Wiley CISSP For Dummies 2nd Edition Apr 2007 ISBN 0470124261

CISSP For Dummies, 2nd Edition, by Lawrence Miller and Peter Gregory. John Wiley & Sons, 2007 (434 pages). ISBN: 9780470124260.

Including quick assessments at the beginning of each chapter, a prep test at the end of each chapter, and a full-length practice exam, this guide offers proven test-taking tips and will get you up to speed on the latest changes to the exam.

Table of Contents - CISSP For Dummies, 2nd Edition

 - Certification Basics
 - (ISC)2 and the CISSP Certification
 - Security Architecture and Design

  

Back Cover

Cramming for the CISSP exam? This friendly test-prep guide makes studying a snap! Prepared by two CISSP-certified experts, it gets you up to speed on the latest changes to the exam and gives you proven test-taking tips. You’ll find complete coverage of all ten domains of the (ISC)2 Common Body of Knowledge to help you pass with flying colors.

Discover how to:

 - Register for the exam
 - Develop a study plan
 - Document your security work experience
 - Break down exam questions
 - Prepare for the big day
 - Put your certification to good use

  

About the Authors

Lawrence Miller, CISSP, has worked in systems administration and information security for more than a decade and has earned numerous other certifications throughout that time including MCSE+I, CCNP, SCSA, CNA, A+, Network+, Security+, and i-Net+. He has also received NSA IAM certification training. He is currently working as the Information Technology Operations Manager for a top 100 U.S. law firm. He has previously worked as an internetworking security engineer and a security consultant for service providers and clients in the retail, financial, and manufacturing sectors and served over 13 years in the U.S. Navy as a Chief Petty Officer in various roles including information systems security and “weather guesser.”

Peter H. Gregory, CISA, CISSP, is the author of twelve books on security and technology including Solaris Security, Computer Viruses For Dummies, and Blocking Spam and Spyware For Dummies. Peter is a security strategist at a publicly traded financial management software company located in Redmond, Washington. Prior to this, he held tactical and strategic security positions in large wireless telecommunications organizations. He has also held development and operations positions in casino management systems, banking, government, non-profit organizations, and academia since the late 1970s.

CISSP for Dummies, 2nd Edition by Lawrence Miller and Peter Gregory

CISSP For Dummies®, 2nd Edition. Published by Wiley Publishing, Inc., 111 River Street, Hoboken, NJ 07030-5774

  

  Copyright © 2007 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at

  Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

  For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

  Library of Congress Control Number: 2006939502

  ISBN: 978-0-470-12426-0 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1


Dedication

From Lawrence Miller: To those in all our lives that make it exciting, interesting, and fun, and are there for us when it isn’t.

From Peter H. Gregory: To security professionals everywhere who are trying to do the right thing to protect their organizations’ assets.

Authors’ Acknowledgments

Peter H. Gregory would like to thank Katie Feltman, Senior Acquisitions Editor at Wiley, for her perseverance and patience. Thank you to Mark Enochs, Senior Project Editor at Wiley, for your help, and to Nicole Haims for your thoughtful editing. Thank you, Larry, for agreeing once again to coauthor this book. It’s great as always to work with you on security books.

And finally, heartfelt thanks go to Liz Suto, wherever you are, for getting me into this business over ten years ago when you asked me to do a tech review on your book Informix Online Performance Tuning.

Lawrence Miller would like to thank the folks at Wiley for all of your great work on this project, particularly Katie Feltman, Mark Enochs, and Nicole Haims. Your wonderful efforts helped ensure this 2nd Edition wasn’t just a Brady Bunch Reunion or CHIPS 2000, but rather a thorough and complete update of the 1st Edition that our readers will certainly appreciate. Peter, thank you again for working with me on yet another project and ensuring the same. And again, congratulations are in order for your recent successes, both personal and professional. I look forward to the opportunity to work together again.

