Introduction

Welcome to CISSP® Exam Cram. The goal of this book is to get you ready to take the Certified Information Systems Security Professional (CISSP) certification exam. Whether this is your first or your fifteenth Exam Cram, you’ll find information here and in Chapter 1 that will ensure your success as you pursue knowledge, experience, and certification. This introduction explains the (ISC)2 certification programs in general and talks about how the Exam Cram series can help you prepare for the CISSP exam. It includes sections covering preparation, how to take an exam, this book’s contents, how this book is organized, and how to contact the author.

Each chapter in this book contains practice questions. This book also provides two practice exams that can help you accurately assess your level of expertise and whether you are ready to take the exam. This book includes answers and explanations for all practice exam and exam preparation questions. I suggest that you study until you can consistently get correct answers on at least 95% on the practice questions and exams in this book before you attempt the real exam.

How to Prepare for the Exam

Preparing for the CISSP exam requires that you obtain and study materials designed to provide comprehensive information about security. In addition to this book, the following sources will help you study and prepare:

  • The (ISC)2 website: www.isc2.org

  • The exam outline available at the (ISC)2 website

One of the best methods to prepare is by setting a target date for taking the exam and then building out a study plan to meet your deadline. One approach is the 80/20 rule: Use 80% of your time reading and 20% of your time taking practice tests or meeting with a study group to review the material. This approach will help you prepare for the CISSP and pass on your first attempt.

Many people have found that forming a study group, attending seminars, and attending a formal training class helped them study for and master the material needed to pass the CISSP exam.

Practice Tests

This book is filled with practice questions to get you ready. Enjoy the following:

  • Review Questions ending each chapter: These questions give you a final pass through the material covered in the chapter.

  • Two full Practice Exams: The Answer Keys for the Practice Exams include explanations and tips for approaching each Practice Exam question.

In addition, the book includes two additional full practice tests in the Pearson Test Prep software available to you either online or as an offline Windows application. To access these practice tests, please see the instructions in the card inserted in the sleeve in the back of the book. This card includes a unique access code that enables you to activate your exams in the Pearson Test Prep software.

If you are interested in more practice exams than are provided with this book, check out the Pearson IT Certification Premium Edition eBook and Practice Test product. In addition to providing you with three eBook files (EPUB, PDF, and Kindle), this product provides you with two additional exams’ worth of questions. The Premium Edition version also offers you a link to the specific section in the book that presents an overview of the topic covered in the question, allowing you to easily refresh your knowledge. The insert card in the back of the book includes a special offer for an 80% discount on this Premium Edition eBook and Practice Test product, which is an incredible deal.

Taking a Certification Exam

To take the CISSP exam, you must register with (ISC)2. The CISSP exam is given at Pearson VUE testing centers. (ISC)2 has implemented regional pricing: For example, as of this writing, registration is $749 in the United States (see https://www.isc2.org/Register-for-Exam/ISC2-Exam-Pricing). Check the Pearson VUE website at www.pearsonvue.com to get specific details.

After you register for the CISSP exam, you will receive a confirmation notice. Some locations may have limited test centers available, so you should schedule your exam in advance to make sure you can get the specific date and time you would like.

Arriving at the Exam Location

For any exam, you should arrive at the testing center early. Be prepared! You will need to bring your confirmation notice and identification. Two forms of ID are usually required, and any photo ID will suffice (for example, driver’s license, green card, passport). The testing center staff requires proof that you are who you say you are and that someone else is not taking the test for you. Arrive early because if you are late, you will be barred from entry and will not receive a refund for the cost of the exam.

ExamAlert

You’ll be spending a considerable amount of time in the exam room. All English versions of the exam use the CISSP Computer Adaptive Test (CISSP-CAT) format. You are given three hours to answer 100 to 150 questions. For non-English versions, a 250-question, non-adaptive six-hour version is used.

In the Testing Center

You will not be allowed to take into the examination room study materials or anything else that could raise suspicion of cheating—including practice test material, books, exam prep guides, or other test aids.

