Fully updated Sybex Study Guide for the industry-leading security certification: CISSP
Security professionals consider the Certified Information Systems Security Professional (CISSP) to be the most desired certification to achieve. More than 200,000 have taken the exam, and there are more than 70,000 CISSPs worldwide. This highly respected guide is updated to cover changes made to the CISSP Body of Knowledge in 2012. It also provides additional advice on how to pass each section of the exam. With expanded coverage of key areas, it also includes a full-length, 250-question practice exam.
* Fully updated for the 2012 CISSP Body of Knowledge, the industry-leading standard for IT professionals
* Thoroughly covers exam topics, including access control, application development security, business continuity and disaster recovery planning, cryptography, operations security, and physical (environmental) security
* Examines information security governance and risk management, legal regulations, investigations and compliance, and telecommunications and network security
* Features expanded coverage of biometrics, auditing and accountability, software security testing, and many more key topics
CISSP: Certified Information Systems Security Professional Study Guide, 6th Edition prepares you with both the knowledge and the confidence to pass the CISSP exam.
Page count: 1653
Contents
Dedication
Acknowledgments
About the Authors
Introduction
Assessment Test
Chapter 1: Access Control
Access Control Overview
Identification and Authentication Techniques
Access Control Techniques
Authorization Mechanisms
Identity and Access Provisioning Life Cycle
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 2: Access Control Attacks and Monitoring
Understanding Access Control Attacks
Preventing Access Control Attacks
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 3: Secure Network Architecture and Securing Network Components
OSI Model
Secure Network Components
Cabling, Wireless, Topology, and Communications Technology
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 4: Secure Communications and Network Attacks
Network and Protocol Security Mechanisms
Virtual Private Network
Remote Access Security Management
Network Address Translation
Switching Technologies
WAN Technologies
Virtualization
Miscellaneous Security Control Characteristics
Manage Email Security
Secure Voice Communications
Security Boundaries
Network Attacks and Countermeasures
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 5: Security Governance Concepts, Principles, and Policies
Security Management Planning
Security Governance
Security Roles and Responsibilities
Protection Mechanisms
Privacy Requirements Compliance
Control Frameworks: Planning to Plan
Security Management Concepts and Principles
Develop and Implement Security Policy
Change Control/Management
Data Classification
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 6: Risk and Personnel Management
Manage Third-Party Governance
Risk Management
Manage Personnel Security
Develop and Manage Security Education, Training, and Awareness
Manage the Security Function
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 7: Software Development Security
Application Issues
Databases and Data Warehousing
Data/Information Storage
Knowledge-Based Systems
Systems Development Controls
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 8: Malicious Code and Application Attacks
Malicious Code
Password Attacks
Application Attacks
Web Application Security
Reconnaissance Attacks
Masquerading Attacks
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 9: Cryptography and Symmetric Key Algorithms
Historical Milestones in Cryptography
Cryptographic Basics
Modern Cryptography
Symmetric Cryptography
Cryptographic Life Cycle
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 10: PKI and Cryptographic Applications
Asymmetric Cryptography
Hash Functions
Digital Signatures
Public Key Infrastructure
Asymmetric Key Management
Applied Cryptography
Cryptographic Attacks
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 11: Principles of Security Models, Design, and Capabilities
Understand the Fundamental Concepts of Security Models
Objects and Subjects
Understand the Components of Information Systems Security Evaluation Models
Understand Security Capabilities Of Information Systems
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 12: Security Architecture Vulnerabilities, Threats, and Countermeasures
Computer Architecture
Avoiding Single Points of Failure
Distributed Architecture
Security Protection Mechanisms
Common Flaws and Security Issues
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 13: Security Operations
Security Operations Concepts
Resource Protection
Patch and Vulnerability Management
Change and Configuration Management
Security Audits and Reviews
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 14: Incident Management
Managing Incident Response
Implement Preventive Measures Against Attacks
Understand System Resilience and Fault Tolerance
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 15: Business Continuity Planning
Planning for Business Continuity
Project Scope and Planning
Business Impact Assessment
Continuity Planning
BCP Documentation
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 16: Disaster Recovery Planning
The Nature of Disaster
Recovery Strategy
Recovery Plan Development
Training and Documentation
Testing and Maintenance
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 17: Laws, Regulations, and Compliance
Categories of Laws
Laws
Compliance
Contracting and Procurement
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 18: Incidents and Ethics
Investigations
Major Categories of Computer Crime
Incident Handling
Ethics
Summary
Exam Essentials
Written Lab
Review Questions
Chapter 19: Physical Security Requirements
Site and Facility Design Considerations
Forms of Physical Access Controls
Technical Controls
Environment and Life Safety
Equipment Failure
Privacy Responsibilities and Legal Requirements
Summary
Exam Essentials
Written Lab
Review Questions
Appendix A: Answers to Review Questions
Appendix B: Answers to Written Labs
Appendix C: About the Additional Study Tools
Index
Free Online Study Tools
Senior Acquisitions Editor: Jeff Kellum
Development Editor: Stef Jones
Technical Editors: David Seidl and Debbie Dahlin
Production Editor: Dassi Zeidel
Copy Editors: Judy Flynn and Liz Welch
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Media Project Manager 1: Laura Moss-Hollister
Media Associate Producer: Josh Frank
Media Quality Assurance: Marilyn Hummel
Book Designer: Judy Fung
Proofreader: Josh Chase, Word One New York
Indexer: Ted Laux
Project Coordinator, Cover: Katherine Crocker
Cover Designer: Ryan Sneed
Copyright © 2012 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-31417-3
ISBN: 978-1-118-46389-5 (ebk.)
