CISSP ebook

Contents

Dedication

Acknowledgments

About the Authors

Introduction

Assessment Test

Chapter 1: Access Control

Access Control Overview

Identification and Authentication Techniques

Access Control Techniques

Authorization Mechanisms

Identity and Access Provisioning Life Cycle

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 2: Access Control Attacks and Monitoring

Understanding Access Control Attacks

Preventing Access Control Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 3: Secure Network Architecture and Securing Network Components

OSI Model

Secure Network Components

Cabling, Wireless, Topology, and Communications Technology

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 4: Secure Communications and Network Attacks

Network and Protocol Security Mechanisms

Virtual Private Network

Remote Access Security Management

Network Address Translation

Switching Technologies

WAN Technologies

Virtualization

Miscellaneous Security Control Characteristics

Manage Email Security

Secure Voice Communications

Security Boundaries

Network Attacks and Countermeasures

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 5: Security Governance Concepts, Principles, and Policies

Security Management Planning

Security Governance

Security Roles and Responsibilities

Protection Mechanisms

Privacy Requirements Compliance

Control Frameworks: Planning to Plan

Security Management Concepts and Principles

Develop and Implement Security Policy

Change Control/Management

Data Classification

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 6: Risk and Personnel Management

Manage Third-Party Governance

Risk Management

Manage Personnel Security

Develop and Manage Security Education, Training, and Awareness

Manage the Security Function

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 7: Software Development Security

Application Issues

Databases and Data Warehousing

Data/Information Storage

Knowledge-Based Systems

Systems Development Controls

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 8: Malicious Code and Application Attacks

Malicious Code

Password Attacks

Application Attacks

Web Application Security

Reconnaissance Attacks

Masquerading Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 9: Cryptography and Symmetric Key Algorithms

Historical Milestones in Cryptography

Cryptographic Basics

Modern Cryptography

Symmetric Cryptography

Cryptographic Life Cycle

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 10: PKI and Cryptographic Applications

Asymmetric Cryptography

Hash Functions

Digital Signatures

Public Key Infrastructure

Asymmetric Key Management

Applied Cryptography

Cryptographic Attacks

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 11: Principles of Security Models, Design, and Capabilities

Understand the Fundamental Concepts of Security Models

Objects and Subjects

Understand the Components of Information Systems Security Evaluation Models

Understand Security Capabilities Of Information Systems

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 12: Security Architecture Vulnerabilities, Threats, and Countermeasures

Computer Architecture

Avoiding Single Points of Failure

Distributed Architecture

Security Protection Mechanisms

Common Flaws and Security Issues

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 13: Security Operations

Security Operations Concepts

Resource Protection

Patch and Vulnerability Management

Change and Configuration Management

Security Audits and Reviews

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 14: Incident Management

Managing Incident Response

Implement Preventive Measures Against Attacks

Understand System Resilience and Fault Tolerance

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 15: Business Continuity Planning

Planning for Business Continuity

Project Scope and Planning

Business Impact Assessment

Continuity Planning

BCP Documentation

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 16: Disaster Recovery Planning

The Nature of Disaster

Recovery Strategy

Recovery Plan Development

Training and Documentation

Testing and Maintenance

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 17: Laws, Regulations, and Compliance

