You're reading from Certified Information Systems Security Professional (CISSP) Exam Guide Become a certified CISSP professional with practical exam-oriented knowledge of all eight domains

Product type Paperback

Published in Sep 2024

Publisher Packt

ISBN-13 9781800567610

Length 526 pages

Edition 1st Edition

Tools

Kali Linux

Concepts

Cryptography

Authors (3):

Ted Jordan

Ric Daza

Hinne Hettema

View More author details

Table of Contents (28) Chapters

Preface

1. Intro I: Becoming a CISSP FREE CHAPTER

2. Intro II: Pre-Assessment Test

3. Chapter 1: Ethics, Security Concepts, and Governance Principles

4. Chapter 2: Compliance, Regulation, and Investigations

5. Chapter 3: Security Policies and Business Continuity

6. Chapter 4: Risk Management, Threat Modeling, SCRM, and SETA

7. Chapter 5: Asset and Privacy Protection

8. Chapter 6: Information and Asset Handling

9. Chapter 7: Secure Design Principles and Controls

10. Chapter 8: Architecture Vulnerabilities and Cryptography

11. Chapter 9: Facilities and Physical Security

12. Chapter 10: Network Architecture Security

13. Chapter 11: Securing Communication Channels

14. Chapter 12: Identity, Access Management, and Federation

15. Chapter 13: Identity Management Implementation

16. Chapter 14: Designing and Conducting Security Assessments

17. Chapter 15: Designing and Conducting Security Testing

18. Chapter 16: Planning for Security Operations

19. Chapter 17: Security Operations

20. Chapter 18: Disaster Recovery

21. Chapter 19: Business Continuity, Personnel, and Physical Security

22. Chapter 20: Software Development Life Cycle Security

23. Chapter 21: Software Development Security Controls

24. Chapter 22: Securing Software Development

25. Chapter 23: Secure Coding Guidelines, Third-Party Software, and Databases

26. Chapter 24: Accessing the Online Practice Resources

27. Other Books You May Enjoy

CISSP Exam Overview

The CISSP exam outline is the most important tool when preparing for the certification. It is no exaggeration to say it is the roadmap of the test. This section will explain why it is so important to know it well. First and foremost, it is what ISC2 uses to build the test questions. The certification industry (organizations such as ISC2, ISACA, SANS, and CompTIA) calls exam questions items. The process of building test questions is called item writing, which for the CISSP exam and ISC2 is done by volunteer CISSPs in an item writing workshop.

If you search the web for item writing, you’ll find many first-hand accounts from volunteers about their experiences of participating in an item writing workshop. There are some excellent ones on ISC2 where volunteers share their workshop experiences and details about the item writing process: https://packt.link/SvggM. ISC2 works very hard to protect the confidentiality and efficacy of their item bank (their database of exam questions). So, don’t waste your time trying to find or use brain-dumps or allegedly real questions (most likely fake).

Your study time is much better spent understanding the material covered in the exam outline and how ISC2 uses it to build items. The exam outline is the product of another kind of volunteer workshop, known as a JTA. In this workshop, the volunteer CISSPs review the current outline and update it to more accurately reflect the knowledge and skills a CISSP should have today and over the next three-year cycle. Once this crucial step is complete, the existing items in the bank must be mapped to the new outline. This is also done by volunteer CISSPs in a workshop called an item mapping workshop.

The item mapping process is important for two reasons. First, categorizing items into the appropriate part of the outline is necessary to build every test with an exact balance of items from the appropriate part of the outline, as determined by the JTA. The weighting of the outline will be discussed in detail later. Second, item mapping is necessary to determine where and how big the holes are in the item bank. These holes are then assigned to subsequent item writing workshops to be filled with new items based on the new exam outline. See https://packt.link/IqXal to view the outline.

This aspect will be of particular interest to you as you prepare for the CISSP exam. Each item must map to a specific topic in the exam outline. No surprise items on topics not covered by the exam outline are allowed. So, the exam items are fixed by the exam outline—this is an unbreakable rule. That being said, the outline is divided into eight domains or areas of knowledge, which you will soon see can be quite broad.

Domains

A domain is a broad collection of related information. In this section, you will become more familiar with the exam outline. The top level of the outline represents the eight domains. The second level represents the subject areas within the domain that CISSP candidates need to be familiar with related to that domain. Many second-level subject areas have a third level to further clarify the knowledge that is to be tested in the exam at the level above it. Any concept under the umbrella of a domain is fair game as a potential exam item.

It is no coincidence that this book is laid out exactly like the CISSP exam’s outline, as that is the information you need to know. Each domain in the exam outline will be covered by one or more chapters in this book. The goal is to introduce and explain each concept in the exam outline. Not only do you need to memorize this, but you also need to understand it as the exam tests your ability to correctly apply concepts to solve situations. It is not possible to capture every bit of potential information contained within a domain. This book will at least introduce every concept in the outline and delve deeper into those areas that are understood to have a high probability of showing up on your test.

CISSP CAT Examination Weightage

As mentioned earlier, each domain in the exam outline has a weight assigned. This means the Pearson VUE testing software must build your test with the exact percentage weights that are prescribed in the exam outline. So, if your test has 100 scored items, 16% or 16 items will be about concepts in Domain 1, Security and Risk Management.

While all ISC2 exam outlines provide domain-level weights, the CISSP exam outline provides weights for both linear testing and CAT. See https://packt.link/UCB05 for more information. The following table shows the domain level (the top level) of the exam outline, along with its corresponding weights:

Domain	Weight
1. Security and Risk Management	16%
2. Asset Security	10%
3. Security Architecture and Engineering	13%
4. Communication and Network Security	13%
5. Identity and Access Management (IAM)	13%
6. Security Assessment and Testing	12%
7. Security Operations	13%
8. Software Development Security	10%

Table 1.1: CISSP CAT examination weights

The weights are the same for both versions (linear testing and CAT) of the test. ISC2 publishes item weight information for both linear testing and CAT in case you plan on taking a non-English version of the CISSP exam. All ISC2 exams besides the English CISSP exam are linear. See https://packt.link/oNM7u for the other languages available. While the domain weights are fairly evenly balanced, they do have a little difference among them. This may help you budget your time and help you decide where you want to focus your study efforts. This information, combined with the pre-assessment test in the next chapter, can provide insights into where and how to focus your time.

CISSP CAT Examination Information

In 2017, ISC2 began using CAT for all English CISSP exams worldwide. This version of the test covers the same material from the exam outline as the traditional test (linear testing). According to ISC2, “CISSP CAT is a more precise and efficient evaluation of your competency” (https://packt.link/TxPI2). Translation—it is a little less painful. If you know the material, the CAT exam can determine that in fewer items. You go from the linear test, which is 6 hours long and contains 250 items, to a 3-hour test with potentially as few as 100 items in the CAT exam.

Overall, the CAT exam is much nicer than the linear version. That being said, there are a few things about the CAT exam you should know so that you are not surprised. First, the CAT scoring algorithm is much more efficient. This means that you never really know when the test is going to end.

You know the absolute minimum (100 items) and the absolute maximum (3 hours), although it is unlikely that you will finish at either of those two extremes. The test ends as soon as the algorithm is confident you either know your stuff or you don’t. If you don’t know your stuff, the algorithm will not just let you run down the clock while exposing more items to you if it already knows you are not going to pass.