Dissecting the (ISC)2 CISSP Exam
Since the Security StudyGuide only dissects one security certification, this time I decided to unravel the exam that remains the focused, mid-level security credential most often requested by name in job postings and classified ads. This is, of course, the vendor-neutral Certified Information Systems Security Professional (CISSP) program, which originates from the International Information Systems Security Certification Consortium (affectionately known as (ISC)2, pronounced “ISC-squared” www.isc2.org), now in its 15th year of operation. As of Feb. 29, 2004, (ISC)2 put the total population of CISSPs worldwide at about 25,000, and it expects to seat between 12,000 and 15,000 prospective candidates in 2004 as well, according to Dow A. Williamson, director of communications for (ISC)2.
The CISSP consists of 250 multiple-choice questions across a dizzying array of topics that must be completed in a six-hour period. The CISSP exam costs $450 and is delivered in cities around North America once or twice a year (more often in major metro areas). As an intermediate- to senior-level security certification, the CISSP attempts to identify seasoned, experienced and knowledgeable security professionals. Current CISSP experience requirements include four years of relevant work experience in information security or three years of experience with a college degree or equivalent life experience. An extra year of experience credit accrues to those who complete master’s programs at schools recognized as National Centers of Excellence in Information Assurance by the National Security Agency (NSA).
CISSPs often work as full-time security professionals with salaries in a range from $75,000 to $150,000. Working as a full-time security professional usually means either a full-time position inside an organization big enough to afford such staff or a full-time position or consulting gig handling security concerns for one or more smaller organizations on an outsourced basis.
The heart and soul of the CISSP resides in the so-called (ISC)2 Common Body of Knowledge (CBK) which breaks the field of information security into 10 domains. Each of these domains covers a broad range of topics, tools, technologies and techniques as appropriate. As we dissect them, you’ll get an immediate sense of the scope and breadth of information that this exam covers. That said, the vendor-neutral CISSP exam is more conceptual and best-practices-oriented, rather than immersing itself in all kinds of intricate details involved in installing, configuring and maintaining various kinds of security hardware and software. This exam focuses more on general, accepted concepts, terminology, tools, techniques and approaches to designing, implementing and maintaining strong, effective information security than it does on nuts-and-bolts details involved in enacting security policies, practices and procedures.
The 10 domains in the (ISC)2 Common Body of Knowledge, from which the information for the CISSP exam is drawn, comprise a huge knowledge base that candidates must explore and understand. Nevertheless, each domain falls inside the scope of what working information security professionals will encounter on the job. Thus, the experience requirement for the CISSP indicates that candidates’ related activities must fit within “one or more of the 10 test domains of the information systems security … CBK” and that they must have worked as a “practitioner, auditor, consultant, investigator or instructor” (or some equivalent job role that involves security directly, see www.isc2.org/cgi-bin/content.cgi?page=43 for more details).
Access Control Systems and Methodology
Candidates must understand how to plan for, design, use and maintain user and group accounts, access controls, rights and permissions, numerous authentication mechanisms and auditing and accountability to monitor the efficacy of controls placed on IT infrastructures. Questions in this topic area tend to concentrate on definitions and conceptual details related to the topics covered and to applying such knowledge to select appropriate types or implementations to meet specific requirements or to fit within carefully described scenarios.
Application and Systems Development
Candidates must understand clearly how software development and data management relate to security. This includes planning for security in design and implementation, especially for distributed systems. It also requires thorough knowledge of and familiarity with recent documented malicious software threats or vulnerabilities including worms, viruses, Trojan horses, active content and so on. Other relevant topics include working with databases and repositories, and working with systems developers to design and build secure software. Of course, understanding and implementing security controls and security architectures is key (such as trusted computing bases, establishing and maintaining security perimeters, using principles of resource isolation and least privilege and so forth). Likewise, candidates must master managing system integrity levels and various well-known operational security modes. They must also be able to recognize and deal with malicious code and understand the concepts, history and literature that documents and surrounds well-known system and network attacks.
Business Continuity and Disaster Recovery Planning
An important aspect of security is protecting key assets and infrastructure from loss, harm or serious disruption. That explains why CISSP candidates must understand the practices, data storage and handling requirements and the services and arrangements necessary for business or organization operations to continue in the face of various types of disruption. This means that candidates must be able to plan for, prepare, test and drill on and maintain specific actions, facilities, processes and procedures necessary to avoid adverse affects of failures, interruptions, acts of God and so on, where information system services and operations are concerned.