Categories of Laws

Laws

Compliance

Contracting and Procurement

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 18: Incidents and Ethics

Investigations

Major Categories of Computer Crime

Incident Handling

Ethics

Summary

Exam Essentials

Written Lab

Review Questions

Chapter 19: Physical Security Requirements

Site and Facility Design Considerations

Forms of Physical Access Controls

Technical Controls

Environment and Life Safety

Equipment Failure

Privacy Responsibilities and Legal Requirements

Summary

Exam Essentials

Written Lab

Review Questions

Appendix A: Answers to Review Questions

Appendix B: Answers to Written Labs

Appendix C: About the Additional Study Tools

Index

Free Online Study Tools

Senior Acquisitions Editor: Jeff Kellum

Development Editor: Stef Jones

Technical Editors: David Seidl and Debbie Dahlin

Production Editor: Dassi Zeidel

Copy Editors: Judy Flynn and Liz Welch

Editorial Manager: Pete Gaughan

Production Manager: Tim Tate

Vice President and Executive Group Publisher: Richard Swadley

Vice President and Publisher: Neil Edde

Media Project Manager 1: Laura Moss-Hollister

Media Associate Producer: Josh Frank

Media Quality Assurance: Marilyn Hummel

Book Designer: Judy Fung

Proofreader: Josh Chase, Word One New York

Indexer: Ted Laux

Project Coordinator, Cover: Katherine Crocker

Cover Designer: Ryan Sneed

Copyright © 2012 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-118-31417-3

ISBN: 978-1-118-46389-5 (ebk.)

ISBN: 978-1-118-33210-8 (ebk.)

ISBN: 978-1-118-33539-0 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2012940018

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered trademark of the International Information Systems Security Certifications Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Dear Reader,

Thank you for choosing CISSP: Certified Information Systems Security Professional Study Guide, Sixth Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected] If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde

Vice President and Publisher

Sybex, an Imprint of Wiley

To Cathy, whenever there is trouble, just remember “Some beach, somewhere. . .”

—James Michael Stewart

To Robert Riley, a credit to our profession who left us far too soon.

—Mike Chapple

To my wife: Thanks for sharing your life with me for the past 20 years. I look forward to 20 more.

—Darril Gibson

To Ed, we missed you on this one.

—Authors

Acknowledgments

I’d like to express my thanks to Sybex for continuing to support this project. Thanks to Mike Chapple for continuing to contribute to this project. Thanks to Darril Gibson for stepping up and taking over several chapters. Ed, we missed your input and perspective. Thanks also to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome. Extra thanks to the sixth edition developmental editor, Stef Jones, and technical editor, David Seidl, who performed amazing feats in guiding us to improve this book.

To my wonderful wife, Cathy: Our life together is getting more complicated and more wonderful every day. To my son, Xzavier Slayde, and daughter, Remington Annaliese: May you grow to be more than we could imagine; you’ve already outshined all our expectations. To my parents, Dave and Sue: Thanks for your love and consistent support. To Mark: No matter how much time has passed or how little we see each other, I have been and always will be your friend. And finally, as always, to Elvis—the world could use a little “Hunka Hunka Burnin’ Love!”

—James Michael Stewart

Special thanks go to the information security team at the University of Notre Dame who provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book.

I would like to thank the team at Wiley who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators. It would be remiss not to also thank Ed Tittel, our coauthor on the first five editions of this book, who was unable to participate in this revision. David Seidl, who joined the team as our technical editor, provided valuable insight as we brought this edition to press.

I’d also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press.

—Mike Chapple

Thanks to Ed Tittel for thinking of me when his schedule was too full to take on the update of this book. No one can fill Ed’s shoes, but I am grateful for the opportunity to contribute to this book in his place. Thanks to James Michael Stewart and Mike Chapple for the work they’ve done with this book in the past, and especially in this edition. I’m also grateful to Jeff Kellum at Wiley for inviting me into the project and to Carole Jelen, my agent at Waterside Productions, for getting all the pieces to fit together. Last, thanks to all the editing, graphics, and production work done by the team at Wiley.

—Darril Gibson

About the Authors

James Michael Stewart, CISSP, has been writing and training for more than 18 years, with a current focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on Windows security and ethical hacking/penetration testing. He is the author of several books and courseware sets on security certification, Microsoft topics, and network administration. More information about Michael can be found at his website: www.impactonline.com.

Mike Chapple, CISSP, PhD, is an IT professional with the University of Notre Dame. In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget’s SearchSecurity site and the author of several information security titles, including The GSEC Prep Guide from Wiley and Information Security Illuminated from Jones and Bartlett Publishers.

