Secured View: CISSP Certification
Are you game for CISSP?
A large number of security professionals around the world are pursuing CISSP certification.
Here are some valuable tips to help you prepare for the examination. by Avinash
Mention 'CISSP' (Certified Information Systems Security
Professional) to any information security professional and most likely, he or she
will already be considering the examination to acquire certification. The number
of CISSPs has grown from around 3,000 in the year 2000 to 23,000 in 2003. So
just what is it that has attracted security professionals all over the world
towards this certification?
The CISSP exam is conducted by International Information
Systems Security Certification Consortium, abbreviated as (ISC)2, chartered
in 1989. The basis of this examination is understanding of the Common Body of
Knowledge (CBK), which is a compendium of information security knowledge. The
certification process itself requires fulfillment of the following conditions:
1. Subscribe to the (ISC)2 Code of Ethics.
2. Pass the CISSP Certification examination.
3. Endorsement by a CISSP or equivalent qualified professional.
4. Minimum professional experience of four years; graduates require three years.
If you are already working in the information security
field, the conditions are not formidable. The challenge is to go through the
entire Common Body of Knowledge, which is very comprehensive. No topic on information
security is left out.
I have mapped the CISSP domains with BS7799 domains.
CISSP certifies an individual, whereas BS7799 certifies an organization; the
body of security knowledge remains the same, which is not surprising. So, if
you are concerned about information security, you need professionals who have
a thorough understanding of all the security domains. CISSP endorses this knowledge,
hence the surge in its popularity.
Details of the main topics for each domain are given
in the CISSP Study Guide, which can be downloaded from the (ISC)2 website. In
brief these are:
Security Management Practices: This domain requires
knowledge about security policies, organization structure, risk assessment,
roles and responsibilities, information classification, personnel security and
so on. This may seem routine to a technical person. However, you would be more
open to understanding these topics if you acknowledged the fact that security
is not just the domain of technical personnel alone; it is also a responsibility
of the entire organization. And you will be responsible for convincing everyone
(from top management to end-user) of its importance.
Security Architecture and Models: This is the domain
where candidates get a test of security beyond network security. Lots of security
models and standards are involved. You will need to understand the theoretical
basis of the Orange Book, Common Criteria standards and also models like
Bell-LaPadula. This is an interesting yet conceptually challenging module.
Access Control Systems & Methodology: Here, we
are again on familiar terrain. Various access control methods have to
be studied, including biometrics, PAP, CHAP, RADIUS, single sign-on, methods
of attack, penetration testing and intrusion detection.
Application Development Security: This is another slippery
domain for networking professionals, but a very essential component of security.
We have to study the application security issues like Java, ActiveX controls,
database security, data warehousing and data mining security, malicious code
and methods of attack, and various application development security issues.
Operations Security: This is one of those deceptively
simple domains, where, like the security management practices domain, everything
looks like common sense. The areas covered here are documenting operating procedures,
segregation of duties, media management, administrative management, operations
controls like input control, output control, auditing and so on. If you try
to answer the questions based on your experience of operations alone, your answers
may be limited in scope. So, be careful about this domain.
Physical Security: Physical security is very obvious.
But this is the domain where most of the candidates fail. The reason again is
overconfidence about answering questions using common sense. Are you sure you
know enough about adequate lighting for a premises, or the appropriate height
of a fence? Do spend sufficient time preparing for this domain.
Cryptography: This is another domain where a lot of
unfamiliar theory has to be covered, especially in the area of symmetric key
Telecommunications, Network, & Internet Security:
Here we are back to familiar territory. You will have to brush up your concepts
on the seven layers of the OSI Model and then study the security issues posed
by each layer, as well as the solutions.
Business Continuity Planning: Availability is one of
the major requirements for security, the other two being confidentiality and
integrity. This domain covers BCP/DRP (Business Continuity Planning/ Disaster
Recovery Planning), and requires one to study the traditional steps of Business
Continuity, from risk assessment, impact analysis and recovery strategy planning to
implementation, restoration and testing. Most of us do not have much experience
of an elaborate BCP, so we have to be careful about this domain.
Law, Investigations, & Ethics: This domain is not
about US laws but universally applicable principles of protection of intellectual
property, copyright, evidence gathering, investigation methods and incident
handling. You should carefully read the (ISC)2 code of ethics to answer the
questions pertaining to ethics.
