Hi, Habr readers!

Recently I passed one of the top certifications in information security: Certified Information Systems Security Professional, or CISSP for short. While preparing, I collected bits of useful information about the certification and the exam from colleagues and from various forums and websites. "Someone might find this useful!" I thought while tidying up my desktop, and took my finger off the Delete key.
Below the cut I will describe my preparation experience and share the tips and techniques I tested on myself. I hope this material helps you understand what CISSP is and whether it is worth taking, and saves you valuable time during preparation.
What is CISSP?
Certified Information Systems Security Professional is a vendor-independent information security certification from the non-profit International Information Systems Security Certification Consortium, better known as (ISC)². The certification appeared back in 1991, and at the moment about 70,000 specialists hold an active CISSP.
CISSP certification is primarily intended for consultants, auditors, architects, analysts and information security (IS) managers.
CISSP is among the highest certifications in information security. Of the vendor-independent certifications popular in Russia, CISSP is on a par with CISA (information systems auditor, including information security auditor), CISM (information security manager) and CEH (theoretical foundations of ethical hacking). In my opinion, the last two are somewhat easier to pass.
The certification covers 10 topics (domains):
• Access Control
• Telecommunications and Network Security
• Information Security Governance and Risk Management
• Software Development Security
• Cryptography
• Security Architecture and Design
• Operations Security
• Business Continuity and Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environmental) Security
CISSP certification is said to be 20 miles wide and an inch deep. It is hard to put it better. You do not need to understand each topic deeply, but your knowledge must cover all 10 domains in an even layer, without gaps.
To obtain the CISSP title, you must pass a six-hour written exam of 250 questions across the 10 domains, sign the (ISC)² Code of Ethics agreement, and confirm at least five years of experience in at least 2 of the 10 domains, endorsed by a specialist with a valid CISSP certificate.
Why take it?
I would single out the following main reasons:

• Knowledge. Many have probably heard the indignant argument that nobody needs all these certifications, that they have nothing to do with real knowledge, and so on. It seems to me this is the opinion of people who either never attempted the certification in question or did not get what they needed from it. It would be naive to believe that a certificate equals knowledge, or that a piece of paper can replace real experience. However, nothing organizes knowledge and reveals gaps like preparing for a certification. This applies to vendor certifications, and doubly to "conceptual" certifications like CISSP. For me this was the main motivation, and I am satisfied with the result.
• Employment. Without a doubt, a venerable certification looks good on a resume, but I would not get too excited here. The absolute majority of employers in Russia have never heard of CISSP, and if a company is mature enough in this matter, it will primarily be interested in the real knowledge and experience behind the certification. The exception is system integrators, who constantly have to prove their experience to customers by presenting lists of completed projects and the certificates of their employees.
• Professional pride. Recognition by the professional community and colleagues. Or, more simply, ego. The military has medals, athletes get black belts and candidate master of sports titles, McDonald's hangs the employee of the month on the wall. I think there is nothing wrong with healthy ambition.
A thousand reasons not to take it
The Internet is full of heated battles about whether CISSP certification is necessary and sufficient. They will have plenty of time to bore you while you prepare for the exam. You open a forum thread discussing the Operations Security domain and find that 80% of the comments are arguments on this very topic. If it is customary abroad to get the certificate and then show off a photo of burning it, then "haven't read it, but condemn it" is the more popular position among our compatriots.
To make a decision, you need to know all the opinions, so here are a couple of links:
An article with a classic holy war in the comments:
www.infosecisland.com/blogview/22257-Your-CISSP-is-Worthless-So-Now-What.html
An ancient article by Alexei Lukatsky, the current icon of domestic "paper" information security, which still ranks at the top of search results:
www.pcweek.ru/infrastructure/article/detail.php?ID=65988
A presentation "Why You Shouldn't Get CISSP" (thanks to jekap for the tip):
attrition.org/security/conferences/why_you_should_not_get_a_CISSP-public.pdf
Exam and Confirmation
Below I will describe my experience of taking the exam, but first the dry facts:
The exam consists of 250 questions across all domains. You get 6 hours without breaks, which works out to an average of 1.5 minutes per question. Stepping out to rest, drink water or go to the toilet is only at the expense of your own time. By the end you are exhausted from stress and strain and your speed drops, so you really need to spend no more than a minute per question.
