Introduction

Welcome to CISSP^® Exam Cram! This book covers the CISSP certification exam. Whether this is your first or your fifteenth Exam Cram, you’ll find information here and in Chapter 1 that will ensure your success as you pursue knowledge, experience, and certification. This introduction explains the ISC² certification programs in general and talks about how the Exam Cram series can help you prepare for the CISSP exam.

This book is one of the Exam Cram series of books and will help by getting you on your way to becoming an ISC² Certified Information Systems Security Professional (CISSP).

This introduction discusses the basics of the CISSP exam. Included are sections covering preparation, how to take an exam, a description of this book’s contents, how this book is organized, and, finally, author contact information.

Each chapter in this book contains practice questions. There are also two full-length practice exams at the end of the book. Practice exams in this book should provide an accurate assessment of the level of expertise you need to obtain to pass the test. Answers and explanations are included for all test questions. It is best to obtain a level of understanding equivalent to a consistent pass rate of at least 95% on the practice questions and exams in this book before you attempt the real exam.

Let’s begin by looking at preparation for the exam.

The ISC² website at www.isc2.org

The exam outline available at the ISC² website

Many people form study groups, attend seminars, and attend training classes to help them study for and master the material needed to pass the CISSP exam.

They help you diagnose areas of weakness.

They are useful for getting used to the format of questions.

They help you to decide when you are ready to take the exam.

This book contains questions at the end of each chapter and includes two full-length practice tests. However, if you still want more, a related Exam Cram CISSP Practice Questions book has more than 500 additional questions. Many other companies provide CISSP certification practice tests, flash cards, and aids as well.

After you register, you will receive a confirmation notice. Some locations may have limited test centers available, which means that you should schedule your exam in advance to make sure you can get the specific date and time you would like.

When you pass the exam, you will next be required to complete an endorsement form. The endorsement form must be completed by someone who can attest to your professional experience and who is an active CISSP in good standing. If you don’t know anyone who is CISSP-certified, ISC² allows endorsements from other professionals who are certified, licensed, or commissioned, and an officer of the corporation where you are employed. You can review complete information on the endorsement form at the ISC² website.

Most people seeking certification use multiple sources of information. Check out the links at the end of each chapter to get more information about subjects you’re weak in. Various security books from retailers also describe the topics in this book in much greater detail. Don’t forget that many have described the CISSP exam as being a “mile wide.”

This book includes other helpful elements in addition to the actual logical, step-by-step learning progression of the chapters themselves. Exam Cram books use elements such as exam alerts, tips, notes, and practice questions to make information easier to read and absorb.

Use the Cram Sheet to remember last-minute facts immediately before the exam. Use the practice questions to test your knowledge. You can always brush up on specific topics in detail by referring to the table of contents and the index. Even after you achieve certification, you can use this book as a rapid-access reference manual.

Opening hotlists

Chapter topics

Exam Alerts

Notes

Tips

Sidebars

Cautions

Exam preparation practice questions and answers

A “Need to Know More?” section at the end of each chapter

Now let’s look at each of the elements in detail.

Opening hotlists—The start of every chapter contains a list of terms you should understand. A second hotlist identifies all the techniques and skills covered in the chapter.

Chapter topics—Each chapter contains details of all subject matter listed in the table of contents for that particular chapter. The objective of an Exam Cram book is to cover all the important facts without giving too much detail; it is an exam cram. When examples are required, they are included.

Exam Alerts—Exam Alerts address exam-specific, exam-related information. An Exam Alert addresses content that is particularly important, tricky, or likely to appear on the exam. An Exam Alert looks like this:

Notes—Notes typically contain useful information that is not directly related to the current topic under consideration. To avoid breaking up the flow of the text, they are set off from the regular text.

Tips—Tips often provide shortcuts or better ways to do things.

Sidebars—Sidebars are longer and run beside the text. They often describe real-world examples or situations.

Cautions—Cautions apply directly to the use of the technology being discussed in the Exam Cram. For example, a Caution might point out that the CER is one of the most important items to examine when examining biometric devices.

Exam preparation practice questions—At the end of every chapter is a list of at least 10 exam practice questions similar to those in the actual exam. Each chapter contains a list of questions relevant to that chapter, including answers and explanations. Test your skills as you read.

“Need to Know More?” section—This section at the end of each chapter describes other relevant sources of information. With respect to this chapter, the best place to look for CISSP certification information is at the ISC² website, www.ISC2.org.

Practice exams—In addition to exam-preparation questions at the end of each chapter, two full practice exams are included at the end of the book.

Answers and explanations for practice exams—These follow each practice exam, providing answers and explanations to the questions in the exams.

Glossary—The glossary contains a listing of important terms used in this book with explanations.