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development

Sr. Project Editor: Mark Enochs (Previous Edition: Pat O’Brien)
Sr. Acquisitions Editor: Katie Feltman
Copy Editors: Nicole Haims, Virginia Sanders
Technical Editors: Lawrence Miller, Peter Gregory
Editorial Manager: Leah Cameron
Media Development Specialists: Angela Denny, Kate Jenkins, Steven Kudirka, Kit Malone
Media Project Supervisor: Laura Moss-Hollister
Editorial Assistant: Amanda Foxworth
Sr. Editorial Assistant: Cherie Case
Cartoons: Rich Tennant ( )
Project Coordinator: Heather Kolter
Layout and Graphics: Claudia Bell, Carl Byers
Proofreaders: Aptara, David Faust
Indexer: Aptara
Anniversary Logo Design: Richard Pacifico

Publishing and Editorial for Technology Dummies

Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Acquisitions Director
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies

Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director

Composition Services

Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services

  Cheat Sheet: CISSP For Dummies, 2nd Edition

Months before the test

1. Develop your preparation strategy. Get started by getting all your study aids lined up. CISSP For Dummies belongs on top of the pile.

2. Budget your preparation time. The breadth of the CISSP exam requires that you make time to review every aspect of the exam domains. Chances are you don’t apply every aspect of the CISSP arsenal every day at work, so you can’t count on it being fresh in your mind without reviewing every domain completely from the ground up. You’ll be unpleasantly surprised by what you’ve forgotten if you don’t plan to review.

3. Schedule your exam time and make travel arrangements. The CISSP exam is scheduled frequently at many locations around the world. If necessary, you need to make travel arrangements, hotel arrangements, arrange child care, and actually find an available seat in a scheduled exam. It’s no more expensive to schedule the exam in advance and then reschedule than to pay the full last-minute entry fee, so don’t put off signing up for the exam because your schedule is subject to last-minute work or family needs.

Weeks before the test

1. Schedule your preparation time. There’s enough to review that you have to be completely honest with yourself about your progress. A last-moment cram will be a disaster. Book blocks of time in your schedule for review, and be honest about sticking to your schedule.

2. Study CISSP For Dummies. This book reviews all aspects of the CISSP exam, as well as being packed with test preparation tips.

3. Take practice tests and answer practice questions. Practice questions confront you with gaps in your preparation and get you used to the brain sweat that the CISSP exam demands.

4. Check other resources. If there are any aspects of the CISSP exam domains that you haven’t experienced up close and personal, now is the time to get that exposure.

5. Plan your trip. Don’t count on making a long early-morning drive for an 8 a.m. exam. Make arrangements to get close to the exam site the night before, so that you will have a low-stress trip of just a few minutes to the testing room.

Night before the test

1. Have a nutritious dinner. Avoid spicy and rich foods. Think marathon runner for the day ahead.

2. Double-check your admission and travel plans. Make sure that you know exactly where you need to be, what you need for admission, when you need to be there, and how early you need to leave to arrive with time to spare.

3. Double-check your exam supplies. The CISSP exam is longer than other standard professional exams, and the testing conditions are different. You can bring snacks, beverages, tissues, and other comfort and refreshment items. In our opinion, a big bottle of water is tops on the list. Wear an analog watch; digital watches are forbidden in some testing areas.

4. Review CISSP For Dummies. Once more around the block should get your head on straight. At this point, you should know the book cold.

5. Go to sleep. Stretch out and get ready for an important day.

Day of the exam

1. Dress in layers. The exam room may not be the most comfortable temperature, and your needs may change during the very long exam. Give yourself some flexibility to warm up or cool down.

2. Review CISSP For Dummies. By now, you could write out this book from memory.

3. Head to the exam room, sit down, and listen to the proctor’s instructions. At this point, you should be confident in your preparation, well rested, and ready to test your knowledge and skills. Good luck!

After you leave the exam room

  1. Prepare for a retest. It’s just like the Space Shuttle crew taking time to carefully shut down the bird even when they’re safely on the ground. Take the time immediately to make notes about what you found most difficult about the exam. If you need to retest, those notes are your shortest, most reliable path to follow-up success.

  2. Relax and wait for your results. At this point, there’s nothing left but to enjoy the quiet after the storm. So do it. Hug your family, play with your dog, and be optimistic. You’ve done everything you needed to do, and now you can enjoy the quiet.

  Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, the For Dummies Bestselling Book Series logo and all related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates. All other trademarks are property of their respective owners.

  Copyright © 2007 Wiley Publishing, Inc. All rights reserved. Item 2426-0. For more information about Wiley Publishing, call 1-800-762-2974.

Introduction

  Over the past several years, security practitioners around the world have begun pursuing a now well-known and highly regarded professional credential: the Certified Information Systems Security Professional (CISSP) certification.

