Chapter 1

(ISC)2 and the CISSP Certification

IN THIS CHAPTER

check Learning about (ISC)2 and the CISSP certification

check Understanding CISSP certification requirements

check Developing a study plan

check Registering for the exam

check Taking the CISSP exam

check Getting your exam results

In this chapter, you get to know the (ISC)2 and learn about the CISSP certification including professional requirements, how to study for the exam, how to get registered, what to expect during the exam, and of course, what to expect after you pass the CISSP exam!

About (ISC)2 and the CISSP Certification

The International Information System Security Certification Consortium (ISC)2 (www.isc2.org) was established in 1989 as a not-for-profit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.

The CISSP was the first information security credential to be accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024 standard. This international standard helps to ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate’s competence for the certification. This process helps a certification gain industry acceptance and credibility as more than just a marketing tool for certain vendor-specific certifications (a widespread criticism that has diminished the popularity of many vendor certifications over the years).

technicalstuff The ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.

The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)2 and defined through eight distinct domains:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

You Must Be This Tall to Ride This Ride (and Other Requirements)

The CISSP candidate must have a minimum of five cumulative years of professional (paid), full-time, direct work experience in two or more of the domains listed in the preceding section. The work experience requirement is a hands-on one — you can’t satisfy the requirement by just having “information security” listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly. Some examples of full-time information security roles that might satisfy the work experience requirement include (but aren’t limited to)

  • Security Analyst
  • Security Architect
  • Security Auditor
  • Security Consultant
  • Security Engineer
  • Security Manager

Examples of information technology roles for which you can gain partial credit for security work experience include (but aren’t limited to)

  • Systems Administrator
  • Network Administrator
  • Database Administrator
  • Software Developer

For any of these preceding job titles, your particular work experience might result in you spending some of your time (say, 25 percent) doing security-related tasks. This is perfectly legitimate for security work experience. For example, five years as a systems administrator, spending a quarter of your time doing security-related tasks, earns you 1.25 years of security experience.

Furthermore, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:

  • A four-year college degree (or regional equivalent)
  • An advanced degree in information security from a U.S. National Centers of Academic Excellence in Cyber Defense (CAE-CD)
  • A credential that appears on the (ISC)2-approved list, which includes more than 45 technical and professional certifications, such as various SANS GIAC certifications, Cisco and Microsoft certifications, and CompTIA Security+ (For the complete list, go to www.isc2.org/Certifications/CISSP/Prerequisite-Pathway).

See Chapter 2 to learn more about relevant certifications on the (ISC)2-approved list for an experience waiver.

tip In the U.S., CAE-CD programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense.

Preparing for the Exam

Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or online training environment, (ISC)2 offers CISSP training seminars.

We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of two hours a day for 60 days. If you’re a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day — and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this study out over a six-month period for two hours a day. Consider, however, that committing to six months of intense study is much harder (on you, as well as your family and friends) than two months. In the end, you’ll likely find yourself studying only as much as you would have in a 60-day period anyway.

Studying on your own

Self-study might include books and study references, a study group, and practice exams.

Begin by downloading the free official CISSP Certification Exam Outline from the (ISC)2 website at www.isc2.org/exam-outline. This booklet provides a good basic outline of the exam and the subjects on which you’ll be tested.

Next, read this (ISC)2-approved book and review the online practice at www.dummies.com (see the Introduction for more information). CISSP For Dummies is written to provide a thorough and essential review of all the topics covered on the CISSP exam. Then, read any additional study resources you can to further your knowledge and reinforce your understanding of the exam topics. You can find several excellent study resources in the official CISSP Certification Exam Outline and online at www.cccure.org and http://resources.infosecinstitute.com. Finally, rinse and repeat: Do another quick read of CISSP For Dummies as a final review before you take the actual CISSP exam.

warning Don’t rely on CISSP For Dummies (as awesome and comprehensive as it is!), or any other book — no matter how thick it is — as your single resource to prepare for the CISSP exam.

Joining a study group can help you stay focused and also provide a wealth of information from the broad perspectives and experiences of other security professionals. It’s also an excellent networking opportunity (the talking-to-real-people type of network, not the TCP/IP type of network)! Study groups or forums can be hosted online or at a local venue. Find a group that you’re comfortable with and that is flexible enough to accommodate your schedule and study needs. Or create your own study group!