After the Exam

You will get your exam results immediately after you finish taking the exam. If you pass the exam, the screen will simply show that you have passed the exam; you will not receive an exact score. If you do not pass, you will receive a complete breakdown on your score, by domain, so you can see the areas where you need further study.

Retaking a Test

If you fail the exam, you must wait at least 30 days to take it again. During this time, you should especially study the exam domains where you were weak. For example, if you received a 95% score in the Communication and Network Security domain and only 12% in Asset Security, you should focus your studies on the Asset Security domain. In addition, you should invest in some practice tests if you have not already done so. There is much to be said for getting used to a testing format.

Tracking Your CISSP Status

After you pass the CISSP certification exam, you need to attest to the CISSP Code of Ethics and have a security professional who already holds the CISSP certification complete an endorsement form for you. This person must be able to attest to your professional experience and be in good standing with (ISC)2. If you don’t know anyone who is CISSP certified, you can get endorsements from another professional who is certified, licensed, or commissioned as well as an officer of the organization where you are employed. (For more information on endorsement, see the (ISC)2 website.)

To maintain the validity of your CISSP certification, you must get recertified every three years and earn continuing professional education (CPE) credits by attending webinars, writing white papers, and doing other activities that improve your knowledge of information security and help you remain up to date with the security world.

When you earn the CISSP certification, you are recognized as someone who understands IT security and the role of a security leader. It will definitely boost your confidence and help provide greater opportunities to discuss security in a way that leadership will understand.

About This Book

The ideal reader for an Exam Cram book is someone seeking certification. However, an Exam Cram book is an easily readable book that presents many important facts. Therefore, an Exam Cram book is also extremely useful as a quick reference manual.

Most people seeking certification use multiple sources of information. Check out the links at the end of each chapter to get more information about subjects you need to get to know better. You might also seek out security books that describe particular topics in much greater detail. Many have described the CISSP exam as being “a mile wide,” so it is important to understand a wide range of topics.

This book includes a number of helpful elements, such as ExamAlerts, tips, notes, and practice questions to make information easier to read and absorb.

Note

Reading this book from start to finish is not necessary; this book is set up so that you can quickly jump back and forth to find sections you need to study.

Inside the front cover of this book is a tear-out Cram Sheet that provides a lot of exam-critical information in a short space; use it to study and also to remember last-minute facts immediately before the exam. Use the practice questions to test your knowledge. Brush up on specific topics, when needed, referring to the table of contents and the index. Even after you achieve certification, you can use this book as a rapid-access reference manual.

The Chapter Elements

Each Exam Cram book has chapters that follow a predefined structure that makes these books easy to read and provides a familiar format for all Exam Cram books. This book, like other Exam Cram books, includes the following elements in each chapter:

  • Key terms

  • Chapter topics

  • ExamAlerts

  • Notes

  • Tips

  • Sidebars

  • Cautions

  • Exam prep questions and answers

  • A “Need to Know More?” section that provides links to relevant information

Note

Bulleted lists, numbered lists, tables, and graphics are also used where appropriate. A picture can paint a thousand words sometimes, and tables can help associate different elements with each other visually.

Now let’s look at each of the chapter elements in detail:

  • Key terms: Each chapter starts with a list of terms you should understand.

  • Chapter topics: Each chapter follows up the key terms list with a list of topics covered in the chapter. The objective of an Exam Cram book is to cover all the important facts without giving too much detail. When examples are required, they are included.

  • ExamAlerts: ExamAlerts address exam-related information, highlighting content that is particularly important, tricky, or likely to appear on the exam. An ExamAlert looks like this:

ExamAlert

Make sure you look closely at each exam question as reading one word in a question incorrectly may lead you to make an incorrect choice.

  • Notes: Notes typically contain useful information that is not directly related to the topic currently being discussed. To avoid breaking up the flow of the text, notes are set off from the regular text.

