Issue of November 2003 


Secured View: CISSP Certification

Are you game for CISSP?

A large number of security professionals around the world are pursuing CISSP certification. Here are some valuable tips to help you prepare for the examination.

by Avinash Kadam

Mention 'CISSP' (Certified Information Systems Security Professional) to any information security professional and, most likely, he or she will already be considering the examination to acquire the certification. The number of CISSPs has grown from around 3,000 in the year 2000 to 23,000 in 2003. So just what is it that has attracted security professionals all over the world to this certification?

The CISSP exam is conducted by the International Information Systems Security Certification Consortium, abbreviated as (ISC)2, chartered in 1989. The basis of this examination is an understanding of the Common Body of Knowledge (CBK), which is a compendium of information security knowledge. The certification process itself requires fulfillment of the following conditions:

1. Subscribe to the (ISC)2 Code of Ethics.
2. Pass the CISSP Certification examination.
3. Obtain endorsement from a CISSP or an equivalent qualified professional.
4. Have a minimum of four years' professional experience; graduates require three years of experience.

If you are already working in the information security field, the conditions are not formidable. The challenge is to go through the entire Common Body of Knowledge, which is very comprehensive. No topic on information security is left out.

I have mapped the CISSP domains to the BS7799 domains. CISSP certifies an individual, whereas BS7799 certifies an organization; not surprisingly, the body of security knowledge underlying both is the same. So, if you are concerned about information security, you need professionals who have a thorough understanding of all the security domains. CISSP attests to this knowledge, hence the surge in its popularity.

Details of the main topics for each domain are given in the CISSP Study Guide, which can be downloaded from the (ISC)2 website. In brief these are:

Security Management Practices: This domain requires knowledge of security policies, organization structure, risk assessment, roles and responsibilities, information classification, personnel security and so on. This may seem routine to a technical person. However, you would be more open to understanding these topics if you acknowledged the fact that security is not the domain of technical personnel alone—it is a responsibility of the entire organization. And you will be responsible for convincing everyone (from top management to end-user) of its importance.

Security Architecture and Models: This is the domain where candidates get a taste of security beyond network security. Many security models and standards are involved. You will need to understand the theoretical basis of the Orange Book and the Common Criteria standards, as well as models like Bell-LaPadula. This is an interesting yet conceptually challenging domain.

Access Control Systems & Methodology: Here, we are again on familiar terrain. Various access control methods have to be studied, including biometrics, PAP, CHAP, RADIUS, single sign-on, methods of attack, penetration testing and intrusion detection.

Application Development Security: This is another slippery domain for networking professionals, but a very essential component of security. We have to study application security issues such as Java and ActiveX controls, database security, data warehousing and data mining security, malicious code and methods of attack, and various application development security issues.

Operations Security: This is one of those deceptively simple domains, where, like the security management practices domain, everything looks like common sense. The areas covered here are documenting operating procedures, segregation of duties, media management, administrative management, operations controls like input control, output control, auditing and so on. If you try to answer the questions based on your experience of operations alone, your answers may be limited in scope. So, be careful about this domain.

Physical Security: Physical security seems very obvious. But this is the domain where most candidates fail. The reason, again, is overconfidence about answering questions using common sense. Are you sure you know enough about adequate lighting for premises, or the appropriate height of a fence? Do spend sufficient time preparing for this domain.

Cryptography: This is another domain where a lot of unfamiliar theory has to be covered, especially in the area of symmetric key cryptography.

Telecommunications, Network, & Internet Security: Here we are back to familiar territory. You will have to brush up your concepts on the seven layers of the OSI Model and then study the security issues posed by each layer, as well as the solutions.

Business Continuity Planning: Availability is one of the major requirements for security, the other two being confidentiality and integrity. This domain covers BCP/DRP (Business Continuity Planning/ Disaster Recovery Planning), and requires one to study the traditional steps of Business Continuity, from risk assessment, impact analysis, recovery strategy planning—to implementation, restoration and testing. Most of us do not have much experience of an elaborate BCP, so we have to be careful about this domain.

Law, Investigations, & Ethics: This domain is not about US laws but about universally applicable principles of intellectual property protection, copyright, evidence gathering, investigation methods and incident handling. You should carefully read the (ISC)2 Code of Ethics to answer the questions pertaining to ethics.