Every question has 4 possible answers, from which you must choose the best one. That one word holds all the salt and all the difficulty of the CISSP exam. Questions that test a single unambiguous fact are a minority. Almost all questions have several correct answers, and you need to choose the best one in terms of the methodologies and best practices that make up the course (and there are hundreds of them). Common sense, of course, still applies.
Previously, the exam was taken on paper and held 2-3 times a year. Since last year, however, it is taken on a computer at any time when there is a free slot in a test center. Older CISSPs grumble that the certification is not what it used to be. Yes, the feeling of a special solemn ritual is gone, but it is much more comfortable to take it on a familiar computer, and in my opinion this really saves time during the exam. Previously you had to transfer answers from the draft and carefully fill in the squares next to the answers. Now that is gone, which I think gives you an extra 40 minutes. However, the questions have not become easier, and new topics are added to the course every year, so it certainly will not be easy.
Passing the exam is not enough; you still have to confirm five years of experience in at least 2 of the 10 domains. This discourages many young specialists and people who previously worked in other fields. However, there are a couple of features that bring the certification closer. A higher education degree in information security counts as one year of experience. If you do not have such a degree, a year of experience can be earned by obtaining one certification from this list. Mostly it contains exotic things, but CCSP / CCNP Security may well be yours if you have worked with Cisco. And the CompTIA Security+ exam can be passed right during preparation for CISSP, because it covers roughly the same material, only 10 times easier. CISM and CISA are in the list too, but if you have them, your experience is most likely fine.
Your experience must be endorsed by a current CISSP. If you cannot find one, (ISC)² will find one for you.
Preparation
How I studied:
When I was just thinking about preparing for CISSP, I came across Dmitry Orlov's blog, where he posted a complete (well, almost) Russian translation of the 5th edition of Shon Harris's book "CISSP All-In-One Exam Guide". This work is truly titanic and done at the highest level: excellent Russian, attention to terms and formatting. Reading it is a pleasure. Hats off to Dmitry.

However, my goal was the certification, and I think it is almost impossible to pass the English exam after reading a Russian textbook. Therefore I slowly read the Russian version before starting preparation, trying to grasp the general essence.
Searching Amazon for CISSP turns up a lot of textbooks, question collections, etc. But the main textbooks are the official (ISC)² guide and the book by that same Shon Harris (yes, Shon is a woman, see the photo on the right). New editions of both were due at the end of 2012. I waited for that moment, and in February, a week after ordering on Amazon, both books were on my desk. Two heavy bricks of 1500 pages each hinted that it was time to get down to business.
And here I made my main mistake. Ignoring the advice of colleagues on the forums, I decided that since I had already read the previous edition of Shon Harris's book in Russian, the Official (ISC)² Guide would probably cover the exam material more fully, so I chose it as my main textbook. That was great nonsense. The Official (ISC)² Guide is not just less understandable than Harris's book. It is written simply awfully. The material is inconvenient, confusing and illogical. The chapters have no numbering, and the heading style changes arbitrarily through the book, so it is unclear what is nested in what. There are confused and repeated paragraphs. There are spelling mistakes even in chapter (domain) titles! Traditionally, the description of the RADIUS protocol in all information security books is somehow very crooked, but here all records were broken. On the forums it was suggested that the English and terminology of the Official (ISC)² Guide are closer to the exam, but this seems doubtful to me (different people prepare the exam and the book). I would recommend not spending money on this book at all, even as a second source of information.
I booked the exam for June 4th, so I had 3 months to study. Had I not read the Russian version of the textbook beforehand, I would not have had enough time. I recommend making a study plan in advance; it lets you notice that you are lagging much earlier. If you study 2-3 hours on weekdays and 6-8 hours on weekends, you can cover one domain per week. Then, at the end, everything needs to be reviewed and as many practice questions as possible solved. I had no opportunity to study at work, and on weekends there was always something to do, so I fell behind schedule almost immediately. As a result, in May I took vacation days between the holidays, and by the end of the month I had to turn into a recluse.
