Chapter 1. The CISSP Certification

This chapter covers the following topics:

The goals of the CISSP certification: A description of its sponsoring bodies and the stated goals of the certification

The value of the CISSP certification: An examination of the career and business drivers that comprise the value of the certification

The Common Body of Knowledge: The ten domains of information that make up the topics covered in the certification

Steps to becoming a CISSP: The process involved in achieving the CISSP certification

The Certified Information Systems Security Professional (CISSP) is one of the most respected and sought-after security certifications available today. It is a globally recognized credential that demonstrates that the holder has knowledge and skills across a broad range of security topics.

As the number of security threats to organizations grows and the nature of these threats broadens, companies large and small have realized that security can no longer be an afterthought. It must be built into the DNA of the enterprise to be successful. This requires trained professionals who are versed not only in technology security but in all aspects of security. It also requires a holistic approach to protecting the enterprise.

In today’s world, security is no longer a one-size-fits-all proposition. The CISSP credential is a way security professionals can demonstrate the ability to design, implement, and maintain the correct security posture for an organization based on the complex environments in which today’s organizations exist.

The Goals of the CISSP Certification

The CISSP certification is created and managed by one of the most prestigious security organizations in the world and has a number of stated goals. Although not critical for passing the exam, having knowledge of the organization and of these goals is helpful in understanding the motivation behind the creation of the exam.

Sponsoring Bodies

The CISSP is created and maintained by the International Information Systems Security Certification Consortium (ISC)2. The (ISC)2 is a global not-for-profit organization that provides both a vendor-neutral certification process and supporting educational materials.

The CISSP is one of a number of security-related certifications offered by (ISC)2. Other certifications offered by this organization include the following:

• Systems Security Certified Practitioner (SSCP)

• Certified Authorization Professional (CAP)

• Certified Secure Software Lifecycle Professional (CSSLP)

Several additional versions of the CISSP are offered that focus on particular areas. These include:

• CISSP-Information Systems Security Architecture Professional (CISSP-ISSAP)

• CISSP-Information Systems Security Engineering Professional (CISSP-ISSEP)

• CISSP-Information Systems Security Management Professional (CISSP-ISSMP)

(ISC)2 derives some of its prestige from the fact that it was the first security certification body to meet the requirements set forth by the ANSI/ISO/IEC Standard 17024, a global benchmark for personnel certification. This ensures that certifications offered by this organization are both highly respected and sought after.

Stated Goals

The goal of (ISC)2, operating through its administration of the CISSP certification, is to provide a reliable instrument to measure an individual’s knowledge of security. This knowledge is not limited to technology issues alone, but to all aspects of security that face an organization.

In that regard, the topics are technically shallower than those tested by some other security certifications, while covering a much wider range of issues than those same certifications. Later in this chapter the topics that comprise the 10 domains of knowledge are covered in detail; it is a wide range of topics. This vast breadth of knowledge and the experience needed to pass the exam are what set the CISSP certification apart.

The Value of the CISSP Certification

The CISSP certification holds value for both the exam candidate and the enterprise. This certification is routinely in the top 10 of yearly lists that rank the relative demand for various IT certifications.

To the Security Professional

There are numerous reasons why a security professional would spend the time and effort required to achieve this credential:

• To meet growing demand for security professionals

• To become more marketable in an increasingly competitive job market

• To enhance skills in a current job

• To qualify for or compete more successfully for a promotion

• To increase one’s salary

In short, this certification demonstrates that the holder not only has the knowledge and skills tested in the exam, but also that the candidate has the wherewithal to plan and implement a study plan that addresses an unusually broad range of security topics.

To the Enterprise

For the organization, the CISSP certification offers a reliable benchmark against which job candidates can be measured, because it validates both knowledge and experience. Candidates who successfully pass the rigorous exam are required to submit documentation verifying experience in the security field. Individuals holding this certification will stand out from the rest, not only making the hiring process easier but also adding a level of confidence in the final hire.

The Common Body of Knowledge

The material contained in the CISSP is divided into 10 domains, which comprise what is known as the Common Body of Knowledge. This book devotes a chapter to each of these domains. Some overlap between the domains is inevitable, so some topics appear in more than one chapter; the topics covered in each chapter are described next.