  In turn, security-minded companies have been actively seeking individuals who have earned the coveted CISSP certification. It has surpassed the demand for many vendor-sponsored technical certifications and is widely held as the professional standard in the information security field.

About This Book

  Our goals in this book are simple: to help you prepare for and pass the CISSP examination, and to guide you after you earn the certification. Although we’ve stuffed it chock-full of good information, we don’t expect that this book will be a weighty desktop reference on the shelf of every security professional - although we certainly wouldn’t object. And this isn’t the Library of Congress. We don’t intend for this book to be an all-purpose, be-all-to-end-all, one-stop shop with all the answers to life’s great mysteries. Given the broad base of knowledge required for the CISSP certification, we strongly recommend using multiple resources to prepare for the exam. This book will provide you with a road map to the CISSP certification and sufficient information to help you pass the exam. It will not make you a security expert - or help you build pumped-up forearms! As a security professional, you’ll find that earning the CISSP certification is only a beginning. Business and technology, with their associated risks and vulnerabilities, require each of us as security professionals to constantly press forward, consuming vast volumes of knowledge and information in a constant tug of war against the bad guys. Thus, when preparing for your CISSP certification, you should study as much relevant information as your time and resources allow. CISSP For Dummies provides the blueprint for your study effort and gives you some great experience practicing for the test to boot.

How This Book Is Organized

This book is organized into four parts. We cover the (ISC)2 Common Body of Knowledge (CBK) domains in their own part. Although this book’s chapters don’t necessarily have to be read in order, they’re organized according to the CBK domains and follow a somewhat logical progression - as logic dictates!

One part contains the domains of the CBK. A CISSP candidate must have some practical work experience with at least a few of the concepts and technologies that we cover in this part. Taken individually, some of these domains represent a slightly larger part of the actual CISSP exam than others. This is certainly true of the Telecommunications and Network Security domain and the Information Security and Risk Management domain, which are largely introductions to basic security concepts discussed throughout the CBK.

The Part of Tens: The much loved and revered Part of Tens contains four chapters that are more than mere lists. We include information to help you prepare for the CISSP exam and to also help you in your career as a security professional.

Appendixes and Bonus Chapters: You definitely don’t want to skip this part! Appendix A details all the goodies on the CD that accompanies this book; believe us, it’s packed! On the CD you’ll find a test engine and more bonus chapters such as the glossary, but it’s not just any ordinary glossary: The CISSP exam requires you to select the best answer for a given question. You definitely need to know and understand very concise terms and definitions for the exam in order to recognize any obviously wrong answers.

How the Chapters Are Organized

CISSP For Dummies (now in its second edition) is unique in the For Dummies series. Because the CISSP examination covers such a broad base of information, we don’t recommend skipping any of the material in this book. The information presented in some of the chapters may be familiar to you or easier to understand than others, but we still recommend at least a quick, cursory read of those chapters. For this reason, we don’t include a quick assessment test at the beginning of each chapter as in other For Dummies certification books. Instead, we chose to pack this book with as much useful information as possible to help you succeed in your quest for the CISSP certification.

the domain covered therein. You also find a list of chapter objectives that closely correlates to the CISSP knowledge objectives for that domain.

Study subjects

  In the heart of each CISSP domain chapter, we extensively cover the knowledge objectives listed in the CISSP CBK. These chapters provide the relevant information for the CISSP exam with enough detail to place the information into proper context.

Tables and illustrations

  To be helpful to you in your study, we provide tables and illustrations of important information or concepts whenever we can. However, because CISSP is a vendor-neutral certification, don’t expect to find screen captures or simulation-type graphics. More room for good, old-fashioned information!

Prep Tests

Finally, we conclude each CISSP domain chapter with a quick, 10-question multiple-choice Prep Test. Note: The prep tests at the end of each of these chapters are not the type of questions that you find on the actual CISSP examination. (See the CD-ROM for sample questions similar to those found on the CISSP exam.) Instead, the prep tests are meant to help you recall important information that we present in the chapter to help you answer questions on the actual exam.

Icons Used in This Book

  Throughout this book, you note little icons in the left margin that act as road signs to help you quickly pull out the stuff that’s most important to you. Here’s what they look like and what they represent.

  

Instant Answer: Instant Answer icons highlight important information to help you answer questions on the actual exam. To succeed on the CISSP exam, look for these icons to highlight critical points.

