
The devil is not as black as he is painted, or how I passed the CISSP exam

CISSP (Certified Information Systems Security Professional) is regarded as the "gold standard" in the security industry and has long been among the top IT certifications.

Difficulty of the certification


The entry requirements for certification are quite high, which is probably why it scares many people off: at least 5 years of proven security experience in at least 2 of the 8 domains covered by CISSP (more on the domains below).

The exam is genuinely difficult. Before it I held 12 Microsoft certifications, none of which came close in complexity or in the breadth of knowledge required. CISSP demands broad security knowledge, from physical asset protection to enterprise-level security management.

All these difficulties translate into the quality and value of the certification itself.

Here such certificates are still viewed with some reservation, whereas abroad they are often a prerequisite for a senior technical position. Possibly the service model of doing business has spoiled the attitude toward certification as continuous growth: new functional features are often preferred over non-functional system attributes, security included.

What certification gives


Of my 15 years in IT, about 7-8 have been closely tied to security (designing highly secure architectures, web security analysis, manual penetration testing, developing my own IDS (intrusion detection system), security management of live systems, consulting). And every time security comes up, salespeople and customers ask the same question: "how can you prove your experience?" So the first thing certification gave me is evidence of security expertise.

Surprisingly, the attitude to certificates in the Western world (in England in particular) is completely different. There they believe in their power, and it was striking how developers and managers immediately started asking pointed questions or talking about their own familiarity with this certification. Salespeople now, whether it is relevant or not, will always mention that the company has a certified CISSP specialist. In other words, the certification itself has become part of the marketing.

Speaking about security in general: knowing isolated technical details is not enough; modern conditions require knowing how to manage security itself. Risk assessment and management, threat modeling, multi-layered protection, security standards and frameworks, Business Continuity and Disaster Recovery plans, data classification levels, all of which turn into numerous policies, guidelines, procedures and so on. Under GDPR (General Data Protection Regulation), for example, if you cannot document that you comply with a requirement, it does not matter how well your system is built: you don't comply. I was already familiar with all of this, but CISSP helped me structure my knowledge of the standards and their requirements.

Another important point: preparing for the exam itself lets you refresh knowledge that is not needed every day and gets forgotten. Who can immediately recall which symmetric encryption mode is best in which case: ECB, CBC, CFB, OFB or CTR? Or the difference between HMAC, CBC-MAC and SMAC for ensuring message integrity? That is what I mean. The main thing is not even to memorize it (although the exam will require that), but to know afterwards where to look in order to make the right decision. "Recalling" well-forgotten knowledge is useful from time to time.
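The modes and MACs listed above are exactly the kind of knowledge that fades. As an added example (mine, not code from the original post), the Python script below shows the practical reason the choice matters: ECB leaks repeated plaintext blocks while CTR does not, and HMAC (Python's standard hmac module, used in an encrypt-then-MAC layout) lets the receiver reject a tampered message before decrypting it. The block cipher is a stand-in: toy_block_encrypt is a SHA-256-based keyed function that only imitates a block cipher's per-block determinism (an assumption, not a real cipher, and not invertible); the keys, nonce and plaintext are constructed values. CBC-MAC is not shown.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES

# Constructed sample key material and nonce (assumption: fixed values so the
# output is reproducible; real systems use random keys and never reuse a nonce).
ENC_KEY = b"\x01" * 16
MAC_KEY = b"\x02" * 16
NONCE = b"\x00" * 8


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a real block cipher such as AES.

    Assumption: a keyed pseudo-random function built from SHA-256. It is NOT a
    real cipher (it is not even invertible), but it is deterministic per
    (key, block), which is all that is needed to show how ECB and CTR behave.
    """
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks and the structure of the data leaks."""
    assert len(plaintext) % BLOCK == 0, "ECB needs whole blocks (no padding here)"
    return b"".join(
        toy_block_encrypt(key, plaintext[i:i + BLOCK])
        for i in range(0, len(plaintext), BLOCK)
    )


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt (nonce || counter) to get keystream, XOR it with the data.
    The same call encrypts and decrypts, and no padding is needed."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(8, "big")
        keystream = toy_block_encrypt(key, counter_block)
        chunk = data[i:i + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, keystream))  # zip trims the last block
    return bytes(out)


def distinct_blocks(ciphertext: bytes) -> int:
    """Number of distinct ciphertext blocks: 1 under ECB for a repeated input."""
    return len({ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)})


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: CTR ciphertext, then HMAC-SHA256 over nonce || ciphertext."""
    body = nonce + ctr_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the HMAC in constant time before touching the ciphertext.
    Returns the plaintext, or None if the tag does not match."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    nonce, ciphertext = body[:8], body[8:]
    return ctr_crypt(enc_key, nonce, ciphertext)


def tamper(blob: bytes, index: int = 8) -> bytes:
    """Flip one bit of a ciphertext byte (by default the first byte after the nonce)."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    # Constructed plaintext: the same 16-byte block repeated four times.
    pt = b"ATTACK AT DAWN!!" * 4
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(ENC_KEY, pt)))      # 1: pattern leaks
    print("CTR distinct blocks:", distinct_blocks(ctr_crypt(ENC_KEY, NONCE, pt)))  # 4
    blob = seal(ENC_KEY, MAC_KEY, NONCE, pt)
    print("intact   :", open_sealed(ENC_KEY, MAC_KEY, blob) == pt)   # True
    print("tampered :", open_sealed(ENC_KEY, MAC_KEY, tamper(blob)))  # None
```

The point to take from it: a deterministic mode (ECB) reveals which blocks are equal, a counter mode hides that but offers no integrity on its own, and a MAC checked with a constant-time comparison before decryption is what turns "encrypted" into "encrypted and untampered".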

Domains


As mentioned above, CISSP covers 8 security domains.

Domain #1. Security and Risk Management: security standards and frameworks (ISO/IEC 27000, ITIL, SABSA, COBIT, NIST, ...), regulations and acts (GDPR, PCI DSS, HIPAA, Patriot Act, ...), confidentiality, risk management frameworks (ISO 31000, COSO, NIST). In short, everything related to international security practices and standards.

Domain #2. Asset Security: data classification, the data life cycle, levels of responsibility in the organization, data retention policies, data protection and deletion strategies.

Domain #3. Security Engineering: cryptography, key management systems, operating system protection mechanisms, data access models, physical protection of buildings.

Domain #4. Communication and Network Security: network topologies and standards, network protection, channel protection, network threats and attacks, communications security management.

Domain #5. Identity and Access Management: physical and logical access control, access systems and their management, biometric access, attacks on access systems, intrusion detection and prevention systems.

Domain #6. Security Assessment and Testing: methods of security analysis, penetration testing, vulnerabilities, data backups, business recovery under unforeseen circumstances, organization of reporting.

Domain #7. Security Operations: security incident investigation, physical protection management, incident management systems, change management, business recovery strategy in case of incidents.

Domain #8. Software Development Security: security practices embedded in the development process, change and configuration management, repository protection. This domain was the easiest for me; I once developed my own SDLC for the service business of several companies.

As you can see, the certification covers a very broad area of security and is largely about management, costing, processes and security standards.

Exam experience


Now a little about the steps of taking the exam itself:

1. Find an existing CISSP holder to confirm your experience and qualifications
Before taking the exam you need an endorsement from an existing CISSP-certified specialist who is willing to vouch for your experience. If it is hard to find one, you can request it from (ISC)².

2. Buy the exam online from Pearson VUE
The nearest accredited centers for taking CISSP are in Moscow, Vilnius and Kiev. I chose Moscow.

3. Exam preparation
My main source was the CISSP All-in-One Exam Guide, Seventh Edition. Do not delude yourself that after reading it you can pass the exam:


What is good about this source:


A couple of recommendations:


4. Taking the exam
I arrived in Moscow the day before the exam. The Warsaw Hotel is in the same building where the exam is held. From arrival until late at night I drilled a list of questions. I don't know whether to recommend sleeping or not; that is a purely personal matter.

In the test center everything is solemn and serious: fingerprints are taken, pockets are searched, video is recorded. Better not to refuse the earplugs; other people will be taking their exams next to you. The exam allots 6 hours for 250 questions, that is, less than 2 minutes per question. So it is better not to leave questions unanswered; you may not have time to come back to them. Rely on your experience and intuition. You can flag the questions you are not completely sure about.

A peculiarity of the exam: in the offered list of answers all of them may be correct, but you must choose the most suitable one. So the method of elimination ("from the reverse") will not always work. The most important asset is always human life, so as soon as you see it among the answers, choose it.

I finished in five and a half hours. I tried to go back over the answers I was not completely sure about, but changed almost nothing.

The result is given immediately: passed or not. You need to answer at least 75% of the questions correctly. If you passed, you are not even told the percentage of correct answers.

At that moment the congratulations on passing meant absolutely nothing to me; emotional and intellectual exhaustion took their toll. I wanted to rejoice, and couldn't. But the realization came with time.

5. CISSP certification
Passing the exam is only half the way. Then you need to confirm your experience: at least five years in at least two domains. Moreover, it must be documented: you have to provide copies of contracts or employment records in which the position is indicated.

For the last 7 years I have worked as Chief Technical Officer. In a separate document I described all 8 domains in detail, listing my experience in each in order of strength. That document was attached together with the other scans to the application form. On the form itself I briefly summarized my whole experience.

The first confirmation of experience must come from the CISSP holder from step #1. Then the (ISC)² committee re-checks the information provided and decides whether you are worthy of the CISSP title; this takes up to 6 weeks.

I passed the exam on December 12, 2017, and only on February 13, 2018 did the committee confirm the certification.

6. Keeping the CISSP certificate active
And once again, getting certified is still not enough: it must be kept in active status. Each year you need to submit a certain number of Continuing Professional Education (CPE) credits, and maintaining the certificate itself costs about 85 USD per year.

Conclusion



Denis Koloshko

Source: https://habr.com/ru/post/358726/
