Certified Information Systems Security Professional (CISSP) Exam Guide: Become a certified CISSP professional with practical exam-oriented knowledge of all eight domains

Ted Jordan, Ric Daza, Hinne Hettema

eBook, Sep 2024, 526 pages, 1st Edition
Becoming a CISSP

You have begun the journey to obtain the most prized cybersecurity certification in the world. The Certified Information Systems Security Professional (CISSP) is said to be 10 miles wide and an inch deep. The eight domains of the CISSP cover a vast amount of information. However, despite the previous quote, you still need to understand the underlying concepts. This is because the exam does not just test your memory of concepts but also their application in scenarios to solve problems.

One of the reasons the CISSP is so broad and so respected is that it is built and maintained by experts from around the world and from diverse industries. These experts (all of whom hold a CISSP certification) gather every three years to review and revise the exam outline during the job task analysis (JTA) portion of the certification’s life cycle. During the JTA process, the experts ensure that the knowledge embodied by the outline represents what a cybersecurity practitioner needs to know to perform their job effectively. This chapter will discuss why this is so critical. You’ll review the CISSP exam itself, its structure, and the new CISSP Computerized Adaptive Testing (CAT) version of the exam. You’ll also be provided with the best exam tips and tricks. Finally, you’ll learn what it takes to become a CISSP.

Making the Most Out of This Book – Your Certification and Beyond

This book and its accompanying online resources are designed to be a complete preparation tool for your CISSP Exam.

The book is written in a way that you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, interactive flashcards, and exam tips to help you work on your exam readiness from now till your test day.

Before You Proceed

To learn how to access these resources, head over to Chapter 24, Accessing the Online Practice Resources, at the end of the book.

Figure 1.1: Dashboard interface of the online practice resources

Here are some tips on how to make the most out of this book so that you can clear your certification and retain your knowledge beyond your exam:

  1. Read each section thoroughly.
  2. Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the Dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.
  3. Chapter Review Questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill - Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end.
  4. Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.
  5. Mock Exams: Solve the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.
  6. Exam Tips: Review these from time to time to improve your exam readiness even further.

In this section, we will cover the following topics:

  • The need for CISSPs
  • CISSP exam overview
  • CISSP exam structure
  • Exam tips and tricks
  • Information about becoming a CISSP

The Need for CISSPs

One of the challenges facing the cybersecurity profession is finding enough qualified cybersecurity practitioners to meet the demand. According to the Bureau of Labor Statistics, the rate of growth for jobs in information security is projected at 37% from 2012-2022 (https://packt.link/FNAup). That’s much faster than the average for all other occupations. The Human Resources (HR) professionals who are on the front lines dealing with this challenge rarely possess the ability to quantify the expertise of a cybersecurity job candidate. Therefore, a respected, unbiased standard is necessary to help potential employers more easily distinguish qualified candidates from unqualified ones. Enter ISC2 and their CISSP certification.

The International Information System Security Certification Consortium (ISC2) was established as a non-profit organization in 1989. Five years later, ISC2 launched its first certification, the CISSP, in 1994. At the time, the cybersecurity market was in desperate need of a baseline of cybersecurity knowledge to aid both the industry in standardizing the profession and those seeking to hire cybersecurity professionals. Since its founding, ISC2, through the CISSP and its other eight certifications, has established and maintained that standard.

In 2005, the United States Department of Defense (DoD) created the 8570 directive to assess and manage its cybersecurity workforce. The CISSP provides independent verification of a reliable baseline of a practitioner’s knowledge and experience in cybersecurity. The CISSP tells the world that you know something about cybersecurity—not just something, but the right something about cybersecurity, as determined by industry experts who hold a CISSP certification. As per the 8570 directive and its current successor, the 8140 directive, many cybersecurity job roles within the DoD require a CISSP certification to qualify.

In addition to helping HR professionals validate a baseline level of knowledge, the CISSP certification also validates experience. The CISSP certification requires not just a passing score but a minimum of five years of experience. ISC2 verifies this requisite experience before conferring the certification on any candidate who has achieved a passing score on the exam. You will learn more about this experience requirement in the Information about Becoming a CISSP section. This additional benefit of experience verification is of great value to employers.

The CISSP certification also comes with a 40-hour annual Continuing Professional Education (CPE) requirement to maintain the currency of your CISSP certification. See https://packt.link/6EFMh for more information. While ISC2 is a non-profit organization, they don’t just track your CPE and maintain your currency for free; there is an annual maintenance fee of 125 USD per year. The bright side is that if you choose to pursue any of the other eight ISC2 certifications, you will pay only 85 USD per year, unlike other cybersecurity certification organizations.