Darril Gibson, CISSP, is the CEO of Security Consulting and Training, LLC, and has authored or coauthored 25 books and served as the technical editor on many others. He has been a Microsoft Certified Trainer (MCT) since 1999 and holds a multitude of certifications. He regularly teaches classes on security and Microsoft topics as a traveling trainer and as an adjunct professor at ECPI University. Darril regularly blogs at blogs.GetCertifiedGetAhead.com.

CISSP: Certified Information Systems Security Professional Study Guide, 6th Edition

CISSP Common Body of Knowledge

KEY AREA OF KNOWLEDGE

CHAPTER

1. ACCESS CONTROL

A. Control access by applying the following concepts/methodology/techniques

1, 2

B. Understand access control attacks

2

C. Assess effectiveness of access controls

2

D. Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)

1

2. TELECOMMUNICATIONS AND NETWORK SECURITY

A. Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation)

B. Securing network components

3

C. Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN)

4

D. Understand network attacks (e.g., DDoS, spoofing)

4

3. INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT

A. Understand and align security function to goals, mission, and objectives of the organization

5

B. Understand and apply security governance

5

C. Understand and apply concepts of confidentiality, availability, and integrity

5

D. Develop and implement security policy

5

E. Manage the information life cycle (e.g., classification, categorization, and ownership)

5

F. Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)

6

G. Understand and apply risk management concepts

6

H. Manage personnel security

6

I. Develop and manage security education, training, and awareness

6

J. Manage the Security Function

6

4. SOFTWARE DEVELOPMENT SECURITY

A. Understand and apply security in the software development life cycle

7

B. Understand the environment and security controls

7, 8

C. Assess the effectiveness of software security

7

5. CRYPTOGRAPHY

A. Understand the application and use of cryptography

9

B. Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)

9

C. Understand encryption concepts

9, 10

D. Understand key management process

9, 10

E. Understand digital signatures

10

F. Understand non-repudiation

9, 10

G. Understand methods of cryptanalytic attacks

10

H. Use cryptography to maintain network security

10

I. Use cryptography to maintain application security

10

J. Understand Public Key Infrastructure (PKI)

10

K. Understand certificate related issues

10

L. Understand information hiding alternatives (e.g., steganography, watermarking)

10

6. SECURITY ARCHITECTURE & DESIGN

A. Understand the fundamental concepts of security models (e.g., Confidentiality; Integrity; and Multi-level Models

11

B. Understand the components of information systems security evaluation models

11

C. Understand security capabilities of information systems (e.g., memory protection; virtualization, trusted platform module)

11

D. Understand the vulnerabilities of security architectures

12

E. Understand software and system vulnerabilities and threats

7, 8, 12

F. Understand countermeasure principles (e.g., defense in depth)

12

7. SECURITY OPERATIONS

A. Understand security operations concepts

13

B. Employ resource protection

13

C. Manage incident response

14

D. Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, denial of service)

8, 14

E. Implement and support patch and vulnerability management

8, 13

F. Understand change and configuration management (e.g., versioning, baselining)

13

G. Understand system resilience and fault tolerance requirements

14

8. BUSINESS CONTINUITY & DISASTER RECOVERY

A. Understand business continuity requirements

15

B. Conduct business impact analysis

15

C. Develop a recovery strategy

16

D. Understand disaster recovery process

16

E. Exercise, assess and maintain the plan (e.g., version control, distribution)

15, 16

9. LEGAL, REGULATIONS, INVESTIGATIONS, AND COMPLIANCE

A. Understand legal issues that pertain to information security internationally

17, 18

B. Understand professional ethics

18

C. Understand and support investigations

18

D. Understand forensic procedures

18

E. Understand compliance requirements and procedures

17

F. Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)

17

10. PHYSICAL (ENVIRONMENTAL) SECURITY

A. Understand site and facility design considerations

19

B. Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)

19

C. Support the implementation and operation of internal security (e.g., escort requirements/visitor control, keys and locks)

19

D. Support the implementation and operation of operations or facility security (e.g., technology convergence)

19

E. Support the protection and securing of equipment

19

F. Understand personnel privacy and safety (e.g., duress, travel, monitoring)

19

Introduction

The CISSP: Certified Information Systems Security Professional Study Guide, Sixth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.