ISBN: 978-1-118-33210-8 (ebk.)
ISBN: 978-1-118-33539-0 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2012940018
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered trademark of the International Information Systems Security Certifications Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Dear Reader,
Thank you for choosing CISSP: Certified Information Systems Security Professional Study Guide, Sixth Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.
Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.
I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected]. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.
Best regards,
Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley
To Cathy, whenever there is trouble, just remember “Some beach, somewhere. . .”
—James Michael Stewart
To Robert Riley, a credit to our profession who left us far too soon.
—Mike Chapple
To my wife: Thanks for sharing your life with me for the past 20 years. I look forward to 20 more.
—Darril Gibson
To Ed, we missed you on this one.
—Authors
Acknowledgments
I’d like to express my thanks to Sybex for continuing to support this project. Thanks to Mike Chapple for continuing to contribute to this project. Thanks to Darril Gibson for stepping up and taking over several chapters. Ed, we missed your input and perspective. Thanks also to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome. Extra thanks to the sixth edition developmental editor, Stef Jones, and technical editor, David Seidl, who performed amazing feats in guiding us to improve this book.
To my wonderful wife, Cathy: Our life together is getting more complicated and more wonderful every day. To my son, Xzavier Slayde, and daughter, Remington Annaliese: May you grow to be more than we could imagine; you’ve already outshined all our expectations. To my parents, Dave and Sue: Thanks for your love and consistent support. To Mark: No matter how much time has passed or how little we see each other, I have been and always will be your friend. And finally, as always, to Elvis—the world could use a little “Hunka Hunka Burnin’ Love!”
—James Michael Stewart
Special thanks go to the information security team at the University of Notre Dame who provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book.
I would like to thank the team at Wiley who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, James Michael Stewart and Darril Gibson, were great collaborators. It would be remiss not to also thank Ed Tittel, our coauthor on the first five editions of this book, who was unable to participate in this revision. David Seidl, who joined the team as our technical editor, provided valuable insight as we brought this edition to press.
I’d also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press.
—Mike Chapple
Thanks to Ed Tittel for thinking of me when his schedule was too full to take on the update of this book. No one can fill Ed’s shoes, but I am grateful for the opportunity to contribute to this book in his place. Thanks to James Michael Stewart and Mike Chapple for the work they’ve done with this book in the past, and especially in this edition. I’m also grateful to Jeff Kellum at Wiley for inviting me into the project and to Carole Jelen, my agent at Waterside Productions, for getting all the pieces to fit together. Last, thanks to all the editing, graphics, and production work done by the team at Wiley.
—Darril Gibson
About the Authors
James Michael Stewart, CISSP, has been writing and training for more than 18 years, with a current focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on Windows security and ethical hacking/penetration testing. He is the author of several books and courseware sets on security certification, Microsoft topics, and network administration. More information about Michael can be found at his website: www.impactonline.com.
Mike Chapple, CISSP, PhD, is an IT professional with the University of Notre Dame. In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget’s SearchSecurity site and the author of several information security titles, including The GSEC Prep Guide from Wiley and Information Security Illuminated from Jones and Bartlett Publishers.
Darril Gibson, CISSP, is the CEO of Security Consulting and Training, LLC, and has authored or coauthored 25 books and served as the technical editor on many others. He has been a Microsoft Certified Trainer (MCT) since 1999 and holds a multitude of certifications. He regularly teaches classes on security and Microsoft topics as a traveling trainer and as an adjunct professor at ECPI University. Darril regularly blogs at blogs.GetCertifiedGetAhead.com.
CISSP: Certified Information Systems Security Professional Study Guide, 6th Edition
CISSP Common Body of Knowledge
Each key area of knowledge is listed below with the chapter(s) of this book that cover it.