CISSP Exam Overview

The CISSP exam outline is the most important tool when preparing for the certification. It is no exaggeration to say it is the roadmap of the test. This section will explain why it is so important to know it well. First and foremost, it is what ISC2 uses to build the test questions. The certification industry (organizations such as ISC2, ISACA, SANS, and CompTIA) calls exam questions items. The process of building test questions is called item writing, which for the CISSP exam and ISC2 is done by volunteer CISSPs in an item writing workshop.

If you search the web for item writing, you’ll find many first-hand accounts from volunteers about their experiences of participating in an item writing workshop. There are some excellent ones on ISC2 where volunteers share their workshop experiences and details about the item writing process: https://packt.link/SvggM. ISC2 works very hard to protect the confidentiality and efficacy of their item bank (their database of exam questions). So, don’t waste your time trying to find or use brain-dumps or allegedly real questions (most likely fake).

Your study time is much better spent understanding the material covered in the exam outline and how ISC2 uses it to build items. The exam outline is the product of another kind of volunteer workshop, known as a JTA. In this workshop, the volunteer CISSPs review the current outline and update it to more accurately reflect the knowledge and skills a CISSP should have today and over the next three-year cycle. Once this crucial step is complete, the existing items in the bank must be mapped to the new outline. This is also done by volunteer CISSPs in a workshop called an item mapping workshop.

The item mapping process is important for two reasons. First, categorizing items into the appropriate part of the outline is necessary to build every test with an exact balance of items from the appropriate part of the outline, as determined by the JTA. The weighting of the outline will be discussed in detail later. Second, item mapping is necessary to determine where and how big the holes are in the item bank. These holes are then assigned to subsequent item writing workshops to be filled with new items based on the new exam outline. See https://packt.link/IqXal to view the outline.

This aspect will be of particular interest to you as you prepare for the CISSP exam. Each item must map to a specific topic in the exam outline. No surprise items on topics not covered by the exam outline are allowed. So, the exam items are fixed by the exam outline—this is an unbreakable rule. That being said, the outline is divided into eight domains or areas of knowledge, which you will soon see can be quite broad.

Domains

A domain is a broad collection of related information. In this section, you will become more familiar with the exam outline. The top level of the outline represents the eight domains. The second level represents the subject areas within the domain that CISSP candidates need to be familiar with related to that domain. Many second-level subject areas have a third level to further clarify the knowledge that is to be tested in the exam at the level above it. Any concept under the umbrella of a domain is fair game as a potential exam item.

It is no coincidence that this book is laid out exactly like the CISSP exam’s outline, as that is the information you need to know. Each domain in the exam outline will be covered by one or more chapters in this book. The goal is to introduce and explain each concept in the exam outline. Not only do you need to memorize this, but you also need to understand it as the exam tests your ability to correctly apply concepts to solve situations. It is not possible to capture every bit of potential information contained within a domain. This book will at least introduce every concept in the outline and delve deeper into those areas that are understood to have a high probability of showing up on your test.

CISSP CAT Examination Weightage

As mentioned earlier, each domain in the exam outline has a weight assigned. This means the Pearson VUE testing software must build your test with the exact percentage weights that are prescribed in the exam outline. So, if your test has 100 scored items, 16% or 16 items will be about concepts in Domain 1, Security and Risk Management.

While all ISC2 exam outlines provide domain-level weights, the CISSP exam outline provides weights for both linear testing and CAT. See https://packt.link/UCB05 for more information. The following table shows the domain level (the top level) of the exam outline, along with its corresponding weights:

Domain                                      Weight
1. Security and Risk Management             16%
2. Asset Security                           10%
3. Security Architecture and Engineering    13%
4. Communication and Network Security       13%
5. Identity and Access Management (IAM)     13%
6. Security Assessment and Testing          12%
7. Security Operations                      13%
8. Software Development Security            10%

Table 1.1: CISSP CAT examination weights

The weights are the same for both versions (linear testing and CAT) of the test. ISC2 publishes item weight information for both linear testing and CAT in case you plan on taking a non-English version of the CISSP exam. All ISC2 exams besides the English CISSP exam are linear. See https://packt.link/oNM7u for the other languages available. While the domain weights are fairly evenly balanced, they do differ slightly. This may help you budget your time and decide where you want to focus your study efforts. This information, combined with the pre-assessment test in the next chapter, can provide insights into where and how to focus your time.