Cram Sheet—The Cram Sheet is a quick-reference, tear-out cardboard sheet of important facts useful for last-minute preparation. Cram Sheets often include a simple summary of facts that are most difficult to remember.

Companion website—The companion website contains the Pearson IT Certification Practice Test engine, which provides multiple test modes that you can use for exam preparation. The practice tests are designed to appropriately balance the questions over each technical area (domain) covered by the exam. All concepts from the actual exam are covered thoroughly to ensure you’re prepared for the exam.

Chapter 1, “The CISSP Certification Exam”—This chapter introduces exam strategies and considerations.

Chapter 2, “Logical Asset Security”—This chapter discusses logical security and the countermeasures available for protecting an organization’s resources. Key topics include CIA, data classification, and control of an organization’s assets from creation to destruction.

Chapter 3, “Physical Asset Security”—This chapter discusses physical security and the importance of providing physical protection for an organization’s resources. Physical security plays a key role in securing an organization’s assets. Without effective physical security, there can be no effective security structure at all.

Chapter 4, “Security and Risk Management”—This chapter discusses asset management and the protection of critical resources. Quantitative and qualitative risk assessment are two major topics of this chapter. Readers must understand how these concepts are used to assess and measure risk while reducing threats to the organization. Key concepts include the development of policies, procedures, guidelines, and assorted controls.

Chapter 5, “Security Engineering”—This chapter discusses key concepts such as computer hardware, operating system design, security models (Biba, Bell-LaPadula, Clark-Wilson, etc.) and documentation used to verify, certify, and accredit systems and networks.

Chapter 6, “The Application and Use of Cryptography”—This chapter discusses the methods and systems used to encrypt and protect data. Symmetric, asymmetric, and hashing algorithms are introduced, along with PKI and cryptographic methods of attack.

Chapter 7, “Communication and Network Security”—This chapter discusses telecommunication technology. Items such as the OSI model, TCP/IP, network equipment, LAN, MAN, and WAN protocols, and wireless technologies are just a few of the technologies discussed. This is an expansive domain and covers a lot of information for the CISSP candidate to master.

Chapter 8, “Identity and Access Management”—This chapter covers the basics of access control. It addresses the three A’s: authentication, authorization, and accountability. Items like identification, single sign-on, centralized authentication, and federation are discussed.

Chapter 9, “Security Assessment and Testing”—This chapter discusses security assessments, ethical hacking, and vulnerability scanning. It also reviews common types of malware and various attack methodologies.

Chapter 10, “Security Operations”—This chapter covers operation controls—that is, the types of controls that the organization can implement. Topics such as background checks, dual controls, mandatory vacations, rotation of duties, and auditing are introduced.

Chapter 11, “Software Development Security”—This chapter discusses databases, the system development life cycle, and the importance of building security into applications and systems as early as possible during the development process. Project management is reviewed, as are malicious code, knowledge-based systems, and application issues.

Chapter 12, “Business Continuity Planning”—This chapter covers all the aspects of the BCP process. Although some may discount the importance of this domain, storms, floods, hurricanes, earthquakes, and other natural disasters. should demonstrate the criticality of this domain. This chapter addresses key elements of disaster recovery. One important item is that no demonstrated recovery exists until the business continuity plan has been tested. Exam candidates must understand what is needed to prevent, minimize, and recover from disasters.

Practice Exam I—This is a full-length practice exam.

Answers to Practice Exam I—This element contains the answers and explanations for the first practice exam.

Practice Exam II—This is a second full-length practice exam.

Answers to Practice Exam II—This element contains the answers and explanations for the second practice exam.

To access this companion website, follow the steps below:

1. Go to www.pearsonITcertification.com/register and log in or create a new account.

2. Enter the ISBN: 9780789757142.

3. Answer the challenge question as proof of purchase.

4. Click on the “Access Bonus Content” link in the Registered Products section of your account page, to be taken to the page where your downloadable content is available.

Please note that many of our companion content files can be very large, especially image and video files.

If you are unable to locate the files for this title by following the steps at left, please visit www.pearsonITcertification.com/contact and select the “Site Problems/Comments” option. Our customer service representatives will assist you.

The installation process requires two major steps: installing the software and then activating the exam. The website has a recent copy of the Pearson IT Certification Practice Test engine. The practice exam—the database of exam questions—is not on this site.

Windows 10, Windows 8.1, or Windows 7

Microsoft .NET Framework 4.5 Client

Pentium class 1 GHz processor (or equivalent)

512 MB RAM

650 MB disc space plus 50 MB for each downloaded practice exam

Access to the Internet to register and download exam databases

The software installation process is pretty routine compared to other software installation processes. If you have already installed the Pearson IT Certification Practice Test software from another Pearson product, there is no need for you to reinstall the software. Simply launch the software on your desktop and proceed to activate the practice exam from this book by using the activation code included in the access code card sleeve in the back of the book.