Note

The length of the exam will depend on what version you request. The non-English version is 250 questions.

  • Tips: Tips often provide shortcuts or better ways to do things.

Tip

A clipping level is the point at which you set a control to distinguish between activity that should be investigated and activity that should not be investigated.

  • Sidebars: Sidebars, which run beside the main text of a chapter, often describe real-world examples or situations.

  • Cautions: Cautions apply directly to the use of the technology being discussed in the chapter. For example, a caution might point out that the CER is one of the most important items to examine for biometric devices.

Caution

The crossover error rate (CER) is the point at which Type I errors and Type II errors intersect. The lower the CER is, the more accurate the device.

  • Exam prep questions: At the end of each chapter is a list of at least 10 exam practice questions similar to those you will see on the actual exam. The exam prep questions in each chapter are relevant to that chapter, and answers and explanations are provided to help you test your skills and learn more as you read.

  • “Need to Know More?” section: This section at the end of most chapters provides links to relevant sources of information.

Other Book Elements

A number of important elements are provided in this book in addition to the standard chapters:

  • Practice exams: In addition to exam-preparation questions at the end of each chapter, two full practice exams are included with this book.

  • Answers and explanations for practice exams: For each question on each of the practice exams, I provide answers and explanations to help you understand why the correct answer is correct and why the incorrect answers are incorrect.

  • Glossary: The glossary contains a list of important terms used in this book and their definitions.

  • Cram Sheet: The Cram Sheet is a quick-reference, tear-out sheet of important facts that is especially useful for last-minute preparation. The facts on the Cram Sheet are important for the exam, and many of them can be difficult to remember.

  • Companion website: The companion website contains the Pearson IT Certification Practice Test engine, which provides multiple test modes that you can use for exam preparation. The practice exams are designed to appropriately balance the questions over the domains covered by the exam. The practice exams cover the same concepts as the actual exam to ensure that you’re prepared for the exam.

Chapter Contents

The following list provides an overview of the chapters in the book:

  • Chapter 1, “The CISSP Certification Exam”: This chapter introduces exam strategies and considerations.

  • Chapter 2, “Asset Security”: This chapter discusses both physical and logical security and the countermeasures available for protecting an organization’s resources. Key topics include CIA, data classification, scoping and tailoring, and control of an organization’s assets from creation to destruction.

  • Chapter 3, “Security and Risk Management”: This chapter discusses asset management and the protection of critical resources. Quantitative and qualitative risk assessment are two major topics covered in this chapter. You need to understand these concepts in order to assess and measure risk while reducing threats to your organization. Key concepts include the development of compliance requirements, professional ethics, policies, procedures, guidelines, and assorted controls.

  • Chapter 4, “Security Architecture and Engineering”: This chapter discusses key concepts such as computer hardware, operating system design, security models (such as Biba, Bell-LaPadula, and Clark-Wilson), cryptography, and web, mobile, and embedded device vulnerabilities. This chapter also reviews basic physical controls and documentation used to verify, certify, and accredit systems and networks.

  • Chapter 5, “Communication and Network Security”: This chapter discusses telecommunications technology. The OSI model; TCP/IP; network equipment; SD-WAN; LAN, MAN, and WAN protocols; and wireless technologies are just a few of the technologies discussed. This is an expansive domain and covers a lot of information that you need to master.

  • Chapter 6, “Identity and Access Management”: This chapter covers the basics of access control and addresses the three A’s: authentication, authorization, and accountability. It discusses topics such as identification, single sign-on, centralized authentication, and federation.

  • Chapter 7, “Security Assessment and Testing”: This chapter discusses security assessments, ethical hacking, and vulnerability scanning. It also reviews common types of malware and various attack methodologies.

  • Chapter 8, “Security Operations”: This chapter covers operational controls an organization can implement to provide security. This chapter introduces topics such as background checks, dual controls, mandatory vacations, rotation of duties, and auditing.