Access Control

The access control domain covers aspects of controlling access to information, including the identification of security principals. Topics include:

• Access control concepts

• Access control types and techniques

• Access control models

• Access control administration and monitoring

• Access control attacks

• Access control review and auditing

• Access control lifecycle

Telecommunications and Network Security

The telecommunications and network security domain focuses on protecting data in transit and securing the underlying networks over which the data travels. Topics include:

• OSI and TCP/IP model

• Network topologies and technologies

• Network protocols and services

• Network routing

• WAN and remote connection technologies

• Wireless networks

• Secure network design

• Network device security

• Protecting communication channels

• Network attack methods

Information Security Governance and Risk Management

The information security governance and risk management domain addresses the processes involved in developing security policies and their constituent procedures, standards, and guidelines. Topics include:

• Security governance and risk management concepts

• Security frameworks and methods

• Risk assessment and management

• Alignment of security goals to business processes

• Compliance with industry regulations and legal obligations

• Management of the information life cycle

• Integration of third-party governance

• Personnel security

• Security training and awareness

• Security budgeting and assessment

Software Development Security

The software development security domain explores the software development life cycle and development best practices. The topics include:

• System and software development life cycle

• Change management

• Software development methods

• Security control in the software environment

• Assessment of software security

• Software threats

Cryptography

The cryptography domain discusses maintaining the confidentiality of data, both in transit and at rest. Topics include:

• Cryptography concepts

• The role of cryptography in information security

• The cryptographic lifecycle

• Cryptography methods

• Encryption system types

• The role of a public key infrastructure (PKI)

• Key management processes

• The relationship between digital signatures and non-repudiation

• E-mail and Internet security

• Methods of crypto-analytic attacks

Security Architecture and Design

The security architecture and design domain covers design models and the proper alignment of these models to support an organization’s strategic objectives. The topics include:

• Security models and their respective fundamental concepts

• Security modes

• Security evaluation models

• Current capabilities of information systems

• Vulnerabilities of security architectures

• Software-based attacks

• Countermeasures

Operations Security

The operations security domain surveys the execution of security measures and maintenance of proper security posture. Topics include:

• Principle of secure operations control

• Resource protection

• Operations processes, including incident response, patch management, and change control

• Attack prevention and mitigation

• Maintaining availability

Business Continuity and Disaster Recovery Planning

The business continuity and disaster recovery planning domain describes the processes involved in maintaining business livelihood during incidents both large and small. Topics include:

• Identification of requirements for business continuity

• Development and execution of a business impact analysis

• Recovery strategies

• Critical teams and duties

• Disaster preparedness and recovery

Legal, Regulations, Investigations, and Compliance

The legal, regulations, investigations, and compliance domain focuses on aligning security policies to the increasing number of regulations and legal requirements facing organizations today. Topics include:

• Computer crime concepts

• Major legal systems

• Intellectual property law

• Legal issues pertaining to integration law and the transfer of data

• Professional ethics prescribed by the (ISC)2

• Procedures and roles that support successful investigations

• Forensic procedures

• Evidence

• Proper auditing and reporting

• Security issues involved in contracts and the procurement process

Physical and Environmental Security

The physical and environmental security domain addresses processes designed to physically protect all assets, including people, devices, facilities, and support systems. Topics include:

• Threats to physical and environmental security

• Site and facility design issues impacting security

• Network perimeter security

• Internal physical security

• Environmental security

• Equipment security

• Facility security

• Secure device placement

• Personnel privacy and safety

Steps to Becoming a CISSP

To become a CISSP, certain prerequisites must be met and procedures followed. This final section covers those topics.

Qualifying for the Exam

Candidates must have a minimum of five years of direct full-time professional security work experience in two or more of the ten domains in the Common Body of Knowledge. You may receive a one-year experience waiver with a four-year college degree or additional credential from the approved list, available at the (ISC)2 website, thus requiring four years of direct full-time professional security work experience in two or more of the ten domains of the CISSP.

If you lack this experience you can become an Associate of (ISC)2 by successfully passing the CISSP exam. You’ll then have six years to earn your experience to become a CISSP.

Signing Up for the Exam

The steps required to sign up for the CISSP are as follows:

• Complete the exam registration form that is found at the site www.isc2.org. Send this form in to (ISC)2.

• Supply work history as well as documents for the necessary educational requirements (see the section “Qualifying for the Exam”).

• Sign the Codes of Ethics form indicating you will abide by the code.

• Provide payment and indicate the exam site and date. The locations and dates can be found at www.isc2.org.

About the CISSP Exam

The CISSP exam is a paper-based test that the candidate can spend up to 4 hours completing. There are no formal breaks. You are allowed to bring a snack and eat it at the back of the test room, but any time used for that will count toward the 4 hours. You must bring a government-issued identification card; no other forms of ID will be accepted.

The test consists of 250 items with 4 choices per item. Some of the items are unscored research items, and these are not identified to the candidate. The passing grade is 700 out of a possible 1000. Results will be released via e-mail within 4 to 6 weeks.