Many people fail this exam the first time precisely because they mistakenly believe you can read a textbook and go take it. With that approach there is practically no chance of passing: by the end of the book the first domains have completely evaporated from memory. So I decided to write notes in English, then review them at the end and solve questions. In the notes I wrote only what I did not know or was afraid to forget. It came to one and a half 80-sheet notebooks in small handwriting. The point is that the CISSP textbooks themselves already read like condensed notes. If Shon Harris occasionally indulges in lyrical digressions and real-life examples, the Official (ISC)² Guide simply fires facts like a machine gun.
In addition to these books, the following sources of information are popular:
www.logicalsecurity.com/education/education_cbt.html - video courses from Shon Harris. I never understood how people prepare for a certification through video courses: a lot of time is spent, but the depth is still insufficient and you will have to read the book anyway. Still, the courses are always popular; perhaps this format will suit you.
www.amazon.com/CISSP-CAP-Prep-Guide-Platinum/dp/0470007923 - many praise Ronald Krutz's CISSP books. I had no opportunity to evaluate them. This book is often cited as an alternative to Shon Harris's textbook, since Shon is a big fan of lyrical digressions and childish humor, which infuriates some.
www.amazon.com/CISSP-Study-Guide-Second-Edition/dp/1597499617 - Eric Conrad's book is short and to the point. A prepared reader can use it for study, referring to other guides for additional details. Thanks to bugaga0112358 for the recommendation.
Solving questions
Solving as many questions as possible across all 10 domains is incredibly important in preparation. It lets you identify weaknesses, which will certainly remain even after the most careful study of the book, and get used to the exam format.
There are questions in the textbooks after each domain, plus Shon Harris's book comes with a disc of 1,400 questions. The downside of textbook questions for any certification is that they test knowledge of the chapter you have just read, not "as in the exam". Those who have taken Cisco exams will understand me.
Therefore I bought a six-month subscription to the practice questions at www.cccure.org for $40 and did not regret it. The question engine is convenient, if a little sluggish. It works well on a tablet or phone, so I solved questions exclusively lying on the sofa or basking in the spring sun on the balcony. Some of the questions on the site are free, so you can evaluate everything yourself before buying. The correct answer is explained in great detail, with large chunks of theory and external links.
Before the exam I solved a little over 1,700 questions across all domains (that is not much; I did not have time for more), which greatly stimulated my knowledge. Veterans recommend reaching 80% in each domain and only then considering yourself prepared. Believe me, it is not easy. I took a domain I thought I had studied well and got 60 percent and a mild shock. This is a good sobering experience that destroys the illusion that after reading the book once you know everything.
The whole Internet is full of messages that practice questions are all well and good, but the real exam questions are incomparably harder. I did not find it so. In my opinion, the questions at www.cccure.org are even somewhat harder than the exam questions. Also, the exam does not have the frankly idiotic questions found in all collections (in the style of "how much weight must the floor bear under each of the 4 legs of a class 3 fireproof cabinet according to the 1973 Brazilian classification").
Practice questions help you get used to the exam format, and this greatly saves time and nerves in the real "battle". Your eyes routinely scan the question text, your brain almost automatically discards wrong answers, as it has done a couple of thousand times before, you settle into working mode and click through question after question without being distracted by anything.
Here are a couple of sources of practice questions:
www.isc2.org/studiscope/default.aspx - questions from the authors of the exam. They are prohibitively expensive and there are very few of them. If you have spare money, you can buy them.
booksite.syngress.com/companion/conrad - free questions from Eric Conrad, author of a book and podcasts on CISSP preparation.
www.amazon.com/CISSP-Practice-Exams-Second-Edition/dp/0071792341 - the book by Shon Harris with additional practice questions.
Internet
As of September 3, 2013, 184 people here (out of 84,730 in total) held valid CISSP certificates. Belarus, Ukraine and Kazakhstan add another 1, 16 and 7 people respectively. Even combined, we have fewer CISSPs than, for example, Malaysia, Ireland, Poland or South Africa. Hence the conclusion: looking for sensible materials and information in Russian is not a good idea. It is better to go straight to English-language resources.