CISSP CAT Examination Information

In 2017, ISC2 began using CAT for all English CISSP exams worldwide. This version of the test covers the same material from the exam outline as the traditional test (linear testing). According to ISC2, “CISSP CAT is a more precise and efficient evaluation of your competency” (https://packt.link/TxPI2). Translation—it is a little less painful. If you know the material, the CAT exam can determine that in fewer items. You go from the linear test, which is 6 hours long and contains 250 items, to a 3-hour test with potentially as few as 100 items in the CAT exam.

Overall, the CAT exam is much nicer than the linear version. That being said, there are a few things about the CAT exam you should know so that you are not surprised. First, the CAT scoring algorithm is much more efficient. This means that you never really know when the test is going to end.

You know the absolute minimum (100 items) and the absolute maximum (3 hours), although it is unlikely that you will finish at either of those two extremes. The test ends as soon as the algorithm is confident you either know your stuff or you don’t. If you don’t know your stuff, the algorithm will not just let you run down the clock while exposing more items to you if it already knows you are not going to pass.

CISSP Exam Structure

The exam is made up of three types of items: multiple-choice questions, innovative questions, and scenario questions. The last two types of questions are legacy, meaning ISC2 will not be making any more questions of that type. The bulk of the questions are multiple-choice, and that is what this book will be focusing on. The other two types have been mentioned because you may see one or two in your exam.

“Innovative questions” is a fancy term for drag and drop. Imagine a graphic with four or five different boxes, where you have to drag the concept or term from one side of the screen to the other to match it up with an appropriate concept. If you know the material in this book, you should have no problem with this type of question. Another rare type of question is scenario questions. These questions have a long introduction scenario, followed by two to five questions based on that scenario.

As mentioned previously, today’s CISSP exam is predominantly made up of multiple-choice questions (MCQs). These questions have a to-the-point question portion (known as the item stem) and they have four options (A, B, C, and D). Only one option is the key or the correct answer; there cannot be more than one correct answer. The other three options are called distractors; they are incorrect answers.

To pass the exam, you need 700 out of 1,000 points. These points are scaled, which means that not all the questions are worth the same. Additionally, 25 questions are worth zero points. These are known as pre-test questions. If a pre-test question performs well, it will be promoted to a scored item in a future exam. Obviously, ISC2 does not indicate which questions are pre-test and which are scored, so try your best on all the questions.

So, what makes one question worth more than another? The more cognitively difficult the question, the more points it is worth. This cognitive difficulty is based on Bloom’s Taxonomy. See https://packt.link/eLxTU for more information on Bloom’s Taxonomy. In short, Bloom explains that there are different levels of understanding regarding concepts, with the most basic being Knowledge and the highest being Evaluation. For the CISSP exam, you only need to learn Knowledge, Application, and Analysis, as shown in the following diagram:

Figure 1.2: Bloom’s Taxonomy

You can think of a knowledge-level question as pure memorization of a term or a concept you read. Application-level questions can be thought of as a deeper understanding of the underlying concept. Finally, the most challenging of cognitive levels is Analysis. It requires a deep understanding of multiple concepts; in particular, applying multiple concepts to solve a specific problem.

The idea of cognitive difficulty is best made clear with a few examples. Consider a concept from Domain 4, Communication and Network Security; specifically, 4.1:

  • At which layer of the Open System Interconnection (OSI) reference model does the Address Resolution Protocol (ARP) operate?
    1. 2 – Data Link
    2. 3 – Network
    3. 6 – Presentation
    4. 7 – Application

This is an example of a knowledge-level item. You only need to remember from reading or seeing an OSI model graphic that ARP is a layer 2 protocol. You need not know what it does, how it does it, about security issues with ARP, or how to fix them.

  • What is the purpose of the Address Resolution Protocol (ARP)?
    1. To resolve a Fully Qualified Domain Name (FQDN)
    2. To request an Internet Protocol (IP) address for a host
    3. To resolve an Internet Protocol (IP) address to a Media Access Control (MAC) address
    4. To build a loop-free topology in Internet Protocol (IP) networks

This is an example of an application-level item. It requires a deeper understanding of what the ARP does, why it is needed, and where it fits into the OSI and Transmission Control Protocol/Internet Protocol (TCP/IP) models.

