude the exam (if it determines with 95 percent confidence that you’re statistically likely to pass or fail the exam) or continue asking up to a maximum of 150 questions until it reaches 95 percent confidence in either result. If you answer all 150 questions, the testing engine will determine whether you passed or failed based on your answers. If you run out of time (exceed the 3-hour time limit) but have answered the minimum number of questions (100), the testing engine will determine whether you passed or failed based on your answers to the questions you completed.
The CISSP exam contains 25 pre-test items. They are included for research purposes only. (Taking the test is kind of like being a test dummy — for dummies.) The exam doesn’t identify which questions are real and which are trial questions, however, so you’ll have to answer all questions truthfully and honestly and to the best of your ability!
There are three types of questions on the CISSP exam:
Multiple choice: Select the best answer from four choices, as in this example:
Which of the following is the FTP control channel?
A: TCP port 21
B: UDP port 21
C: TCP port 25
D: IP port 21
The FTP control channel is port 21, but is it TCP, UDP, or IP?
Drag and drop: Drag and drop the correct answer (or answers) from a list of possible answers on the left side of the screen to a box on the right side of the screen. Here’s an example:
Which of the following are message authentication algorithms? Drag and drop the correct answers from left to right.
[Illustration: the list of possible answers and the correct answers. © John Wiley & Sons, Inc.]
MD5, SHA-2, and HMAC are all correct. You must drag and drop all three answers to the box on the right for the answer to be correct.
Hotspot: Select the object in a diagram that best answers the question, as in this example:
Which of the following diagrams depicts a relational database model?
[Illustration: four database-model diagrams, one of which is a relational database model. © John Wiley & Sons, Inc.]
Click one of the four panels to select your answer choice.
As described by (ISC)², you need a scaled score of 700 (out of 1000) or better to pass the examination. All three question types are weighted equally, but not all questions are weighted equally. Harder questions are weighted more heavily than easier questions, so there’s no way to know how many correct answers are required for a passing score. But wait — it gets even better! On the adaptive exam, you no longer get a score when you complete the CISSP exam; you’ll get either a pass or fail result. Think of this situation as being like watching a basketball game with no scoreboard or a boxing match with no indication of who’s winning until the referee raises the victor’s arm.
All questions on the CISSP exam require you to select the best answer (or answers) from the choices presented. The correct answer isn’t always a straightforward, clear choice. (ISC)² goes to great pains to ensure that you really, really know the material.
Tip A common, effective test-taking strategy for multiple-choice questions is to read each question carefully and eliminate any obviously wrong choices. The CISSP examination is no exception.
Warning Wrong choices aren’t necessarily obvious on the CISSP examination. You may find a few obviously wrong choices, but they stand out only to someone who has studied thoroughly for the exam.
The Pearson VUE computer-adaptive, 3-hour, 100- to 150-question version of the CISSP examination is currently available only in English. If you prefer to take the CISSP exam in Chinese (simplified — the language, not the exam), French, German, Japanese, Korean, Portuguese, or Spanish because that’s your native language (or if you don’t speak the language but really want to challenge yourself), you’ll have to take a form-based, 6-hour, 250-question version of the CISSP exam — what many of us would refer to as the old school exam. You’re permitted to bring a foreign-language dictionary (nonelectronic and nontechnical) to the exam, if you need one. Also, testing options are available for the visually impaired. You need to indicate your preferences when you register for the exam.
After the Examination
In most cases, you’ll receive your unofficial test results at the testing center as soon as you complete your exam, followed by an official email from (ISC)².
Warning In some rare instances, your unofficial results may not be available immediately. (ISC)² analyzes score data during each testing cycle; if there aren’t enough test results early in the testing cycle, your results could be delayed up to eight weeks.
If, for some reason, you don’t pass the CISSP examination — say that you read only this chapter of CISSP For Dummies, for example — you’ll have to wait 30 days to try again. If that happens, we strongly recommend that you read the rest of this book during those 30 days! If you fail a second time, you’ll have to wait 90 days to try again. If that happens, we most strongly recommend and highly urge you to read the rest of this book — perhaps a few times — during those 90 days! Finally, if you fail on your third attempt, you’ll have to wait 180 days. You’ll have no more excuses; you’ll definitely need to read, reread, memorize, comprehend, recite, ingest, and regurgitate this book several times!
After earning your CISSP certification, you must remain an (ISC)² member in good standing and renew your certification every three years. You can renew the CISSP certification by accumulating 120 Continuing Professional Education (CPE) credits or by retaking the CISSP examination. You must earn a minimum of 40 CPE credits during each year of your 3-year recertification cycle. You earn CPE credits for various activities, including taking educational courses or attending seminars and security conferences, belonging to association chapters and attending meetings, viewing vendor presentations, completing university or college courses, providing security training, publishing security articles or books, serving on relevant industry boards, taking part in self-study, and doing related volunteer work. You must document your annual CPE activities on the secure (ISC)² website to receive proper credit. You’re also required to pay a $125 (U.S.) annual maintenance fee to (ISC)². Maintenance fees are billed in arrears for the preceding year, and you can pay them in the secure members’ area of the (ISC)² website.