The total time allotted for CISSP examination is six
hours. The examination consists of 250 objective type questions. For each, you
have to select the correct answer from four options. In answering each question,
you'll be able to eliminate two options, which are obviously incorrect ones
or 'distracters'. Your real test will be to choose the correct answer from the
remaining two options, which will be closely related. At times both may seem
to be the correct answers. This is where your conceptual clarity will help you
make the right choice.
No domain-wise distribution of questions has been specified.
So we do not know the weightage given to individual domains. Your result does
not contain the marks obtained by you. You are simply declared 'passed'. But
if you are unsuccessful, you get domain-wise details, and know which domain(s)
you failed. Essentially, it means that you cannot leave a domain as an option.
You have to study everything.
Preparation for the CISSP examination
With the requirement of a minimum of four years' experience,
we can safely assume that you have a basic understanding of the information
security field, and expertise in a few domains. Most likely, you would be a
networking professional with a good understanding of the security requirements of
networking. But you may not have the same level of knowledge about the other areas.
Where does one begin?
The CISSP study guide from the (ISC)2 website gives a list
of excellent books. Eventually, many of them will form part of your personal
library. Some of these books are available as Indian editions. The following
books are my favorites. These are affordable and authoritative.
1. Computer Networks, Fourth Edition, by Andrew S. Tanenbaum
2. Cryptography and Network Security, by William Stallings
3. Building Internet Firewalls, by Elizabeth Zwicky
4. Practical Unix & Internet Security, by Garfinkel & Spafford
5. TCP/IP Illustrated, Volume 1, by W. Richard Stevens
6. Security Engineering, by Ross Anderson
7. Inside Network Security Perimeter, by Stephen Northcutt
8. Information Systems Control & Audit, by Ron Weber
Another excellent source of study material is the National
Institute of Standards and Technology (NIST) publications. The Special Publication
(SP800) series covers almost every topic in the world of security, from physical
security to Web security and wireless security, and these are available
as free downloads.
Yet another free source is the SANS reading room.
Finally, use the popular 'Google' search site. Just
specify the word that you are looking for and you'll get a million references.
Just don't get lost in the sea of knowledge.
Popularity of CISSP has also given rise to 'Preparation
Guides'. These are condensed knowledge capsules. These give an overview of all
the topics, but not an in-depth explanation. You must supplement these books
with good technical books.
There are a number of Internet sites giving tips about
the examination and question banks. The preparation guides also give sample
questions. Do take the help of these for your preparation. Make sure to keep
track of those questions where your answers were wrong. Attempt these questions
again after a gap to see whether you are still giving wrong answers. If so, it means
that you need to reset your memory and refresh your understanding.
The questions here do not reflect the actual difficulty
level of the CISSP examination. The questions in the exam may be more difficult.
So do not get overconfident if you're scoring good marks in these sample questions.
(ISC)2 conducts official CISSP CBK review seminars
worldwide. These seminars are now held in India at a special price for Indian
nationals working in India. The instructors for these seminars are selected
and trained by (ISC)2. The five-day seminars review the entire CBK material
and also give a sample test. This is a good opportunity for those who find it
difficult to go through self-study mode and prefer the interactive atmosphere
of a seminar. Check the (ISC)2 website for seminar announcements.
Group discussions / Study circles
Form a study group. This will keep you motivated and
you will be able to discuss your doubts with others. You may even allocate topics
to different group members and ensure that they teach others. I personally found
that teaching is the best way to understand a subject. So, volunteer for the
most difficult topic. Others may tear you apart in this encounter with a barrage
of questions, but you will definitely emerge more knowledgeable. It would help
if you're able to rope in a CISSP in these groups. You may boost his ego by
calling him 'mentor'. Of course, the mentor should be able to spare his time
for this purpose.
Allocate at least six months for preparation, with
about 10 to 15 hours of study every week. You may not be able to adequately
cover all the topics in less than this period. There's a lot of theory, for
which you may not have had hands-on experience. Take this opportunity to bring
yourself up-to-date on all the security related subjects. You will have to maintain
the habit of studying, even after getting the CISSP certification, by earning
40 CPE (Continued Professional Education) points each year.
(ISC)2 conducts examinations in all metros in India
with regular frequency. Keep an eye on the website announcement. You should
be able to plan the target examination date well in advance.
Currently the examination fee is $450 but it is revised
to $499 from 1st Jan. 2004. After passing the examination, you have to pay an
annual maintenance fee of $65 along with the statement of having clocked in
the 40 CPE hours.
The US dollar price for these certifications is a major
deterrent, but the global recognition is the reason why people still want to
pursue CISSP examination and certification.
Avinash Kadam is Director, Miel e-Security, Pvt. Ltd.