This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.

Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of experience (or four years if you have a college degree) in one of the 10 domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for it. For more information on (ISC)2, see the next section.

(ISC)2

The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2 organization. (ISC)2 is a global not-for-profit organization. It has four primary mission goals:

Maintain the Common Body of Knowledge (CBK) for the field of information systems security.

Provide certification for information systems security professionals and practitioners.

Conduct certification training and administer the certification exams.

Oversee the ongoing accreditation of qualified certification candidates through continued education.

The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners. You can obtain more information about (ISC)2 from its website at www.isc2.org.

CISSP and SSCP

(ISC)2 supports and provides two primary certifications: CISSP and SSCP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. The Certified Information Systems Security Professional credential is for security professionals responsible for designing and maintaining security infrastructure within an organization. The Systems Security Certified Practitioner (SSCP) is a credential for security professionals responsible for implementing or operating a security infrastructure in an organization.

The CISSP certification covers material from the 10 CBK domains:

Access Control

Telecommunications and Network Security

Information Security Governance and Risk Management

Software Development Security

Cryptography

Security Architecture and Design

Security Operations

Business Continuity and Disaster Recovery Planning

Legal, Regulations, Investigations and Compliance

Physical (Environmental) Security

The SSCP certification covers material from seven CBK domains:

Access Controls

Cryptography

Malicious Code and Activity

Monitoring and Analysis

Networks and Communications

Risk, Response, and Recovery

Security Operations and Administration

The content for the CISSP and SSCP domains overlap significantly, but the focus is different for each set of domains. The CISSP focuses on theory and design, whereas the SSCP focuses more on implementation and best practices. This book focuses only on the domains for the CISSP exam.

Prequalifications

(ISC)2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ experience or with four years’ experience and a recent IT or IS degree. Professional experience is defined as security work performed for salary or commission within one or more of the 10 CBK domains.

Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)2 wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)2 website at www.isc2.org.

(ISC)2 also offers an entry program known as an Associate of (ISC)2. This program allows someone without any or enough experience to qualify as a CISSP to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years’ of security experience. Only after providing proof of such experience, usually by means of endorsement and a resume, can the individual be awarded CISSP certification.

To sign up, visit the (ISC)2 website, and follow the instructions listed there for registering to take the CISSP exam. You’ll provide your contact information, payment details, and security-related professional experience. You’ll also select one of the available time and location settings for the exam. Once (ISC)2 approves your application to take the exam, you’ll receive a confirmation email with all the details you’ll need to find the testing center and take the exam. By the way, be sure to print out a copy of your confirmation letter with your assigned candidate ID number because this is the third form of proof required to enter the testing location (the first two forms are a picture ID and something with your signature on it).

Overview of the CISSP Exam

The CISSP exam consists of 250 questions, and you have 6 hours to complete it. The exam is still administered using a paper booklet and answer sheet. This means you’ll be using a pencil to fill in answer bubbles.

However, (ISC)2 just announced a new partnership with Pearson Vue. This partnership will allow the CISSP exam, and other (ISC)2 certification exams, to be taken at a Pearson Vue CBT (computer based testing) facility starting June 1, 2012. This change in testing venues will be implemented worldwide. For more details on this development, please visit www.isc2.org.

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you’ll need to be familiar with every domain in the CBK but not necessarily be a master of each domain.

You’ll need to register for the exam through the (ISC)2 website at www.isc2.org.