Examination structure

The total time allotted for the CISSP examination is six hours. The examination consists of 250 objective-type questions. For each, you have to select the correct answer from four options. In answering each question, you will usually be able to eliminate two options that are obviously incorrect, the 'distractors'. Your real test will be to choose the correct answer from the remaining two options, which will be closely related. At times both may seem to be correct. This is where your conceptual clarity will help you make the right choice.

No domain-wise distribution of questions has been specified, so we do not know the weightage given to individual domains. Your result does not contain the marks you obtained; you are simply declared 'passed'. But if you are unsuccessful, you get domain-wise details and learn which domain(s) you failed. Essentially, this means that you cannot skip any domain. You have to study everything.

Preparation for the CISSP examination

With the requirement of a minimum of four years' experience, we can safely assume that you have a basic understanding of the information security field, and expertise in a few domains. Most likely, you are a networking professional with a good understanding of the security requirements of networking. But you may not have the same level of knowledge about the other areas. Where does one begin?

Reference books

The CISSP study guide on the (ISC)2 website gives a list of excellent books. Eventually, many of them will form part of your personal library. Some of these books are available as Indian editions. The following books are my favorites; they are affordable and authoritative.

1. Computer Networks, Fourth Edition, Andrew S. Tanenbaum
2. Cryptography and Network Security, William Stallings
3. Building Internet Firewalls, Elizabeth Zwicky
4. Practical Unix & Internet Security, Garfinkel & Spafford
5. TCP/IP Illustrated, Volume 1, W. Richard Stevens
6. Security Engineering, Ross Anderson
7. Inside Network Perimeter Security, Stephen Northcutt
8. Information Systems Control & Audit, Ron Weber

Another excellent source of study material is the National Institute of Standards and Technology (NIST) publications. The Special Publication 800 (SP 800) series covers almost every topic in the world of security, from physical security to Web security and wireless security—and these are available as free downloads.

Yet another free source is the SANS Reading Room.

Finally, use the popular Google search engine. Just specify the term you are looking for and you'll get a million references.

Just don't get lost in the sea of knowledge.

The popularity of CISSP has also given rise to 'Preparation Guides'. These are condensed knowledge capsules: they give an overview of all the topics, but not an in-depth explanation. You must supplement these books with good technical books.

Question banks

There are a number of Internet sites giving tips about the examination and question banks. The preparation guides also give sample questions. Do make use of these in your preparation. Keep track of the questions you answered wrongly, and attempt them again after a gap to see whether you are still giving wrong answers. If you are, you need to reset your memory and refresh your understanding.

These sample questions do not reflect the actual difficulty level of the CISSP examination; the questions in the exam may be more difficult. So do not get overconfident if you are scoring well on these sample questions.

CISSP Seminars

(ISC)2 conducts official CISSP CBK review seminars worldwide. These seminars are now held in India at a special price for Indian nationals working in India. The instructors for these seminars are selected and trained by (ISC)2. The five-day seminars review the entire CBK material and also include a sample test. This is a good opportunity for those who find self-study difficult and prefer the interactive atmosphere of a seminar. Check the (ISC)2 website for seminar announcements.

Group discussions / Study circles

Form a study group. This will keep you motivated, and you will be able to discuss your doubts with others. You may even allocate topics to different group members and ensure that each teaches the others. I personally found that teaching is the best way to understand a subject. So, volunteer for the most difficult topic. Others may tear you apart in this encounter with a barrage of questions, but you will definitely emerge more knowledgeable. It would help if you are able to rope a CISSP into these groups. You may boost his ego by calling him 'mentor'. Of course, the mentor should be able to spare his time for this purpose.

Study period

Allocate at least six months for preparation, with about 10 to 15 hours of study every week. You may not be able to cover all the topics adequately in less than this period. There is a lot of theory for which you may not have had hands-on experience. Take this opportunity to bring yourself up to date on all the security-related subjects. You will have to maintain the habit of studying even after getting the CISSP certification, by earning 40 CPE (Continuing Professional Education) points each year.

Examination schedule

(ISC)2 conducts examinations in all the metros in India at regular intervals. Keep an eye on the website announcements. You should be able to plan your target examination date well in advance.

Examination Fee

Currently the examination fee is $450, but it will be revised to $499 from 1 January 2004. After passing the examination, you have to pay an annual maintenance fee of $65, along with a statement that you have clocked the 40 CPE hours.

The US dollar price of this certification is a major deterrent, but its global recognition is the reason why people still want to pursue the CISSP examination and certification.

Avinash Kadam is Director, Miel e-Security, Pvt. Ltd. He can be reached at


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.