Remember: Information tagged with a Remember icon identifies general information and core concepts that you may already know but should certainly understand and review before the CISSP exam.

Tip: Tip icons include short suggestions and tidbits of useful information.

Warning: Look for Warning icons to identify potential pitfalls, including easily confused or difficult-to-understand terms and concepts.

Cross-Reference: These icons point you toward other places in the book for more information on a particular subject.

Technical Stuff: These icons break down jargon and complicated topics into common terms.

Let’s Get Started!

Congratulations! You made it through the introduction to CISSP For Dummies. You’re now in the proper mental state for mass absorption of knowledge, and well on your way to becoming a Certified Information Systems Security Professional! Actually, this is only the beginning. But remember, a journey of a thousand miles begins with a heavy dose of caffeine and processed sugar, so pick your favorite and get started!

Part I: Certification Basics

 - Putting Your Certification to Good Use

In this part . . .

(ISC)2? CBK? CISSP? No, they’re not droids in a new Star Wars movie. The chapters in this part describe the “who, what, when, where, how, and why” of the CISSP certification, as well as the “now what?” and the subject areas tested.

Overview

  Some say that the Certified Information Systems Security Professional (CISSP) candidate requires a breadth of knowledge 50 miles across and 2 inches deep. To embellish on this statement, we believe that the CISSP candidate is more like the Great Wall of China, with a knowledge base extending over 3,500 miles, with a few holes here and there, stronger in some areas than others, but nonetheless one of the Seven Wonders of the Modern World.

  The problem with many currently available CISSP preparation materials is in defining how high the Great Wall actually is: Some material overwhelms and intimidates CISSP candidates, leading them to believe that the wall is as high as it is long. Other study materials are perilously brief and shallow, giving the unsuspecting candidate a false sense of confidence as he or she merely attempts to step over the Great Wall, careful not to stub a toe. CISSP For Dummies answers the question, “What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?”

About (ISC)2 and the CISSP Certification

The International Information Systems Security Certification Consortium, or (ISC)2, established the Certified Information Systems Security Professional (CISSP) certification program in 1989. (ISC)2 is a nonprofit, tax-exempt corporation chartered for the explicit purpose of developing and administering the certification and education programs associated with the CISSP (as well as several CISSP concentrations, the Systems Security Certified Practitioner (SSCP), and the Certification and Accreditation Professional (CAP) certifications). The CISSP certification is based on a Common Body of Knowledge (CBK) identified by (ISC)2 and defined through ten distinct domains:

 - Access Control
 - Telecommunications and Network Security
 - Information Security and Risk Management
 - Application Security
 - Cryptography
 - Security Architecture and Design
 - Operations Security
 - Business Continuity and Disaster Recovery Planning
 - Legal, Regulations, Compliance, and Investigations
 - Physical (Environmental) Security

You Must Be This Tall to Ride (And Other Minimum Requirements)

The CISSP candidate must have a minimum of four years of professional work experience in one or more of the domains listed in the preceding section. After being notified of a passing score on the CISSP examination, the candidate must submit a qualified third-party endorsement (from another CISSP; the candidate’s employer; or any licensed, certified, or commissioned professional, such as a banker, attorney, or certified public accountant) to validate the candidate’s work experience. This endorsement must be submitted within 90 days of the date of the exam results notification letter or the application and exam results are voided. A percentage of submitted applications will be randomly audited, requiring additional documentation (normally a resume and confirmation from employers of work history) and review by (ISC)2.

Final notification of certification upon receipt of the endorsement letter will normally be sent by (ISC)2 via e-mail within one business day (seven business days if audited). The candidate must also subscribe to the (ISC)2 Code of Ethics and renew certification every three years. The CISSP certification can be renewed by accumulating 120 Continuing Professional Education (CPE) credits or by retaking the CISSP examination. You earn CPE credits for various activities, including taking educational courses or attending seminars and security conferences, membership in association chapters and meeting attendance, vendor presentations, university or college course completion, providing security training, publishing security articles or books, serving on industry boards, self-study, and volunteer work. You must submit evidence of any such activities to (ISC)2 for determining and documenting CPE credits. In most cases, this can be done online in the secure area of the (ISC)2 Web site. There is also an $85 (U.S.) annual maintenance fee payable to (ISC)2. Maintenance fees are billed in arrears for the preceding year and may be paid online, also in the secure area of the (ISC)2 Web site.