(ISC)2 has traditionally administered the exam under its own direct guidance and control. In most cases, the exams were held in large conference rooms at hotels. Existing CISSP holders were recruited to serve as proctors or administrators for these exams. However, with the upcoming change to offering CISSP as a computer-based test (CBT), the location-based test offerings may be eliminated or reduced (especially in areas where Pearson Vue locations are widely accessible). Once you are ready to schedule your exam, please check with (ISC)2 to see if you have the option of a CBT or a paper-based, location-based exam.

If you take a paper-based, location-based exam, be sure to arrive at the testing center around 8 a.m., and keep in mind that absolutely no one will be admitted into the exam after 8:30 a.m. Once all test takers are signed in and seated, the exam proctors will pass out the testing materials and read a few pages of instructions. This may take 30 minutes or more. Once that process is finished, the 6 hour window for taking the test will begin.

CISSP Exam Question Types

Every question on the CISSP exam is a four-option, multiple-choice question with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response. Here’s an example:

You must select the one correct or best answer and mark it on your answer sheet. In some cases, the correct answer will be very obvious to you. In other cases, several answers may seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you’ll need to select the least incorrect answer.

Advice on Taking the Exam

The CISSP exam consists of two key elements. First, you need to know the material from the 10 CBK domains. Second, you must have good test-taking skills. With 6 hours to complete a 250-question exam, you have just less than 90 seconds for each question. Thus, it is important to work quickly, without rushing but also without wasting time.

One key factor to remember is that guessing is better than not answering a question. If you don’t answer a question, you will not get any credit. But if you guess, you have at least a 25 percent chance of improving your score. Wrong answers are not counted against you. So, near the end of the sixth hour, be sure an answer is selected for every line on the answer sheet.

You can write on the test booklet, but nothing written on it will count for or against your score. Use the booklet to make notes and keep track of your progress. We recommend circling your selected answer in the question booklet before you mark it on your answer sheet.

To maximize your test-taking activities, here are some general guidelines:

Answer easy questions first.

Skip harder questions, and return to them later. Consider creating a column on the front cover of your testing booklet to keep track of skipped questions.

Eliminate wrong answers before selecting the correct one.

Watch for double negatives.

Be sure you understand what the question is asking.

Manage your time. You should try to complete about 50 questions per hour. This will leave you with about an hour to focus on skipped questions and double-check your work. Be very careful to mark your answers by the correct question number on the answer sheet.

If you’re attending a paper-based, location-based test, be sure to bring food and drink to the test site. You will not be allowed to leave to obtain sustenance. Your food and drink will be stored against one wall of the testing room. You can eat and drink at any time, but only against that wall. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. Wear a watch, but make sure it is not a programmable one. Bring pencils, a manual pencil sharpener, and an eraser. We also recommend bringing foam ear plugs, wearing comfortable clothes, and taking a light jacket with you (some testing locations are a bit chilly).

If you take your exam at a Pearson Vue center, you may be prohibited from using your own paper and pen/pencil because they usually provide a dry erase board and marker. Pearson Vue testing centers usually have a no food or drink policy, but with a potentially 6-hour exam, new accommodations will be required. Please be sure to contact your testing location and inquire about the procedures and limitations for food and drink.

If English is not your first language, you can register for one of several other language versions of the exam. Or, if you choose to use the English version of the exam, a translation dictionary is allowed. You must be able to prove that you need such a dictionary; this is usually accomplished with your birth certificate or your passport.

Study and Exam Preparation Tips

We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:

Take one or two evenings to read each chapter in this book and work through its review material.

Answer all the review questions and take the practice exams provided in the book and on the test engine. Complete the written labs from each chapter, and use the review questions for each chapter to help guide you to topics for which more study or time spent working through key concepts and strategies might be beneficial.

Review the (ISC)

2

’s study guide from

www.isc2.org

.

Use the flashcards included with the study tools to reinforce your understanding of concepts.