The materials are not particularly exotic, so almost everything can be googled. As someone aptly put it, "Google is my wife, and Wikipedia is my mistress." You can chat with colleagues, ask a question or read about exam experiences on the cccure.org forum or in thematic groups on LinkedIn (there are really strong communities there, many people who have already passed and help newcomers; even Shon Harris herself appears sometimes).
Useful resources
securhotel.blogspot.ru - Andrei Shishkin's blog, where he posts mind maps of the CISSP domains. In recent years everyone has gone crazy about mind maps, but I personally prefer good old notes.
www.securityhelp.ru/cissp/naiz.pdf, www.securityhelp.ru/cissp/Overley_Updated.pdf - "cheat sheets" for the course, convenient for reviewing material on public transport, for example.
securitycerts.org/review/cissp-acronyms.htm - a list of abbreviations for all domains. Useful when reviewing material.
In-person training

In the West, training in the Boot Camp format is very popular. We are not lagging behind either.
Offhand, preparation for taking the CISSP is offered by at least 2 training centers in Moscow: Microinform and Echelon. Microinform was the first in this field (earlier, when the exam was on paper, it was taken there), and Echelon had an interesting offer of training after work.
The advertising claims that the courses will prepare you for the exam in the best possible way. However, in-person training should not be overestimated. There is so much material that no course can deliver it all. To go there, you need to be partly prepared already, so you can ask questions and listen to the advice of experienced people.
My personal opinion: this training makes sense only if your company sends you. That is, as an alternative to sitting in the office it is effective, but in the same week of self-study at home you will learn 10 times more.
Booking the exam
The exam is booked through the Pearson VUE system (I paid $599). You must first register at www.isc2.org and get an ID.
I would recommend booking the exam at the very beginning of preparation in order to clearly mark for yourself the end point of this work. This helps you pull yourself together and start intensive preparation earlier. Otherwise preparation can drag on forever.
In Moscow at the moment you can take it in two testing centers (at the Academy of National Economy in the South-West and at the ACET center at Oktyabrskaya), and there are also centers in St. Petersburg and Kiev.
There are so few test centers because the requirements for them are high. I have never seen such security measures at any other exam.
My description of how I passed the exam turned out rather LiveJournal-style, not really, I think, appropriate for Habr. Those not interested in reading sentimental diary entries are invited to skip straight to the Tips section.
How I passed
Before the exam
Everyone advises not to study on the last day, but to rest and get a good night's sleep. As in, if you do not know it by now, it is too late to cry. The main thing is that the brain is rested for the exam.
This advice is not for me. I always review the material the evening before. All evening before the exam I reread my notes and repeated classifications.
In the afternoon I bought a small snack and water and went to the bookstore for a paper dictionary. The rules allow bringing a general dictionary to the exam (specialized ones are prohibited). The dictionary is checked to make sure it has no cheat sheets, and that it contains only word translations and no extended dictionary entries.
By the end of the day I realized that escaping the heat with cold juice was not a good idea: I got sick.
Exam day
The night before the exam my throat hurt like never before. I could not sleep from the pain until 4 in the morning. Then the painkiller and Coldrex won and I fell asleep. At 8 in the morning I woke up completely sick, had breakfast, drank Coldrex again and went to the exam full of dark thoughts. Nose drops and pills were added to the snack and water.
I took the exam at ACET at Oktyabrskaya. I had asked by phone in advance how to find them, and for a reason: the center is right next to the metro, but finding it on the first try is not so easy.
The center's employee turned out to be a very polite and pleasant elderly lady, who nevertheless carefully checked my pockets, took all my belongings and my watch, and checked 2 identity documents (this can be a Russian passport, international passport, driver's license or credit card; the main thing is that at least one has a photo). Only 1 document and the dictionary may be taken into the room. They would not even let me take the nose drops. Only a handkerchief.
You are given a "washable" notebook, markers for it and earplugs. The employee also gave me yellow construction ear muffs in case the noise in the hall was too disturbing and the earplugs did not help (there are several machines; people take various exams). In fact it was very quiet throughout the exam; nobody made any noise.