Tip: The minimum requirement for CISSP certification is four years of professional work experience in one or more of the ten domains of the CISSP CBK. However, you can be credited for one year of experience if you have either a four-year college degree or a master’s degree in Information Security from a National Center of Excellence (but you cannot combine both the four-year degree and the master’s degree to get two years of credit).

   Cross-Reference See

Registering for the Exam

You can register for the CISSP exam online, via mail, or via fax.

First, you need to find a suitable exam date and location. It’s given throughout the year at various locations (typically at colleges, community centers, or convention centers) worldwide. You can find exam schedules on the (ISC)2 Web site at

Remember: Unlike many other certification exams, the CISSP examination isn’t conveniently available at Thomson Prometric or Pearson VUE testing centers. Some travel may be necessary, which requires planning in advance for travel arrangements . . . possibly including airline, rental car, and hotel reservations. If you’re traveling to another country for your CISSP examination, visa requirements may apply.

After you find a suitable exam date and location on the (ISC)2 Web site, complete the online registration form or download a copy of the form so that you can mail or fax it back to (ISC)2. If you’re registering online or via fax, you need to use a MasterCard or Visa for payment. If registering by mail, you can pay for the exam via MasterCard, Visa, personal check, or money order. The current fee to take the test is $499 if you register more than 16 days in advance. The mailing address for registrations is: (ISC)2 Services, 2494 Bayshore Boulevard, Suite 201, Dunedin, FL 34698 U.S.A. The number for fax registration is 727-738-8522. When you register, you’ll be required to quantify your work experience in information security. You’re not required to have experience in all ten domains, but the cumulative total of your work experience must be at least four years.

Tip: We recommend that you register early, for several reasons:

 - The total charge of $499 for early registration and the $100 rescheduling fee is exactly the same as the fee for normal registration: $599.
 - By committing to a specific testing date, you’re more likely to stay focused and avoid procrastination.
 - Registering early allows you to better plan your travel arrangements and possibly save some money by booking reservations well in advance.
 - Space is limited at all test centers. Reservations are accepted on a first-come, first-served basis; in the case of registrations by mail, the date of the postmark is used. If the test date fills up before you register (and this is a hot certification), you may be hard-pressed to find another test date and location that suits you this year.

Tip: Great news! If you’re a U.S. military veteran and are eligible for Montgomery GI Bill benefits, the Veterans Administration will reimburse you for the full cost of the exam, pass or fail (the VA doesn’t cover exam preparation costs).

Developing a Study Plan

  Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success and can be incorporated into your study plan. For those who learn best in a classroom or training environment, (ISC) 2 offers CISSP review seminars.

  We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of 2 hours a day for 60 days. If you’re a slow learner or reader, or perhaps find yourself weak in many areas, plan on 4–6 hours a day and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this out over a 6-month period for 2 hours a day. Consider, however, that committing to 6 months of intense study is much harder (on you, as well as your family and friends) than 2 months. In the end, you will find yourself studying only as much as you would have in a 60-day period.

Self-study

Self-study can include books and study references, a study group, and practice exams. Begin by requesting an official CISSP Candidate Information Bulletin (CIB) from the (ISC)2 Web site ( ). It’s free and will be e-mailed to you as a password-protected Adobe Acrobat PDF document. This booklet provides a good outline of the subjects on which you’ll be tested.

Next, read this book, take the practice exam, and review the materials on the accompanying CD-ROM. CISSP For Dummies is written to provide the CISSP candidate an excellent overview of all the broad topics covered on the CISSP exam. Also, focus on weak areas that you’ve identified. Read additional references; we list several great ones on the CD-ROM. As a minimum, we highly recommend The CISSP Prep Guide: Gold Edition by Ronald L. Krutz and Russell Dean Vines (John Wiley & Sons, Inc.). You can also find several study guides at

  Joining or creating your own study group will help you stay focused and also provide a wealth of information from the broad perspectives and experiences of other security professionals.

  

Remember: No practice exams exactly duplicate the CISSP exam (and forget about brain dumps). However, many resources are available for practice questions. You’ll find that some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don’t despair! The repetition of practice questions will help reinforce important information that you need to know in order to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Use the Practice Exam and/or the Flash Cards on the CD-ROM and try the practice questions on the CISSP Open Study Guide (OSG) Web site ( ).