The following steps outline the installation process:

1. Download the exam practice test engine from the companion site.

2. Respond to Windows prompts as with any typical software installation process.

The installation process will give you the option to activate your exam with the activation code supplied on the paper in the cardboard sleeve. This process requires that you establish a Pearson website login. You will need this login in order to activate the exam, so please do register when prompted. If you already have a Pearson website login, there is no need to register again. Just use your existing login.

Step 1: Start the Pearson IT Certification Practice Test software from the Windows Start menu or from your desktop shortcut icon.

Step 2: To activate and download the exam associated with this book, from the My Products or Tools tab, select the Activate button.

Step 3: At the next screen, enter the activation code from the paper inside the cardboard holder in the back of the book. Once entered, click the Activate button.

Step 4: The activation process will download the practice exam. Click Next, and then click Finish.

Once the activation process is completed, the My Products tab should list your new exam. If you do not see the exam, make sure you have selected the My Products tab on the menu. At this point, the software and practice exam are ready to use. Simply select the exam and click the Open Exam button.

To update a particular exam that you have already activated and downloaded, simply select the Tools tab and select the Update Products button. Updating your exams will ensure you have the latest changes and updates to the exam data.

If you wish to check for updates to the Pearson Cert Practice Test exam engine software, simply select the Tools tab and select the Update Application button. This will ensure you are running the latest version of the software engine.

Thank you for selecting my book; I have worked to apply the same concepts in this book that I have used in the hundreds of training classes I have taught. Spend your study time wisely and you, too, can become a CISSP. Good luck on the exam!

Don’t be lulled into thinking that this is an easy test. Some words of caution might be in order:

The CISSP exam requires the candidate to absorb a substantial amount of material. The test is 6 hours long and consists of 225 graded questions. This is longer than typical exams at Microsoft and most other IT vendors.

The pass mark is set high, at 700 points. The individual questions are weighted, which means that harder questions are worth more than easier ones.

Most of the individuals attempting the exam are familiar with one to three of the domains. This means that studying for the exam can be overwhelming because there is so much material to cover. This book can help by guiding you to the areas in which you are weak or strong.

To be eligible for the CISSP exam, students are required to have five years of experience, or four years of experience and a college degree.

Any educational background in computer science will be helpful, as will other IT certifications you have achieved.

Hands-on actual experience is not only essential, but also required to obtain this certification.

You’ll have a good basic knowledge needed for three or more of the eight domains, assuming that you finished your degree and your schooling and have some fairly sophisticated computer skills. Subject areas such as application development, networking, and database design are a great help.

Did you attend some type of technical school or week-long CISSP course?

This question applies to low-level or short-term computer courses. Many of these courses are extremely basic or focused in one particular area. Although the CISSP exam is not platform-specific, training classes that focused on networking, security, hacking, or database design will help you pass the exam.

Have you developed any security policies, performed security audits, performed penetration tests, or developed response plans?

If yes, you will probably be able to handle about half of the CISSP exam domains.

Do you have a photographic memory?

If yes, you might have a slim chance of passing simply by reading this book, taking some practice exams, and using the Internet to brush up on the subjects you are weak in. However, the goal here is to gain a real understanding of the material. As a CISSP, you might be asked to lead, plan, organize, or control your organization’s security operations; if that happens, you’ll need a real understanding of how the various technologies and techniques work. Don’t cheat yourself or gamble with your career.

Again, the education and requirements given here are by no means absolute. Still, an education can give you a very good grounding in any endeavor—the higher the level of education, the better.

Practice exams highlight weak spots for further study.

Practice exams give you a general perspective on the question format. Practicing the questions the way they are asked can help enormously on the actual testing day.

Two full-length practice exams are provided with this book. Que also publishes a second book, CISSP Practice Questions Exam, with more than 500 practice CISSP test questions; it is an excellent supplement to this book.

Write a book.

Read a book. (Only one per year can be used for credit.) This will give you a couple of credits, but not enough to keep your certification current.

Do volunteer work that is approved by ISC². When you are certified, you can log on to the ISC² website for more information. A variety of volunteer work is available.

Attend a training class. Just about any type of technology training class is accepted as long as it is tied to one of the domains.

Teach a training class.

Attend a college-level security class.

As you can see, the goal here is to help you stay current. As technology changes, we all must continue to learn to keep up the pace.

Now that we have covered some of the ways in which to assess your exam readiness, let’s move on to Chapter 1, “The CISSP Certification Exam,” where you will learn more about how the exam is structured and some effective test-taking strategies.