Finally, answer lots of practice exam questions. There are many resources available for CISSP practice exam questions. Some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don’t despair! The repetition of practice questions helps reinforce important information that you need to know in order to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Start with the online practice at www.dummies.com (see the Introduction for more information), and try the practice questions at Clément Dupuis and Nathalie Lambert’s CCCure website (www.cccure.org).

warning No practice exams exactly duplicate the CISSP exam (and forget about brain dumps — using or contributing to brain dumps is unethical and is a violation of the (ISC)2 non-disclosure agreement which could result in losing your CISSP certification permanently).

Getting hands-on experience

Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities while you prepare for the CISSP exam.

For example, if you’re weak in networking or applications development, talk to the networking group or developers in your company. They may be able to show you a few things that can help make sense of the volumes of information that you’re trying to digest.

tip Your company or organization should have a security policy that’s readily available to its employees. Get a copy and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn’t have a security policy, perhaps now is a good time for you to educate management about issues of due care and due diligence as they relate to information security. For example, review your company’s plans for business continuity and disaster recovery. They don’t exist? Perhaps you can lead this initiative to help both you and your company.

Getting official (ISC)2 CISSP training

Classroom-based CISSP training is available as a five-day, eight-hours-a-day seminar led by (ISC)2-Authorized Instructors at (ISC)2 facilities and (ISC)2 Official Training Providers worldwide. Private on-site training is also available, led by (ISC)2-Authorized Instructors, and taught in your office space or a local venue. This is a convenient and cost-effective option if your company is sponsoring your CISSP certification and has ten or more employees taking the CISSP exam. If you generally learn better in a classroom environment or find that you have knowledge or actual experience in only two or three of the domains, you might seriously consider classroom-based training or private on-site training.

If it’s not convenient or practical for you to travel to a seminar, online training seminars provide the benefits of learning from an (ISC)2-Authorized Instructor at your computer. Online training seminars include real-time, instructor-led seminars offered on a variety of schedules with weekday, weekend, and evening options to meet your needs, and access to recorded course sessions for 60 days. Self-paced training is another convenient online option that provides virtual lessons taught by authorized instructors with modular training and interactive study materials. Self-paced online training can be accessed from any web-enabled device for 120 days and is available any time and as often as you need.

You can find information, schedules, and registration forms for official (ISC)2 training at www.isc2.org/Certifications/CISSP.

tip The American Council on Education’s College Credit Recommendation Service (ACE CREDIT) has evaluated and recommended three college credit hours for completing an Official (ISC)2 CISSP Training Seminar. Check with your college or university to find out if these credits can be applied to your degree requirements.

Attending other training courses or study groups

Other reputable organizations offer high-quality training in both classroom and self-study formats. Before signing up and spending your money, we suggest that you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends on the instructor; for this reason, try to find out from others whether the proposed instructor is as helpful as he or she is reported to be.

Many cities have self-study groups, usually run by CISSP volunteers. You may find a study group where you live; or, if you know some CISSPs in your area, you might ask them to help you organize a self-study group.

tip Always confirm the quality of a study course or training seminar before committing your money and time.

Take the practice exam

Practice exams are a great way to get familiar with the types of questions and topics you’ll need to be familiar with for the CISSP exam. Be sure to take advantage of the online practice exam questions that are included with this book (see the Introduction for more information). Although the practice exams don’t simulate the adaptive testing experience, you can simulate a worst-case scenario by configuring the test engine to administer 150 questions (the maximum number of questions you might see on the CISSP exam) with a time limit of three hours (the maximum amount of time you’ll have to complete the CISSP exam). Learn more about computer-adaptive testing for the CISSP exam in the “About the CISSP Examination” section later in this chapter and on the (ISC)2 website at www.isc2.org/Certification/CISSP/CISSP-Cat.

remember To successfully study for the CISSP exam, you need to know your most effective learning styles. “Boot camps” are best for some people, while others learn better over longer periods of time. Furthermore, some people get more value from group discussions, while reading alone works for others. Know thyself, and use what works best for you.

Are you ready for the exam?

Are you ready for the big day? We can’t answer this question for you. You must decide, on the basis of your individual learning factors, study habits, and professional experience, when you’re ready for the exam. Unfortunately, there is no magic formula for determining your chances of success or failure on the CISSP examination.

In general, we recommend a minimum of two months of focused study. Read this book and continue taking the practice exam on the Dummies website until you can consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information you need to know if you want to pass the CISSP examination. Read this book (and reread it) until you’re comfortable with the information presented and can successfully recall and apply it in each of the eight domains. Continue by reviewing other study materials (particularly in your weak areas) and actively participating in an online or local study group and take as many practice exams from as many different sources as possible.