  • Chapter 9, “Software Development Security”: This chapter discusses databases, the software development lifecycle, and the importance of building security into applications and systems as early as possible during the development process. This chapter also covers project management, malicious code, knowledge-based systems, and application issues.

  • Practice Exam I: This is a full-length practice exam.

  • Answers to Practice Exam I: This element contains the answers and explanations for the first practice exam.

  • Practice Exam II: This is a second full-length practice exam.

  • Answers to Practice Exam II: This element contains the answers and explanations for the second practice exam.

Companion Website

Register this book to get access to the Pearson IT Certification test engine and other study materials, plus additional bonus content. Check this site regularly for new and updated postings written by the author that provide further insight into the more troublesome topics on the exam. Be sure to check the box indicating that you would like to hear from us to receive updates and exclusive discounts on future editions of this product or related products.

To access the companion website, follow these steps:

  1. Go to www.pearsonITcertification.com/register and log in or create a new account.

  2. Enter the ISBN 9780137419555.

  3. Answer the challenge question as proof of purchase.

  4. Click on the “Access Bonus Content” link in the Registered Products section of your account page to be taken to the page where your downloadable content is available.

Please note that many of our companion content files can be very large, especially image and video files.

If you are unable to locate the files for this title by following these steps, please visit www.pearsonITcertification.com/contact and select the Site Problems/Comments option to get help from our customer service representatives.

Accessing the Pearson Test Prep Practice Test Software and Questions

The companion site includes access to the Pearson Test Prep practice test software, which displays and grades a set of exam-realistic multiple-choice questions. Using Pearson Test Prep practice test software, you can either study by going through the questions in Study Mode or take a simulated exam that mimics real exam conditions.

These practice tests are available to you either online or as an offline Windows application. To access the practice exams that were developed with this book, please see the instructions in the card inserted in the sleeve in the back of the book. This card includes a unique activation code that enables you to activate your exams in the Pearson Test Prep software.

Note

The cardboard case in the back of this book includes a piece of paper, which provides the activation code for the practice exam associated with this book. Do not lose the activation code. Also included on the paper is a unique, one-time-use coupon code for the purchase of the Premium Edition eBook and Practice Test.

Accessing the Pearson Test Prep Software Online

The online version of the Pearson Test Prep software can be used on any device with a browser and connectivity to the Internet, including desktop machines, tablets, and smartphones. To start using your practice exams online, simply follow these steps:

  1. Go to https://www.PearsonTestPrep.com.

  2. Select Pearson IT Certification as your product group.

  3. Enter your email address and the password for your account. If you don’t have an account on PearsonITCertification.com, you need to establish one by going to PearsonITCertification.com/join.

  4. In the My Products tab, click the Activate New Product button.

  5. Enter the activation code printed on the insert card in the back of your book to activate your product. The product is then listed in your My Products page.

  6. Click the Exams button to launch the exam settings screen and start the exam.

Accessing the Pearson Test Prep Software Offline

If you wish to study offline, you can download and install the Windows version of the Pearson Test Prep software. You can use the download link for this software on the book’s companion website, or you can just enter this link in your browser: http://www.pearsonitcertification.com/content/downloads/pcpt/engine.zip.

To access the book’s companion website and the software, simply follow these steps:

  1. Register your book by going to PearsonITCertification.com/register and entering the ISBN 9780137419555.

  2. Respond to the challenge questions.

  3. Go to your account page and select the Registered Products tab.

  4. Click on the Access Bonus Content link under the product listing.

  5. Click the Install Pearson Test Prep Desktop Version link in the Practice Exams section of the page to download the software.

  6. When the software finishes downloading, unzip all the files onto your computer.

  7. Double-click the application file to start the installation and follow the onscreen instructions to complete the registration.

  8. When the installation is complete, launch the application and click the Activate Exam button on the My Products tab.

  9. Click the Activate a Product button in the Activate Product Wizard.

  10. Enter the unique activation code from the card in the sleeve in the back of your book and click the Activate button.

  11. Click Next and then click Finish to download the exam data to your application.

  12. To start using the practice exams, select the product and click the Open Exam button to open the exam settings screen.