Getting hands-on experience

  Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities during your course of study for the CISSP exam. For example, if you’re weak in networking or applications development, talk to the networking group or programmers in your company. They may be able to show you a few things that will help make sense of the volumes of information that you’re trying to digest.

  Tip: Your company should have a security policy that’s freely available to its employees, particularly if you have a security function in the organization. Get a copy and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn’t have a security policy, perhaps now is a good time for you to educate management about issues of due care, due diligence, and other concepts from the Legal, Regulations, Compliance, and Investigations security domain. Review your company’s Business Continuity and Disaster Recovery plans. They don’t exist? Perhaps this is an initiative that you can lead to help both you and your company.

  (ISC)2 also administers a five-day CISSP CBK Review Seminar to help the CISSP candidate prepare. Schedules and registration forms for the CBK Review Seminar are available on the (ISC)2 Web site at

  The early rate for the CISSP CBK Review seminar is $2,495 if you register 16 days or more in advance (the standard rate is $2,695). Members of ISSA, IIA, or ISACA also get a $250 discount. (All dollar amounts listed here are U.S. currency, and are subject to change.) If you generally learn better in a classroom environment or find that you only have knowledge or actual experience in one or two of the domains, you might seriously consider attending a review seminar.

Attending other training courses or study groups

  Other reputable organizations such as SANS ( ) offer high-quality training in classroom and self-study formats. Before signing up and spending your money, we suggest that you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends upon the instructor; for this reason, we think it’s valuable to find out from others whether the proposed instructor is as helpful as he or she is reported to be.

  Many cities have self-study groups, usually run by CISSP volunteers. For example, one of the authors lives in Seattle, where a CISSP study group has been run by volunteers for many years. There may be such a study group where you live; or, if you know some CISSPs in your area, you might ask them to help organize a self-study group (and tell them you will help!).

  Tip: Always confirm the quality of a study course or training seminar before committing your money and time. See for more information on starting a CISSP study group.

Are you ready for the exam?

  Are you ready for the big day? This is a difficult question for us to answer.

  You must decide, based on your individual learning factors, study habits, and professional experience when you’re ready for the exam. We don’t know of any magic formula for determining your chances of success or failure on the CISSP examination. (If you find one, please write to us so that we can include it in the next edition of this book.) In general, we recommend a minimum of two months of focused study.

  Read this book and continue taking the practice exam in this book and on the accompanying CD until you can consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information that you will need to pass the CISSP examination. Read this book (and reread it) until you’re comfortable with the information presented and can successfully recall and apply it in each of the ten domains.

  Continue by reviewing other materials (particularly in your weak areas) and actively participating in an online or local study group. Take as many practice exams from as many different sources as possible. There are no brain dumps for the CISSP examination, and no practice test will exactly duplicate the actual exam (some are too easy, and others are too difficult), but repetition will help you retain the important knowledge required to succeed on the CISSP exam.

About the CISSP Examination

  The CISSP examination itself is a grueling 6-hour, 250-question marathon. To put that into perspective, in 6 hours you could walk about 25 miles, watch a Kevin Costner movie 1½ times, or sing “My Way” 540 times on a karaoke machine. Each of these feats respectively closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.

  As described by the (ISC)2, a minimum score of “70 percent” is required to pass the examination. Not all the questions are weighted equally, so it’s not possible to absolutely state the number of correct questions required for a passing score.

  The examination isn’t computer based. It is administered the old-fashioned way: exam booklet, answer sheet, and lots of pencils. You may write in the exam booklet, but only answers recorded on the answer sheet are scored.

  You won’t find any multiple-answer, fill-in-the-blank, scenario, or simulation questions on the CISSP exam. However, all 250 multiple-choice questions require you to select the best answer from 4 possible choices. This means that the correct answer isn’t always a straightforward, clear choice. In fact, you can count on many questions to initially appear as though they have more than one correct answer. (ISC)2 goes to great pains to ensure that you really, really know the material. For instance, a sample question might resemble the following:

  Which of the following is the FTP control channel?