  • Which attack leverages the Address Resolution Protocol (ARP)?
    1. Transmission Control Protocol (TCP) spoofing
    2. Distributed Denial of Service (DDoS)
    3. Man-in-the-Middle (MitM)
    4. Dynamic Host Configuration Protocol (DHCP) starvation

This is an example of an analysis-level item. Here, the exam is still just talking about ARP, but each question requires a progressively deeper understanding of the underlying ARP concept. For this item, you must understand what ARP is, how ARP works, and the cybersecurity attacks that use it. Notice that all three items are single sentences: there is no correlation between the length of a question’s portion (the item stem) and its cognitive difficulty.

Information About Becoming a CISSP

What does it take to become a CISSP? Two things. First, you must demonstrate mastery of the knowledge encompassed in the CISSP exam outline, which this book and your diligent efforts will help you with. Second, you must meet the CISSP experience requirement. See https://packt.link/OkYeS for more details. Upon passing the exam, you must furnish ISC2 with proof of at least five years of cumulative paid work experience in at least two of the eight domains in the CISSP exam outline.

ISC2 is very specific regarding how much experience it takes to satisfy this requirement. By five years, they mean throughout your career, including full-time (35+ hours/week), part-time (20–34 hours/week), and internships. One year of experience equals 2,080 hours. So, a total of 10,400 hours is required.

At the time you pass the exam, you are not a full CISSP yet. A four-year college degree or a certification from an ISC2-approved list will satisfy one year of experience. If you do not yet meet the experience requirement, don’t worry—you will be designated as an Associate of ISC2 working toward the CISSP and will be given six years to meet the job experience requirement.

Exam Tips and Tricks

This section will present some tried and tested exam tips and tricks to help you study for the CISSP exam, as well as some tips on how to approach the questions. First, consider the ISC2 website. There is a wealth of resources there, two of which you should be familiar with. The first is the ISC2 Community (https://packt.link/OT5sN), where you can explore the community you are trying to join. Be sure to check out the CISSP study group at https://packt.link/mEwXi.

The second resource is the ISC2 official acronym list, which is made available to you during the exam. However, you can preview it here: https://packt.link/AZxpN. Every acronym used anywhere in an ISC2 item bank is made public here, so the list is a sneak peek into the concepts the items cover. Note that this covers all the acronyms for all nine of the tests that ISC2 offers (CISSP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, SSCP, CCSP, CAP, CSSLP, and HCISPP); they are not broken down by certification.

The goal of ISC2 is to ensure that exam candidates have a true command of the exam’s material, thus avoiding on-paper CISSPs. These are people who have their certification, but once they are in a professional setting, they do not understand the CISSP Common Body of Knowledge (CBK), which would threaten ISC2 and its CISSP certification’s hard-fought reputation as the best in cybersecurity. To that end, this section will discuss your study strategy. Unlike other tests you may have taken in the past, the CISSP exam will require more than just memorization to pass. It is important to keep this in mind. With each concept you are exposed to as you prepare, ask yourself: Why is this important? How does it work? What other concepts does it relate to?

A good example of the axiom understand, don’t memorize is security frameworks such as ISO 27001, NIST 800-53, and COBIT. While it is important to be familiar with these and other fundamental documents, these three frameworks all cover the same concepts—it is just that they are published by three different organizations: ISO, NIST, and ISACA, respectively. You do not want to spend your precious study time memorizing which framework says what or how it says it. Rather, focus your efforts on understanding the concepts contained within, why they are important, and who tends to use one framework over another and why.

Moving on to the test itself, take a look at some strategies to use during the test. Remember that the bulk of the exam questions will be in multiple-choice format, that is, the format where the question portion of the item is known as the item stem, and the four potential answers are known as options. Each part of these items is discussed next. First, keep in mind that the length of the item stem can mislead you into a false sense of security.

As mentioned earlier in this chapter, the length of the item stem is not representative of its underlying complexity. So, be sure you understand the nuance of what is being asked. It can be easy to quickly read a question, especially one with a short item stem, and assume you know what they are asking. The best way to avoid this pitfall is to read the question slowly and carefully. Your eyes can play tricks on you when you speed read. Missing or misreading just one word can change its meaning. Anxious test-takers tend to rush, afraid they will run out of time. If you know the material, then there will be plenty of time.