Note that the offline and online versions will sync together, so saved exams and grade results recorded on one version will be available to you in the other version as well.

Customizing Your Exams

When you are in the exam settings screen, you can choose to take exams in one of three modes:

  • Study mode

  • Practice Exam mode

  • Flash Card mode

Study mode allows you to fully customize an exam and review answers as you are taking the exam. This is typically the mode you use first to assess your knowledge and identify information gaps. Practice Exam mode locks certain customization options in order to present a realistic exam experience. Use this mode when you are preparing to test your exam readiness. Flash Card mode strips out the answers and presents you with only the question stem. This mode is great for late-stage preparation, when you really want to challenge yourself to provide answers without the benefit of seeing multiple-choice options. This mode does not provide the detailed score reports that the other two modes provide, so it is not the best mode for helping you identify knowledge gaps.

In addition to these three modes, you will be able to select the source of your questions. You can choose to take exams that cover all of the chapters, or you can narrow your selection to just a single chapter or the chapters that make up specific parts in the book. All chapters are selected by default. If you want to narrow your focus to individual chapters, simply deselect all the chapters and then select only those on which you wish to focus in the Objectives area.

You can also select the exam banks on which to focus. Each exam bank comes complete with a full exam of questions that cover topics in every chapter. The two exams printed in the book are available to you, as are two additional exams of unique questions. You can have the test engine serve up exams from all four banks or just from one individual bank by selecting the desired banks in the exam bank area.

There are several other customizations you can make to your exam from the exam settings screen, such as the time allowed for taking the exam, the number of questions served up, whether to randomize questions and answers, whether to show the number of correct answers for multiple-answer questions, and whether to serve up only specific types of questions. You can also create custom test banks by selecting only questions that you have marked or questions on which you have added notes.

Updating Your Exams

If you are using the online version of the Pearson Test Prep software, you should always have access to the latest version of the software as well as the exam data. If you are using the Windows desktop version, every time you launch the software, it will check to see if there are any updates to your exam data and automatically download any changes made since the last time you used the software. This requires that you be connected to the Internet at the time you launch the software.

Sometimes, due to a number of factors, the exam data might not fully download when you activate your exam. If you find that figures or exhibits are missing, you might need to manually update your exams.

To update a particular exam you have already activated and downloaded, simply select the Tools tab and click the Update Products button. Again, this is only an issue with the desktop Windows application.

If you wish to check for updates to the Windows desktop version of the Pearson Test Prep exam engine software, simply select the Tools tab and click the Update Application button. Doing so allows you to ensure that you are running the latest version of the software engine.

Contacting the Author

Thank you for selecting my book; I have worked to apply the same concepts in this book that I have used in the hundreds of training classes I have taught. I hope this book provides you with the tools you need to pass the CISSP exam. Feedback is appreciated.

Spend your study time wisely and you can earn CISSP certification. Good luck on the exam!

Assessing Your Readiness for the CISSP Exam

This section helps you understand what’s required to obtain the CISSP certification and evaluate your readiness to take the CISSP certification exam. Are you ready?

Security Professionals in the Real World

Security is growing more important all the time, and the CISSP certification continues to be one of the most sought-after security certifications. Increasing numbers of people are studying for and obtaining CISSP certification. Congratulations on making the decision to follow in their footsteps. If you are willing to tackle the process seriously and do what it takes to obtain the necessary experience and knowledge, you can pass the exam on the first try.

The Ideal CISSP Candidate

The CISSP certification is designed for any individual who is leading, planning, organizing, or controlling the security initiative of an organization. The ideal CISSP candidate is likely to have a four-year college education and have at least five to seven years’ experience in one or more of the eight CISSP domains. The most applicable degree is in computer science or a related field. Exam candidates who do not have a four-year college degree must have a minimum of five years of direct full-time security work experience in two or more of the eight domains. (The complete list of approved certifications can be found at www.isc2.org/credential_waiver/default.aspx.)