  A. TCP port 21

  B. UDP port 21

  C. TCP port 25

  D. IP port 21

  Most candidates remember that FTP uses port 21, but is it TCP, UDP, or IP? (The best answer is A: the FTP control channel is TCP port 21; TCP port 25 is SMTP, and “IP port” is not a meaningful term, since ports belong to the transport layer.) Increasingly, CISSP exam questions are based more upon situations than on simple knowledge of facts. For instance, here’s a question you might get:

  A system administrator has found that a former employee has successfully logged in to the system. The system administrator should:

  A. Shut down the system.

  B. Confirm the breach in the IDS logs.

  C. Lock or remove the user account.

  D. Contact law enforcement.

  You won’t find the answer to this in a book (well, probably not). But there is still a best answer to every exam question - perhaps not an ideal answer, but there is a best answer. A common and effective test-taking strategy for multiple-choice questions is to carefully read each question and then eliminate any obviously wrong choices. The CISSP examination is no exception.

  Warning: Wrong choices aren’t so obvious on the CISSP examination. You will find a few obviously wrong choices, but they only stand out to someone who has studied thoroughly for the examination and has a good grasp of all ten of the security domains. Only 225 questions are actually counted toward your final score. The other 25 are trial questions for future versions of the CISSP examination. However, these questions aren’t identified within the exam, so you have to answer all 250 questions as if they’re the real thing.

  The CISSP examination is currently available in English only. Foreign language dictionaries are permitted. (ISC)2 also recommends that non-English speaking candidates pass the Test of English as a Foreign Language (TOEFL) exam prior to attempting the CISSP examination.

   contains suggestions for preparation on the day of the exam.

Waiting for Your Results

  Perhaps the most painful part of the CISSP examination is waiting for the results. You can expect to come out of the CISSP examination, at best, with no idea of whether you have passed or failed . . . or worse, with the sinking feeling that you bombed it miserably. Take heart - this is an almost universal reaction, caused by mental fatigue, but it’s certainly not the universal result.

  (ISC)2 officially states that you can expect your exam results via first class mail within 4–6 weeks of your examination date. However, (ISC)2 is getting more efficient and often has results out within 1–2 weeks. No results are given out via telephone. If you don’t receive your results within 6 weeks, you should contact (ISC)2 to inquire about the status. Your results will be simply Pass or Fail. No score is given, and your domain strengths/weaknesses aren’t identified. You just receive an official letter informing you of your results. When you pass, you receive your CISSP certification number, CISSP certificate, wallet card, lapel pin, and username/temporary password for access to the secure (ISC)2 Web site.

  Tip: While waiting for your results, assume the worst and prepare for the retest. Recall specific problem areas from the examination. Write them down and study those areas again. If you fail the examination, this effort will pay huge dividends when you try again. And if you find out that you did pass the examination, you’ll be a better CISSP!

The Common Body of Knowledge (CBK)

In This Chapter

  Getting up close and personal with the CBK

  Reviewing the ten domains of information security

  Understanding knowledge objectives and study topics

Overview

  The Common Body of Knowledge (CBK) defines a basic and common knowledge base for all security professionals. This is collectively referred to as the ten domains of information security. The CBK also provides minimum knowledge requirements for the Certified Information Systems Security Professional (CISSP) exam. Although these knowledge requirements are analogous to the test objectives, they are distinctly different. For one thing, the test objectives require a candidate to perform specific tasks or demonstrate skill with a specific technology, while the CBK is relatively abstract and changes little over time. The CBK is periodically updated by the CBK Committee, which is appointed by the International Information Systems Security Certifications Consortium (ISC)2 Board of Directors. The ten domains of information security, as defined in the CBK, are described below and can be found online at

Access Control

  The Access Control domain encompasses the set of mechanisms employed to restrict or direct the behavior, use, and content of an information system. It defines a user’s rights on a system, including what a user can do and what resources are available to a user.

  This domain is covered in

Telecommunications and Network Security

  The Telecommunications and Network Security domain encompasses the structures, transmission methods, transport formats, and security measures used to provide confidentiality, integrity, availability, and authentication for transmissions over private and public networks.

  This domain is covered in

Information Security and Risk Management

  The Information Security and Risk Management domain encompasses the following topics:

  Security management: The identification of an organization’s

  information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability.

  Risk management: The identification, measurement, control,

  and minimization of loss associated with uncertain events or risks, including overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, safeguard implementation, and effectiveness review.

  This domain is covered in

Application Security

  The Application Security domain encompasses the controls included within systems and application software, as well as the steps used in their development. This domain is covered in