Now, take a look at the options portion of an item. Remember that there are only four options (A, B, C, and D). Only one of those options is the correct answer or the key. The other three options are aptly named distractors. ISC2 does not set out to trick you but to test how well you know the material. Sometimes, the difference between one answer option and another is one word or the sequence of a list. So, the wrong answer will look right to someone who only slightly knows the concept being tested. That is the mark of a good distractor: not to trick someone who understands the concept but to distinguish between the ones who do and do not know the concept well.

Sometimes, you can know the material too well. This can happen in a couple of ways. One way is that you work or have worked in the domain that is being tested, so you have real-world experience. This can cause you to overthink the question. Keep in mind that every item on the CISSP exam must be backed up with a valid reference. Exam items are never based solely on an item writer’s personal experience unless that experience is common practice. It would be unfair to expect any CISSP candidate to have knowledge that is not publicly available from non-proprietary sources such as books, journals, and websites.

If you find yourself facing an item where, after reading the stem, you cannot find the right answer among the options, here are a few tips. First, look for the best answer from the given choices. Next, all else being equal, choose your answer while wearing your manager hat and not as a technical person. Remember that the CISSP is meant to be broad, not deep—a perspective prized among managers. Finally, if those two tips do not illuminate the best choice, try to understand the differences among and between all the options given. If all else fails, guess. In the CAT version of the CISSP exam, you cannot mark questions or go back to a question later, so never leave a question unanswered.

Summary

In this chapter, we discussed the CISSP certification and why it is so valuable in the cybersecurity industry. You also learned how it is built and maintained by CISSP-certified experts from around the world. You were introduced to the all-important CISSP exam outline provided by ISC2, which is the foundation of how this book is organized, and dug deeper into the CISSP exam’s structure. You got some exam tips and tricks and learned about the experience requirements to fully become a CISSP.

The next chapter will give you a pre-assessment test to help you gauge your strengths and weaknesses in the exam outline.

Key benefits

  • Explore up-to-date content meticulously aligned with the latest CISSP exam objectives
  • Understand the value of governance, risk management, and compliance
  • Assess your exam readiness with practice questions that match exam-level difficulty

Description

The (ISC)2 CISSP exam evaluates the competencies required to secure organizations, corporations, military sites, and government entities. The comprehensive CISSP certification guide offers up-to-date coverage of the latest exam syllabus, ensuring you can approach the exam with confidence, fully equipped to succeed. Complete with interactive flashcards, invaluable exam tips, and self-assessment questions, this book helps you build and test your knowledge of all eight CISSP domains. Detailed answers and explanations for all questions will enable you to gauge your current skill level and strengthen weak areas. This guide systematically takes you through all the information you need to not only pass the CISSP exam, but also excel in your role as a security professional. Starting with the big picture of what it takes to secure the organization through asset and risk management, it delves into the specifics of securing networks and identities. Later chapters address critical aspects of vendor security, physical security, and software security. By the end of this book, you'll have mastered everything you need to pass the latest CISSP certification exam and have this valuable desktop reference tool for ongoing security needs.

Who is this book for?

This book is for professionals seeking to obtain the ISC2 CISSP certification. You should have experience in at least two of the following areas: GRC, change management, network administration, systems administration, physical security, database management, or software development. Additionally, a solid understanding of network administration, systems administration, and change management is essential.

What you will learn

  • Get to grips with network communications and routing to secure them best
  • Understand the difference between encryption and hashing
  • Know how and where certificates and digital signatures are used
  • Study detailed incident and change management procedures
  • Manage user identities and authentication principles tested in the exam
  • Familiarize yourself with the CISSP security models covered in the exam
  • Discover key personnel and travel policies to keep your staff secure
  • Discover how to develop secure software from the start

Product Details

Publication date: Sep 20, 2024
Length: 526 pages
Edition: 1st
Language: English
ISBN-13: 9781800561786

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning

Product Details

Publication date : Sep 20, 2024
Length: 526 pages
Edition : 1st
Language : English
ISBN-13 : 9781800561786
Tools :