Don’t be lulled into thinking that the CISSP exam is an easy test. Some words of caution are in order:

  • The CISSP exam requires the candidate to absorb a substantial amount of material. Both the adaptive exam and the fixed-form exam are considered quite challenging.

  • The pass mark is set high, at 700 points out of 1,000. The individual questions are weighted so that harder questions are worth more than easier ones.

  • Most of the individuals attempting the exam are familiar with one to three of the eight domains covered on the CISSP exam. Studying for the exam can be overwhelming because there is a lot of material to cover. This book can help you identify and remediate the areas in which you are weak.

  • To be eligible for the CISSP exam, students are required to have five years of experience or four years of experience and a college degree.

Put Yourself to the Test

This section prompts you to answer some simple questions to better understand how much work and effort you need to invest to pass the CISSP certification exam. The experience and education you have will dictate how difficult it will be for you to pass the exam.

From the beginning, two things should be clear:

  • Any educational background in computer science will be helpful, as will other IT certifications you have achieved.

  • Hands-on actual experience is not only essential but required to obtain CISSP certification.

Your Educational Background

Be honest in your answers to the following questions, or you will end up wasting around $700 on an exam you were not ready to take:

  • Do you have a computer science degree?

    If you have a computer science degree and some fairly sophisticated computer skills, you should have some good basic knowledge needed for three or more of the eight domains. Subject areas such as application development, networking, and database design are a great help.

  • Did you attend some type of technical school or week-long CISSP course?

    This question applies to low-level or short-term computer courses, many of which are extremely basic or focused in one particular area. Although the CISSP exam is not platform specific, training classes focused on networking, security, hacking, or database design will help you pass the exam.

  • Have you developed any security policies, performed security audits, performed penetration tests, or developed response plans?

    If yes, you will probably be able to handle about half of the CISSP exam domains.

  • Do you have a photographic memory?

    If yes, you might have a slim chance of passing simply by reading this book, taking some practice exams, and using the Internet to brush up on the subjects you are weak in. However, the goal here is to gain a real understanding of the material. As a security professional, you might be asked to lead, plan, organize, or control your organization’s security operations, and to do so, you’ll need a real understanding of how the various technologies and techniques work. Don’t cheat yourself or gamble with your career.

The education and requirements given here are by no means absolute. Still, an education can give you a very good grounding in any endeavor; the higher the level of education, the better.

Testing Your Exam Readiness

Whether you attend a training class, form a study group, or study on your own, preparing for the CISSP exam is essential. The exam will cost you more than $700, depending on where you are located, and you’ll want to do everything you can to make sure you pass on the first try. Reading, studying, and taking practice exams are the best ways to increase your readiness. Remember that two full-length practice exams are provided with this book. Practice exams help in two main ways:

  • They highlight weak spots for further study.

  • They help you get familiar with the question format. Practicing the questions the way they are asked can help enormously on exam day.

After the Exam

As mentioned earlier in this introduction, after you have passed the exam, you need to earn CPE credits each year to maintain your certification. Your certification will come up for renewal every three years, at which point you’ll need to obtain 120 CPE credits or retake the exam. Retaking the exam is not a popular choice. These are some ways to gain CPE credits to keep your certification current:

  • Write a book.

  • Read a book. (Only one per year can be used for credit.) This will give you a couple of credits—but not enough to keep your certification current.

  • Do volunteer work that is approved by (ISC)2. When you are certified, you can log on to the (ISC)2 website for more information on volunteer work.

  • Attend a training class. Just about any type of technology training class is accepted, as long as it is tied to one of the CISSP domains.

  • Teach a training class.

  • Attend a college-level security class.

As you can see, the goal here is to help you stay current with changing technology.

Chapter 1, “The CISSP Certification Exam,” provides more information about how the exam is structured and describes some effective test-taking strategies.