In the hall you sit under a camera that films you from above. Your passport must always be on the desk. To enter and exit the hall you put your hand on a scanner, which rules out swapping the candidate during a trip to the toilet, for example. By the way, the toilet is separate there too, so the candidate cannot leave the controlled area. There seemed to be no cameras in it :)
My plan was this: I answer questions for 3 hours, then between hours 3 and 4 take a 10-minute break (toilet, water, chocolate). And back into battle. Taking many breaks is rather silly: many people do not have enough time (1.5 minutes for each of the 250 puzzling questions is very little). Productivity drops rapidly towards the end, so in the first 3 hours you need to answer, I think, at least 150 questions.
I decided to avoid postponing questions for later, keeping that option for the most extreme case.
When I was still a student and took my first Cisco exam, the second question was a lab that was glitchy (almost all stories about Cisco exams start with "the lab was buggy"). I fiddled with it for a very long time and started to get really nervous when, after 25 minutes, I was still on the second question. Fortunately, I managed to catch up with the schedule then. On this exam, by contrast, the first questions helped me calm my nerves and get to work. The question format was very familiar after solving the practice tasks on cccure.org, and their difficulty seemed to me even lower.
For the next 3 hours I worked like a machine, fully focused on the exam. Periodically people entered and left the hall, but I hardly noticed them. My heart beat fast but steadily. Because of the adrenaline in my blood, it felt as if I had just drunk a can of energy drink. Apparently, due to the long strain of the last weeks of preparation, which culminated in this exam, I now felt some kind of unusual, fierce determination. Even if I did not know the answer, I quickly and without hesitation chose the best answer in my opinion and moved on.
As a result, after 3 hours I had gone through over 200 questions, well ahead of plan. But my nerves already smelled of burnt contacts. I decided to slow down and calmly reach the end of the exam. Then the illness took its toll. My head ached and my temperature rose. Every next 10 questions came with great difficulty. My attention dissipated. At some point it even became hard for me to read the dictionary. The lines scattered and the white pages began to swim in different colors. My muscles ached; even sitting was very hard.
I realized that if I took a break and went out, it would be very difficult to come back. So I reached the end of the exam, slowly answering the last questions.
Tips
I decided to write down some tips for taking the exam that I find useful.
1. Learn "with a reserve". The story above should illustrate this point. You may get sick, get nervous at the exam, or be distracted by something in the test center (noise, people, etc.). Besides, exam questions are updated more often than textbooks, so a certain percentage of questions will not be covered in the textbook at all.
2. Questions, especially long ones with a lot of information, are better read from the end: first the question itself, then the data. Otherwise you can wade through an A4 page of text with a bunch of details and figures only to find at the end that the question is purely methodological and all the information above is completely unnecessary. And valuable time is gone.
3. Doubtful questions can be flagged to return to at the end. My advice: always put the most likely answer right away. There may be no time to return, by the sixth hour you are hardly any wiser, and intuition helps a lot in many methodological questions.
4. There are quite a few questions you can answer immediately, in the style of "What is the length of an MD5 hash?" or "What is the name of the logical division of a local network into broadcast domains at the switch level?" About 10 percent, no more. They should take 5 seconds. For most questions, where 2-4 of the 4 answers are correct and you have to choose the best, you need to act the other way round and immediately strike out the incorrect answers mentally. It seems like obvious advice, but I can say from experience that after the third hour attention starts to dissipate and you catch yourself rereading the options you have already discarded over and over. You have to control yourself tightly. Crossed it out: it no longer exists for you.
5. Try to solve practice questions in advance with a timer to make sure there is no time for doubts and long thoughts. You stall on 1 question and as a result run out of time for 3 much easier ones. You must act decisively. If you do not know for sure, reread the question; there may be hints. Still do not know: intuition helps choose from the 2-3 most likely answers. There will be no time for long doubts and drawing in the notebook.
6. There are fundamental concepts that run like a red thread through all 10 domains. They should always be kept in mind. The main ones:
a. Human life and health are always the most valuable. No data or rules can be more important than human life (even the life of the offender).
b. A CISSP is not an engineer, admin or pentester. First of all, he is a manager who sets up a managed process approach to security in an organization and thinks in terms of cost of ownership, risks, asset values, legislation, etc. Remember this, and many questions become much easier to answer.