Table of Contents

27 Chapters
Intro I: Becoming a CISSP
Intro II: Pre-Assessment Test
Chapter 1: Ethics, Security Concepts, and Governance Principles
Chapter 2: Compliance, Regulation, and Investigations
Chapter 3: Security Policies and Business Continuity
Chapter 4: Risk Management, Threat Modeling, SCRM, and SETA
Chapter 5: Asset and Privacy Protection
Chapter 6: Information and Asset Handling
Chapter 7: Secure Design Principles and Controls
Chapter 8: Architecture Vulnerabilities and Cryptography
Chapter 9: Facilities and Physical Security
Chapter 10: Network Architecture Security
Chapter 11: Securing Communication Channels
Chapter 12: Identity, Access Management, and Federation
Chapter 13: Identity Management Implementation
Chapter 14: Designing and Conducting Security Assessments
Chapter 15: Designing and Conducting Security Testing
Chapter 16: Planning for Security Operations
Chapter 17: Security Operations
Chapter 18: Disaster Recovery
Chapter 19: Business Continuity, Personnel, and Physical Security
Chapter 20: Software Development Life Cycle Security
Chapter 21: Software Development Security Controls
Chapter 22: Securing Software Development
Chapter 23: Secure Coding Guidelines, Third-Party Software, and Databases
Chapter 24: Accessing the Online Practice Resources
Other Books You May Enjoy

Customer reviews

Rating distribution: 5 out of 5 (5 Ratings)
5 star: 100%
4 star: 0%
3 star: 0%
2 star: 0%
1 star: 0%
Rengarajan, Oct 18, 2024 (5 stars)
As a CISSP certification holder, I really enjoyed reading this book. This book covers all the latest concepts of the ISC2 exam for CISSP and explains the concepts in a very concise manner. There is a pre-assessment test before you go to Chapter 1, which covers ethics and the CIA triad very well. At the end of each chapter there is an exam readiness drill, which should help the candidate to assess himself well on the topics covered and prepare well for this tough exam. I highly recommend this book for any CISSP aspirants.
Amazon Verified review
Bill, Oct 08, 2024 (5 stars)
If you’re gearing up for the CISSP exam, this book is an essential tool. It thoroughly covers all the domains in a clear and structured way, making complex topics more understandable. The exam-focused approach ensures you’re concentrating on the right areas, and the practical examples help reinforce your knowledge. I especially valued the exam tips and readiness drills at the end of each chapter. This guide will enhance your confidence and readiness for the exam. Highly recommended for anyone pursuing CISSP certification!
Amazon Verified review
Kenneth Dolbow, Oct 08, 2024 (5 stars)
Having passed the CISSP exam, I can confidently say the Certified Information Systems Security Professional (CISSP) Exam Guide from Packt is a fantastic resource. This book covers the extensive material needed for the exam in a clear, well-organized way, and even taught me a few new things despite already being certified. The online resources are top-notch, offering mock exams, practice questions, flashcards, and exam tips—everything you need to prepare thoroughly. I also love the chapter review questions. Testing yourself after learning is proven to improve retention, and this book excels at reinforcing key concepts. Overall, this guide is a must-have for anyone preparing for the CISSP. Highly recommended!
Amazon Verified review
Deepak Kuhar, Oct 07, 2024 (5 stars)
If you're preparing for the CISSP exam, this book is an invaluable resource. It covers all the domains in a clear and organized manner, making complex concepts easier to grasp. The exam-oriented approach ensures that you're focusing on the right topics, and the practical examples help solidify your understanding. I particularly appreciated the exam tips & tricks and readiness drills after each chapter. This guide will boost your confidence and preparedness for the exam. Highly recommend to anyone aiming for CISSP certification!
Amazon Verified review
Alex T, Oct 06, 2024 (5 stars)
I enjoyed going through this book and how comprehensive it is for the CISSP and beyond. With the exam covering so much, the authors provided as much detail as possible for each domain without it being presented too much as a dry study guide. Its two chapters on identity management are particularly valuable.
Amazon Verified review

FAQs

How do I buy and download an eBook?

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing

When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the eBook to be usable for you, the reader, with our need to protect the rights of us as publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else

How can I make a purchase on your website?

If you want to purchase a video course, eBook or Bundle (Print+eBook), please follow the steps below:

  1. Register on our website using your email address and a password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title.
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Card, or PayPal).

Where can I access support around an eBook?

  • If you experience a problem with using or installing Adobe Reader, then contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book, go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us

What eBook formats do Packt support?

Our eBooks are currently available in a variety of formats such as PDF and EPUB. In the future, this may well change with trends and developments in technology, but please note that our PDFs are not in Adobe eBook Reader format, which has greater security restrictions.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks?

  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower priced than print
  • They save resources and space

What is an eBook?

Packt eBooks are a complete electronic version of the print edition, available in PDF and EPUB formats. Every piece of content, down to the page numbering, is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply log in to your account and click on the link in Your Download Area. We recommend saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.