Warning Be sure to be truthful on your CPE reporting, and retain evidence of your training. (ISC)² audits some CPE submissions.
Tip As soon as you receive your certification, register on the (ISC)² website, and provide your contact information. (ISC)² reminds you of your annual maintenance fee, board of directors elections, annual meetings, training opportunities, and events, but only if you maintain your contact info — particularly your email address.
Chapter 2
Putting Your Certification to Good Use
IN THIS CHAPTER
Staying active as an (ISC)² member
Discovering the joy of giving back
Working with others in your local security community
Getting the word out about CISSP certification
Bringing about change in your organization
Advancing your career with other certifications
Finding a mentor and being a mentor
Achieving security excellence
Although this book is devoted to helping you earn your CISSP certification, we thought it would be a good idea to include a few things you might consider doing after you’ve earned your CISSP. If you’re still exploring the CISSP certification, the information in this chapter will help you better understand many of the benefits of being a CISSP, including your role in helping others.
So what do you do after you earn your CISSP? You can do plenty of things to enhance your professional career and the global community. Here are just a few ideas!
Networking with Other Security Professionals
Unless you work for a large organization, there probably aren’t many other information security (infosec) professionals in your organization. You may be the only one! Yes, it can feel lonely at times, so we suggest that you find ways to make connections with infosec professionals in your area and beyond. Many of the activities described in this chapter provide networking opportunities. If you haven’t been much of a social butterfly before, and your professional network is somewhat limited, get ready to take your career to a whole new level as you meet like-minded security professionals and potentially build lifelong friendships.
THE POWER OF ONLINE BUSINESS NETWORKING
We promise that we have no affiliations with LinkedIn when we say it, but hear this: LinkedIn is one of the best business networking tools to come along since the telephone and the business card. LinkedIn can help you expand your networking horizons and help you make contacts with other business professionals in your company, your profession, your region, and far beyond.
Chances are that you aren’t new to LinkedIn, so we’ll skip the basics here. People in the infosec business are a bit particular, however, and that’s what we want to discuss. Infosec professionals tend to be skeptical. After all, we’re paid to be paranoid, as we sometimes say, because the bad guys (and gals) are out to get us. This skepticism relates to LinkedIn in this way: Most of us are wary of making connections with people we don’t know. So as you begin to network with other infosec professionals on LinkedIn, tread lightly, and proceed slowly. It’s best to start making connections with people you actually know and people you’ve actually met. If you make connection requests with infosec people you haven’t met, there’s a pretty good chance that they’ll ignore you or decline the request. They’re not being rude; they’re just aware of the fact that many scammers out there will build fake connections in the hope of earning your trust and pulling some kind of ruse later.
Similarly, if you’ve been one of those open networkers in the past, don’t be surprised if others are a bit reluctant to connect with you, even those you’ve met. As you transition into an infosec career, you’ll find that the rules are a bit different.
Bottom line: LinkedIn can be fantastic for networking and learning, but do know that infosec professionals march to the beat of a different drummer.
Remember It’s not what you know, but who you know. (Well, what you know matters too!)
If you’re just getting started in your infosec career (regardless of your age or other career experience), you’ll likely meet other infosec professionals who have at some point in their careers been in your shoes, and who will be happy to help you find answers and solutions to some of those elusive questions and challenges that may be perplexing you. You may find that you’re initially doing more taking than giving, but make sure that you’re at least showing your appreciation and gratitude for their help — and remember to give back later in your career when someone new to infosec asks to pick your brain for some helpful insight.
As you venture out in search of other infosec professionals, put your smile on, and bring plenty of business cards. (Print your own if your employer doesn’t provide any.) You’re sure to make new friends and experience growth in the security business that may delight you.
Being an Active (ISC)² Member
Being an active (ISC)² member is easy! Besides volunteering (see the following section), you can participate in several other activities, including the following:
Attend the (ISC)² Congress. For years, (ISC)² rode the coattails of ASIS (formerly the American Society for Industrial Security; we blame Kentucky Fried Chicken for becoming KFC and starting the trend of businesses and organizations dropping the original meaning behind their acronyms!) and occupied a corner of the ASIS annual conference. But in 2016, (ISC)² decided that it was time to strike out on its own and run its own conference. In 2017, one of your authors (first name starts with P) attended and spoke at the very first stand-alone (ISC)² Congress and found it to be a first-class affair every bit as good as those other great national and global conferences. Find out about the next (ISC)² Congress at https://congress.isc2.org.
