Dissecting the CISSP Exam
Since our Security Study Guide can dissect two security certifications, we decided to unravel the exam that remains the focused, mid-level security credential most often requested by name in job postings and classified ads. This is, of course, the Certified Information Systems Security Professional (CISSP), which originated from the International Information Systems Security Certification Consortium (affectionately known as ISC2, pronounced “ISC-squared”; www.isc2.org). By the end of 2002, (ISC)2 expects the total population of CISSPs worldwide to be more than 10,000 and to have seated 6,000 or more prospective candidates for this exam in 2002 alone.
As certification exams go, the CISSP is a doozy in many ways. It consists of 250 multiple-choice questions across a dizzying array of topics—more on that soon—that must be completed in a six-hour period. The CISSP exam costs $450 and is delivered in cities around North America once or twice a year (more often in major metro areas). As an intermediate to senior-level security certification, the CISSP attempts to identify seasoned, experienced and knowledgeable security professionals. Beginning in 2003, CISSP experience requirements include four years of relevant work experience in information security or three years of experience with a college degree or equivalent life experience.
CISSPs tend to work as full-time security professionals and enjoy salaries that range from $75,000 to $150,000. Working as a full-time security pro usually means either a full-time position inside an organization big enough to afford such staff or a full-time position or consulting gig handling security concerns for one or more smaller (or less well-staffed) organizations on an outsourced basis.
The heart and soul of the CISSP resides in its so-called Common Body of Knowledge (CBK), which breaks the field of information security into 10 domains. Each of the domains covers a broad range of topics, tools, technologies and techniques as appropriate. As we dissect these domains, you’ll get an immediate sense of the scope and breadth of information that this exam covers. That said, the CISSP exam is more conceptual and best-practices-oriented, rather than immersing itself in all kinds of intricate details involved in installing, configuring and maintaining various kinds of security hardware and software. The latter knowledge is important to the degree that a knowledgeable, serious information security professional must understand such things. But the focus of the CISSP exam is more on general, accepted concepts, terminology, tools, techniques and approaches to designing, implementing and maintaining strong, effective information security than it is on the nuts-and-bolts details involved in enacting security policies, practices and procedures.
The Common Body of Knowledge is a huge knowledge base that candidates must explore and understand. Nevertheless, each domain falls inside the scope of what working information security professionals will encounter in their jobs. Thus, the experience requirement for the CISSP indicates that candidates’ related activities must fit within “one or more of the 10 test domains of the information systems security … CBK” and that they must have worked as a “practitioner, auditor, consultant, investigator or instructor” (or some equivalent job role that involves security directly, see www.isc2.org/cgi-bin/content.cgi?page=43 for more details).
Let’s look at the 10 domains of the CBK in more detail.
Access Control Systems and Methodology
Candidates must understand how to plan for, design, use and maintain user and group accounts, access controls, rights and permissions, numerous authentication mechanisms and auditing and accountability to monitor the efficacy of controls placed on IT infrastructures.
Questions in this topic area tend to concentrate on definitions and conceptual details related to the topics covered, and to applying such knowledge to select appropriate types or implementations to meet specific requirements or to fit within carefully described scenarios.
Application and Systems Development
Candidates must understand clearly how software development and data management relate to security matters. This includes planning for security in design and implementation, especially for distributed systems. It also requires thorough knowledge of and familiarity with recent documented malicious software threats or vulnerabilities, including worms, viruses, Trojan horses, active content and so forth. Other relevant topics include working with databases and repositories and working with systems developers to design and build secure software.
Of course, understanding and implementing security controls and security architectures is key (such as trusted computing bases, establishing and maintaining security perimeters, using principles of resource isolation and least privilege and so forth). Likewise, candidates must master managing system integrity levels and various well-known operational security modes (such as dedicated security mode, compartmented security mode and multilevel security mode). They must also be able to recognize and deal with malicious code and understand the concepts, history and literature that document and surround well-known system and network attacks.
Business Continuity and Disaster Recovery Planning
An important aspect of security is protecting key assets and infrastructure from loss, harm or serious disruption. That explains why CISSP candidates must understand the practices, data storage and handling requirements and the kind of services and arrangements necessary for operations to continue in the face of various types of disruption. This means that candidates must be able to plan for, prepare, test, drill on and maintain the specific actions, facilities, processes and procedures necessary to avoid the adverse effects of failures, interruptions, acts of God and so on, where information system services and operations are concerned.
Cryptography
Ensuring privacy and protecting the confidentiality of data are key concepts in information security. Thus, CISSP candidates must understand the basic principles and algorithms involved in data encryption and decryption. They must also understand how encryption applies to ensuring data confidentiality, integrity, authentication and non-repudiation. This means a good basic understanding of cryptographic concepts, methods and practices. Key topics and technologies include digital signatures; encryption algorithm types, strengths and efficiencies; key length and strength, plus key distribution, escrow and recovery technologies and techniques; various well-known error detection and correction techniques based on encryption, as well as hashes, digests and ciphers. The concepts and operation of public and private key algorithms are essential, as is a working understanding of the public key infrastructure (PKI). Candidates must understand how system architectures and features implement cryptographic functions. They must also become familiar with the concepts, history and literature surrounding well-known methods of cryptographic attack and their appropriate countermeasures.
Law, Investigations and Ethics
Information security exists within a framework of law and regulation; thus basic familiarity with related topics is essential. In particular, this includes various laws and regulations that deal with software licensing and intellectual property. Some knowledge of liability and data flows across boundaries is required, such as how local laws and jurisdictions apply to system or network security and business operations. Candidates must make themselves familiar with relevant computer crime laws and regulations and pro