Then, when you feel like you’re ready for the big day, find a romantic spot, take a knee, and — wait, wrong big day! Find a secure Wi-Fi hot spot (or other Internet connection), take a seat, and register for the exam!

Registering for the Exam

The CISSP exam is administered via computer-adaptive testing (CAT) at local Pearson VUE testing centers worldwide. To register for the exam, go to the (ISC)2 website (www.isc2.org/Register-For-Exam) and click the “Register” link, or go directly to the Pearson VUE website (www.pearsonvue.com/isc2).

On the Pearson VUE website, you first need to create an account for yourself; then you can register for the CISSP exam, schedule your test, and pay your testing fee. You can also locate a nearby test center, take a Pearson VUE testing tutorial, practice taking the exam (which you should definitely do if you’ve never taken a CBT), and then download and read the (ISC)2 non-disclosure agreement (NDA).

tip Download and read the (ISC)2 NDA when you register for the exam. Sure, it’s boring legalese, but it isn’t unusual for CISSPs to be called upon to read contracts, license agreements, and other “boring legalese” as part of their information security responsibilities — so get used to it (and also get used to not signing legal documents without actually reading them)! You’re given five minutes to read and accept the agreement at the start of your exam, but why not read the NDA in advance so you can avoid the pressure and distraction on exam day, and simply accept the agreement. If you don’t accept the NDA in the allotted five minutes, your exam will end and you forfeit your exam fees!

When you register, you’re required to quantify your relevant work experience, answer a few questions regarding any criminal history and other potentially disqualifying background information, and agree to abide by the (ISC)2 Code of Ethics.

The current exam fee in the U.S. is $699. You can cancel or re-schedule your exam by contacting Pearson VUE by telephone at least 24 hours in advance of your scheduled exam or online at least 48 hours in advance. The fee to re-schedule is $50. The fee to cancel your exam appointment is $100.

warning If you fail to show up for your exam or you’re more than 15 minutes late for your exam appointment, you’ll forfeit your entire exam fee!

tip Great news! If you’re a U.S. military veteran and are eligible for Montgomery GI Bill or Post-9/11 GI Bill benefits, the Veteran’s Administration (VA) will reimburse you for the full cost of the exam, regardless of whether you pass or fail. In some cases, (ISC)2 Official Training Providers also accept the GI Bill for in-person certification training.

About the CISSP Examination

The CISSP examination itself is a grueling three-hour, 100- to 150-question marathon. To put that into perspective, in three hours, you could run an actual (mini) marathon, watch Gone with the Wind, The Godfather Part II, Titanic, or one of the Lord of the Rings movies, or play “Slow Ride” 45 times on Guitar Hero. Each of these feats, respectively, closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.

The CISSP exam is now an adaptive exam, which means the test changes based on how you’re doing on the exam. The exam starts out relatively easy, and then gets progressively harder as you answer questions correctly. That’s right; The better you do on the exam, the harder it gets — but that’s not a bad thing! Think of it like skipping a grade in school because you’re smarter than the average bear. The CISSP exam assumes that if you can answer harder questions about a given topic, then logically, you can answer easier questions about that same topic, so why waste your time?

You’ll have to answer a minimum of 100 questions. After you’ve answered the minimum number of questions, the testing engine will either conclude the exam if it determines with 95 percent confidence that you’re statistically likely to either pass or fail the exam, or it will continue asking up to a maximum of 150 total questions until it reaches a 95 percent confidence level in either result. If you answer all 150 questions, the testing engine will determine whether you passed or failed based on your answers. If you run out of time (exceed the three-hour time limit) but you’ve answered the minimum number of questions (100), the testing engine will determine whether you passed or failed based on your answers to the questions you completed.

Only 75 percent of the questions on the exam are actually calculated toward your final result. The other 25 percent are trial questions for future versions of the CISSP examination (kind of like being a test “test dummy” — for dummies). However, the exam doesn’t identify which questions are real and which are trial questions, so you’ll have to answer all questions truthfully and honestly and to the best of your ability!

There are three types of questions on the CISSP exam:

  • Multiple-choice. Select the best answer from four possible choices. For example:

    Which of the following is the FTP control channel?

    A TCP port 21

    B UDP port 21

    C TCP port 25

    D IP port 21

    The FTP control channel is port 21, but is it TCP, UDP, or IP?