7. It is no accident that applicants for the CISSP title are required to have 5 years of work in the specialty. Real experience helps a lot. However, one must be careful: when taking the exam, always prefer the concept from the book over real experience. Judging by the holy wars on the forums over relatively simple questions from the course, warped real-world experience prevents many people from answering correctly. CISSP is taken to streamline knowledge and master key concepts. Instead of breaking spears in forum skirmishes, better think about why your experience differs from the concept and what you could improve in your work.
8. Previously the CISSP exam was criticized for questions very strongly focused on American law. When I saw in the practice questions something like "What is the essence of the Fourth Amendment to the Constitution from the point of view of information security?", I was quietly horrified. By my feeling, now 40 percent of candidates are specialists from India, Pakistan, etc. (as a rule, from the Big Four auditors). Therefore the exam has been well cleaned of American specifics. The rule follows from this: answers should be universal. If, for example, it is not stated that the country has a case law system, the answer should suit any common legal system.
9. Many questions are very convoluted (this is not Cisco or Microsoft). Double negatives ("how not to act in order to prevent...") and unnecessary information should not throw you off. Mentally reformulate the question more simply (for example, no + no = yes).
10. To pass the exam it is important to know English well, and not only technical English. However, gaps in language proficiency can be well compensated by reading CISSP textbooks and solving practice questions. It is very important to clearly understand the difference between the "keywords" and their usage: must, should, may, most, least, enough, etc.
11. Questions contain financial and management terms that may not be entirely clear to techies. I realized this during preparation and therefore actively consulted Google, as well as my mother (an accountant) and my girlfriend (a financial auditor), on questions related to the valuation of tangible and intangible assets, revenue, income, depreciation, inventory, etc. I learned a lot of new things.
12. (ISC)² has a Code of Ethics ((ISC)² Code Of Ethics). It is often ignored and simply signed like a regular agreement. This is a big mistake. The code must be known almost by heart (it is very short) and used as a basis in questions related to ethics and decision making.
13. Just as not all yogurts are equally healthy, not all domains are equally important. It is usually recommended to pay special attention to the following domains: Information Security and Risk Management, Access Control, Security Architecture, Telecommunication and Network Security, BCP and DRP. However, by my feeling, there were enough questions in all domains.
... & Tricks
Let's talk about cheaters.
Traditionally in Russia many exams are passed by "dumping", that is, memorizing answers to stolen exam questions. In the West the situation is slightly different (they have a better understanding of the need for personal professional growth, and you may even be fired if it comes out), but freeloaders are still a dime a dozen. All popular certifications (the same Cisco, Microsoft) can be passed without knowing anything at all. A friend of a friend passed a two-hour exam in 15 minutes because he had memorized the answers by the first letters of the questions; he did not even have to read them on the exam. The Americans requested the video from the training center, but he had no cheat sheets, so they had to issue the certificate. Such talent, if only put to peaceful use...
In this case you do not even have to buy the dumps: the stolen questions are stolen again from the sellers and spread across the Internet.
When CISSP was taken on paper all over the world at the same time, it was almost impossible to steal the questions in advance, because they were prepared anew for each exam. Now the situation has changed. The exam organizers understand that the weakest point is the training centers. Therefore the exam can be taken only in a very small number of test centers with increased security measures. Still, leaks will probably happen. I hope this does not discredit the certification in the future.
According to the forums, as of this summer there were no actual dumps in the public domain or on sale. At the same time there are lots of fake question collections made up of tasks from textbooks, ancient exams and other rubbish. I saw a touching comment under a dump of 215 questions: "Thank you very much, I passed with 1000 out of 1000! The dump is completely correct!" Considering that there are 250 questions in the exam (from a base of unknown size) and scores are not reported on success, it is hard to believe. And some naive person may waste money and an attempt.
Dumps, of course, can be used as a free source of practice questions of dubious quality, but this is completely contrary to the CISSP Code of Ethics. Decide for yourself.