Completing the Certification Process

Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone who is a CISSP, or other (ISC)2 certification holder, in good standing and familiar with your work history to submit an endorsement form on your behalf. The endorsement form is accessible through the email notifying you of your achievement in passing the exam. The endorser must review your resume, ensure that you have sufficient experience in the 10 CISSP domains, and then submit the signed form to (ISC)2 via fax or post mail. You must have submitted the endorsement files to (ISC)2 within 90 days after receiving the confirmation-of-passing email. Once (ISC)2 receives your endorsement form, the certification process will be completed and you will be sent a welcome packet via USPS.

If you happen to fail the exam, you may take the exam a second time as soon as you can find another open slot in a testing location. However, you will need to pay full price for your second attempt. In the unlikely case you need to test a third time, (ISC)2 requires that you wait six months.

Post-CISSP Concentrations

(ISC)2 has added three concentrations to its certification lineup. These concentrations are offered only to CISSP certificate holders. The (ISC)2 has taken the concepts introduced on the CISSP exam and focused on specific areas, namely, architecture, management, and engineering. These three concentrations are as follows:

For more details about these concentration exams and certifications, please see the (ISC)2 website at www.isc2.org.

Notes on This Book’s Organization

This book is designed to cover each of the 10 CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book comprises 19 chapters. The first 9 domains are each covered by 2 chapters, and the final domain, Physical (Environmental) Security, is covered in Chapter 19. The domain/chapter breakdown is as follows:

Each chapter includes elements to help you focus your studies and test your knowledge, detailed in the following sections.

The Elements of This Study Guide

You’ll see many recurring elements as you read through this study guide. Here are descriptions of some of those elements:

What’s Included With the Additional Study Tools

Readers of this book can get access to a number of additional study tools. We worked really hard to provide some essential tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test.

The Sybex Test Preparation Software

The test preparation software, made by experts at Sybex, prepares you for the CISSP exam. In this test engine, you will find all the review and assessment questions from the book plus additional bonus practice exams that are included with the study tools. You can take the assessment test, test yourself by chapter, take the practice exams, or take a randomly generated exam comprising all the questions.

Electronic Flashcards

Sybex’s electronic flashcards include hundreds of questions designed to challenge you further for the CISSP exam. Between the review questions, practice exams, and flashcards, you’ll have more than enough practice for the exam!

Glossary of Terms in PDF

Sybex offers a robust glossary of terms in PDF format. This comprehensive glossary includes all of the key terms you should understand for the CISSP, in a searchable format.

Bonus Practice Exams

Sybex includes bonus practice exams, each comprising questions meant to survey your understanding of key elements in the CISSP CBK. This book has three bonus exams, each comprised of 250 full-length questions.

How to Use This Book’s Study Tools

This book has a number of features designed to guide your study efforts for the CISSP certification exam. It assists you by listing at the beginning of each chapter the CISSP body of knowledge domain topics covered in the chapter and by ensuring that each topic is fully discussed within the chapter. The review questions at the end of each chapter and the practice exams are designed to test your retention of the material you’ve read to make sure you are aware of areas in which you should spend additional study time. Here are some suggestions for using this book and study tools (found at www.sybex.com/go/cissp6e):

Take the assessment test before you start reading the material. This will give you an idea of the areas in which you need to spend additional study time as well as those areas in which you may just need a brief refresher.

Answer the review questions after you’ve read each chapter; if you answer any incorrectly, go back to the chapter and review the topic, or utilize one of the additional resources if you need more information.

Download the flashcards to your mobile device, and review them when you have a few minutes during the day.

Take every opportunity to test yourself. In addition to the assessment test and review questions, there are bonus practice exams included with the additional study tools. Take these exams without referring to the chapters and see how well you’ve done—go back and review any topics you’ve missed until you fully understand and can apply the concepts.

Finally, find a study partner if possible. Studying for, and taking, the exam with someone else will make the process more enjoyable, and you’ll have someone to help you understand topics that are difficult for you. You’ll also be able to reinforce your own knowledge by helping your study partner in areas where they are weak.

Assessment Test

1. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!

Lesen Sie weiter in der vollständigen Ausgabe!