  • Drag and drop. Drag and drop the correct answer (or answers) from a list of possible answers on the left side of the screen to a box for correct answers on the right side of the screen. For example:

    Which of the following are message authentication algorithms? Drag and drop the correct answers from left to right.

    image

    MD5, SHA-2, and HMAC are all correct. You must drag and drop all three answers to the box on the right for the answer to be correct.

  • Hotspot. Select the object in a diagram that best answers the question. For example:

    Which of the following diagrams depicts a relational database model?

    image

    Click one of the four panels above to select your answer choice.

As described by (ISC)2, you need a scaled score of 700 (out of 1000) or better to pass the examination. All three question types are weighted equally, but not all questions are weighted equally. Harder questions are weighted more heavily than easier questions, so there’s no way to know how many correct answers are required for a passing score. But wait, it gets even better! On the adaptive exam, you no longer get a score when you complete the CISSP exam — you’ll either get a pass or fail result. Think of it like watching a basketball game with no scoreboard — or a boxing match with no indication of the winner until the referee raises the victor’s arm.

tip All questions on the CISSP exam require you to select the best answer (or answers) from the possible choices presented. The correct answer isn’t always a straightforward, clear choice. (ISC)2 goes to great pains to ensure that you really, really know the material.

tip A common and effective test-taking strategy for multiple-choice questions is to carefully read each question and then eliminate any obviously wrong choices. The CISSP examination is no exception.

warning Wrong choices aren’t necessarily obvious on the CISSP examination. You may find a few obviously wrong choices, but they only stand out to someone who has studied thoroughly for the exam.

The Pearson VUE computer-adaptive, three-hour, 100- to 150-question version of the CISSP examination is currently only available in English. If you prefer to take the CISSP exam in Chinese (simplified, the language not the exam), French, German, Japanese, Korean, Portuguese, or Spanish, because that’s your native language (or you don’t speak the language but you really want to challenge yourself), then you’ll have to take a form-based, six-hour, 250-question version of the CISSP exam (what many of us would refer to as the “old school” exam). You’re permitted to bring a foreign language dictionary (non-electronic and non-technical) for the exam, if needed. Testing options are also available for the visually impaired. You need to indicate your preferences when you register for the exam.

After the Examination

In most cases, you’ll receive your unofficial test results at the testing center as soon as you complete your exam, followed by an official email from (ISC)2.

warning In some rare instances, your unofficial results may not be immediately available. (ISC)2 analyzes score data during each testing cycle; if they don’t have enough test results early in the testing cycle, your results could be delayed up to eight weeks.

If, for some reason, you don’t pass the CISSP examination — say, for example, you only read this chapter of CISSP For Dummies — you’ll have to wait 30 days to try again. If that happens, we strongly recommend that you read the rest of this book during those 30 days! If you fail a second time, you’ll have to wait 90 days to try again. If that happens, we most strongly recommend and highly urge you to read the rest of this book — perhaps a few times — during those 90 days! Finally, if you fail on your third attempt, you’ll have to wait 180 days — no more excuses, you definitely need to read, re-read, memorize, comprehend, recite, ingest, and regurgitate this book several times if that happens!

After you earn your CISSP certification, you must remain an (ISC)2 member in good standing and renew your certification every three years. You can renew the CISSP certification by accumulating 120 Continuing Professional Education (CPE) credits or by retaking the CISSP examination. You must earn a minimum of 40 CPE credits during each year of your three-year recertification cycle. You earn CPE credits for various activities, including taking educational courses or attending seminars and security conferences, belonging to association chapters and attending meetings, viewing vendor presentations, completing university or college courses, providing security training, publishing security articles or books, serving on relevant industry boards, taking part in self-study, and doing related volunteer work. You must document your annual CPE activities on the secure (ISC)2 website to receive proper credit. You are also required to pay a U.S. $85 annual maintenance fee, payable to (ISC)2. Maintenance fees are billed in arrears for the preceding year, and you can pay them online, also in the secure members area of the (ISC)2 website.

warning Be sure to be absolutely truthful on your CPE reporting and retain evidence of your training. (ISC)2 audits some CPE submissions.

tip As soon as you receive your certification, register on the (ISC)2 website and provide your contact information. (ISC)2 reminds you of your annual maintenance fee, Board of Directors elections, annual meetings, and events, but only if you maintain your contact info — particularly your email address.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.15.29.119