Now about cheat sheets. It is probably possible to smuggle cribs into the exam, but using them will be very problematic. Test centers really watch this closely (unlike the centers that host "regular" exams). And there is not enough time. As one of my colleagues correctly noted, even having a computer with Internet access would not help at all in passing this exam. At the speed required to pass, only your brain can work.
I hope the above discourages any desire to step onto the slippery slope of deception. An honestly passed exam of this level will let you respect yourself a little more. And that is worth any effort.
After the exam
If you did not pass
People often do not pass the CISSP on the first try, and there is no point beating yourself up about it. As a rule, after the exam people understand for themselves why they failed. In addition, the problem domains are highlighted in the exam report. The first retake is possible after 30 days, then the intervals grow: the second after 90 days, the third after 180. If you have failed twice, you are doing something wrong. There are, of course, sad posts on the forums like "today I'm taking it for the 5th time; if I fail, I don't know whether life is worth living". Don't let them discourage you. Usually, after a failure, a person simply realizes that they did not study enough, buckles down to studying twice as hard, and passes the second time. Or gives up on the whole thing.

So you have passed
You are not yet a CISSP. You are a CISSP Associate. The rules strictly prohibit calling yourself a CISSP anywhere at this stage; the punishment is a lifetime ban from certification.

A couple of working days after the exam you will receive congratulations and a description of the many opportunities now open to you: participation in themed events and conferences, subscriptions to members-only publications, various services for "club members", and so on. The most interesting part, in the end, is how to actually obtain the long-awaited certificate.

More than once I have read coy remarks that the exam is only the first stage and that the real certification begins afterwards. I do not think that filling out a couple of forms deserves such solemnity.

You will need to write a resume in English with details of your experience broken down by domain (this is the main focus), education, other certifications and any publications you have. The second document is the Endorsement form. It must be signed by a current CISSP who confirms the information in your resume and, in general, that you are a decent and upstanding person. These documents may be verified further. For example, I was asked for a scan of my diploma (a degree in information security counts as one year of experience, and I was 3 months short of 5 years).

If you have not yet accumulated the required experience, you can remain a CISSP Associate until you have gained the missing year or two.

Maintaining certification

You do not need to retake the exam to maintain CISSP status. Instead, you must pay the Annual Maintenance Fee (AMF) and earn Continuing Professional Education (CPE) credits. The AMF is currently $85. CPEs are awarded for training in your specialty, attending conferences, reading professional literature, and so on. The most credits are given for speaking and teaching in the field of information security. You need to earn at least 120 CPEs over 3 years, with at least 20 CPEs in each year. At first glance this seems like a lot, but in practice, if you actually work in the profession, earning these credits is not that hard.
What's next?
Many people ask this question after passing the CISSP. There is no direct path "higher": in its class, this certification is recognized by most as the top one. So it makes sense to develop in the specializations that are relevant to you.

(ISC)² has several CISSP specializations (concentrations), but they are not very popular here in Russia.
If you are an auditor or a manager, take a look at the ISACA certifications. CISA and CISM are popular and well known in Russia. I have not heard of anyone taking the venerable CGEIT (Governance of Enterprise IT) or CRISC (Risk and Information Systems Control).
Certification in ISO 27000, PCI DSS, ITIL, COBIT and the like is quite popular among IS specialists (especially auditors). But if you work in those areas, I think you no longer need my advice.
In penetration testing, the CEH certification from EC-Council is popular. Few pentesters have resisted the temptation to flatter their ego by rolling over it with a steamroller of criticism. However, if CEH is taken as a kind of baseline and a collection of methodologies (journalists want sensational hacks and 0-days, but corporate clients primarily want predictable and reproducible testing), then it is not bad at all.
Vendor certification tracks are chosen by specialization. The most popular (not by chance, of course) information security certifications are those from Cisco and Microsoft. Any reasonably large vendor has its own certification.
Conclusion
The material turned out to be lengthy, but I think that anyone who has set out on the difficult path of preparing for the CISSP will find the time to read it and will save a lot of time in the end.
I wish you to pass on the first try. For that you need to learn from the right textbooks, not from your own mistakes. I hope this article will help a little.
I will be glad to answer questions and to supplement the article with your materials.
Andrey Yankin, CISSP