Vote in (ISC)² elections. Every year, one-third of the (ISC)² board of directors is elected to serve three-year terms. As a CISSP in good standing, you’ve earned the right to vote in the (ISC)² elections. Exercise that right! The best part is becoming familiar with other CISSPs who run for board positions so you can select those who will best advance the (ISC)² mission. You can read the candidates’ biographies and understand the agendas they’ll pursue if elected. With your vote, you’re doing your part to ensure that the future of (ISC)² rests in good hands with directors who can provide capable leadership and vision.
Attend (ISC)² events. (ISC)² conducts several in-person and virtual events each year, from networking receptions to conferences and educational events. (ISC)² often holds gatherings at larger industry conferences such as RSA and BlackHat. Check the (ISC)² website regularly to find out more about virtual events and live events in your area.
Join an (ISC)² chapter. (ISC)² has more than 150 chapters in more than 50 countries. You can find out more at www.isc2.org/chapters. You have many great opportunities to get involved in local chapters, including chapter leadership, chapter activities, and community outreach projects. Chapter events are also great opportunities to meet other infosec professionals.
Partake in free training. (ISC)² offers lab-style courses, immersive courses, and express training at the Professional Development Institute that can help expand your horizons. Find out more at www.isc2.org/Development.
Enjoy exclusive resources and discounts. (ISC)² membership has many perks in the form of discounts and access to exclusive content and services. Find out more at www.isc2.org/Member-Resources/Exclusive-Benefits.
Wear your digital badge proudly. You can set up your digital badges and use them on LinkedIn, business cards, blogs, and elsewhere. Best of all, they’re free. Learn more at https://credly.com.
Tip It’s important for (ISC)² to have your correct contact information. As soon as you become a CISSP (or even before), make sure that your profile is accurate and complete so that you’ll receive announcements about activities.
Considering (ISC)² Volunteer Opportunities
(ISC)² is much more than a certifying organization: It’s also a cause, and you might even say it’s a movement. It’s security professionals’ raison d’être, the reason we exist — professionally, anyway. As one of us, consider throwing your weight into the cause.
Volunteers have made (ISC)² what it is today, and they make valuable contributions toward your certification. You can’t stand on the sidelines and watch others do the work. Use your talents to help those who’ll come after you. You can help in many ways. For information about volunteering, see the (ISC)² Volunteering website (www.isc2.org/Membership/Volunteer-Grow).
Tip Most sanctioned (ISC)² volunteer activities are eligible for CPE credits. Check with (ISC)² for details.
Writing certification exam questions
The state of technology, laws, standards, and practices within the CISSP Common Body of Knowledge (CBK) is continually changing and advancing. To be effective and relevant, CISSP exams need to have fresh new exam questions that reflect how security is done today. Therefore, people working in the industry — such as you — need to write new questions. If you’re interested in being a question writer, visit the (ISC)² website to apply.
Speaking at events
(ISC)² now holds more security-related events worldwide than it has at any other time in its history. More often than not, (ISC)² speakers are local volunteers — experts in their professions who want to share with others what they know. If you have an area of expertise or a unique perspective on CISSP-related issues, consider educating others via a speaking engagement. For more information, visit the (ISC)² website at www.isc2.org/Membership/Volunteer-Grow, and find the speaking opportunities that interest you.
Tip If you speak at an (ISC)² Congress, your conference fees are waived. You need to pay only for transportation, lodging, and meals.
Helping at (ISC)² conferences
(ISC)² puts on a fantastic annual conference called the (ISC)² Congress. This conference is an excellent opportunity to learn new topics and meet other infosec professionals. But the conference doesn’t run itself; it’s powered by volunteers! Go to the (ISC)² Congress website at https://congress.isc2.org to find information about volunteering.
Reading and contributing to (ISC)² publications
(ISC)² publishes quarterly online magazines called InfoSecurity Professional INSIGHTS and Cloud Security INSIGHTS that are associated with InfoSecurity Professional magazine. You can find out more at www.isc2.org/InfoSecurity-Professional/InfoSecurity-Professional-Insights.
The (ISC)² Blog is a free online publication for all (ISC)² members. Find the blog, as well as information about writing articles, at https://blog.isc2.org.
Supporting the (ISC)² Center for Cyber Safety and Education
The Center for Cyber Safety and Education, formerly the (ISC)² Foundation, is a not-for-profit charity formed by (ISC)² in 2011. The center is a conduit through which security professionals can reach society and empower students, teachers, and the general public to secure their online lives through cybersecurity education and awareness programs in the community. The center was formed to meet those needs and expand altruistic programs, such as Safe and Secure Online, the Information Security Scholarship Program, and industry research (the center’s three core programs). Find out more at www.iamcybersafe.org.
Participating in bug-bounty programs
As an (ISC)² member, you can earn CPE credits and contribute to a safer world by participating