1. ACCESS CONTROL
A. Control access by applying the following concepts/methodology/techniques: Chapters 1, 2
B. Understand access control attacks: Chapter 2
C. Assess effectiveness of access controls: Chapter 2
D. Identity and access provisioning lifecycle (e.g., provisioning, review, revocation): Chapter 1
2. TELECOMMUNICATIONS AND NETWORK SECURITY
A. Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation): Chapter 3
B. Securing network components: Chapter 3
C. Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN): Chapter 4
D. Understand network attacks (e.g., DDoS, spoofing): Chapter 4
3. INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT
A. Understand and align security function to goals, mission, and objectives of the organization: Chapter 5
B. Understand and apply security governance: Chapter 5
C. Understand and apply concepts of confidentiality, availability, and integrity: Chapter 5
D. Develop and implement security policy: Chapter 5
E. Manage the information life cycle (e.g., classification, categorization, and ownership): Chapter 5
F. Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review): Chapter 6
G. Understand and apply risk management concepts: Chapter 6
H. Manage personnel security: Chapter 6
I. Develop and manage security education, training, and awareness: Chapter 6
J. Manage the Security Function: Chapter 6
4. SOFTWARE DEVELOPMENT SECURITY
A. Understand and apply security in the software development life cycle: Chapter 7
B. Understand the environment and security controls: Chapters 7, 8
C. Assess the effectiveness of software security: Chapter 7
5. CRYPTOGRAPHY
A. Understand the application and use of cryptography: Chapter 9
B. Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance): Chapter 9
C. Understand encryption concepts: Chapters 9, 10
D. Understand key management process: Chapters 9, 10
E. Understand digital signatures: Chapter 10
F. Understand non-repudiation: Chapters 9, 10
G. Understand methods of cryptanalytic attacks: Chapter 10
H. Use cryptography to maintain network security: Chapter 10
I. Use cryptography to maintain application security: Chapter 10
J. Understand Public Key Infrastructure (PKI): Chapter 10
K. Understand certificate related issues: Chapter 10
L. Understand information hiding alternatives (e.g., steganography, watermarking): Chapter 10
6. SECURITY ARCHITECTURE & DESIGN
A. Understand the fundamental concepts of security models (e.g., Confidentiality; Integrity; and Multi-level Models): Chapter 11
B. Understand the components of information systems security evaluation models: Chapter 11
C. Understand security capabilities of information systems (e.g., memory protection; virtualization, trusted platform module): Chapter 11
D. Understand the vulnerabilities of security architectures: Chapter 12
E. Understand software and system vulnerabilities and threats: Chapters 7, 8, 12
F. Understand countermeasure principles (e.g., defense in depth): Chapter 12
7. SECURITY OPERATIONS
A. Understand security operations concepts: Chapter 13
B. Employ resource protection: Chapter 13
C. Manage incident response: Chapter 14
D. Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, denial of service): Chapters 8, 14
E. Implement and support patch and vulnerability management: Chapters 8, 13
F. Understand change and configuration management (e.g., versioning, baselining): Chapter 13
G. Understand system resilience and fault tolerance requirements: Chapter 14
8. BUSINESS CONTINUITY & DISASTER RECOVERY
A. Understand business continuity requirements: Chapter 15
B. Conduct business impact analysis: Chapter 15
C. Develop a recovery strategy: Chapter 16
D. Understand disaster recovery process: Chapter 16
E. Exercise, assess and maintain the plan (e.g., version control, distribution): Chapters 15, 16
9. LEGAL, REGULATIONS, INVESTIGATIONS, AND COMPLIANCE
A. Understand legal issues that pertain to information security internationally: Chapters 17, 18
B. Understand professional ethics: Chapter 18
C. Understand and support investigations: Chapter 18
D. Understand forensic procedures: Chapter 18
E. Understand compliance requirements and procedures: Chapter 17
F. Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance): Chapter 17
10. PHYSICAL (ENVIRONMENTAL) SECURITY
A. Understand site and facility design considerations: Chapter 19
B. Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs): Chapter 19
C. Support the implementation and operation of internal security (e.g., escort requirements/visitor control, keys and locks): Chapter 19
D. Support the implementation and operation of operations or facility security (e.g., technology convergence): Chapter 19
E. Support the protection and securing of equipment: Chapter 19
F. Understand personnel privacy and safety (e.g., duress, travel, monitoring): Chapter 19
Introduction
The CISSP: Certified Information Systems Security Professional Study Guide, Sixth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.
This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.
Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of experience (or four years if you have a college degree) in one of the 10 domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for it. For more information on (ISC)2, see the next section.
The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2 organization. (ISC)2 is a global not-for-profit organization. It has four primary mission goals:
Maintain the Common Body of Knowledge (CBK) for the field of information systems security.
Provide certification for information systems security professionals and practitioners.
Conduct certification training and administer the certification exams.
Oversee the ongoing accreditation of qualified certification candidates through continued education.
The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners. You can obtain more information about (ISC)2 from its website at www.isc2.org.
(ISC)2 supports and provides two primary certifications: CISSP and SSCP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. The Certified Information Systems Security Professional credential is for security professionals responsible for designing and maintaining security infrastructure within an organization. The Systems Security Certified Practitioner (SSCP) is a credential for security professionals responsible for implementing or operating a security infrastructure in an organization.
The CISSP certification covers material from the 10 CBK domains:
Access Control
Telecommunications and Network Security
Information Security Governance and Risk Management
Software Development Security
Cryptography
Security Architecture and Design
Security Operations
Business Continuity and Disaster Recovery Planning
Legal, Regulations, Investigations and Compliance
Physical (Environmental) Security
The SSCP certification covers material from seven CBK domains:
Access Controls
Cryptography
Malicious Code and Activity
Monitoring and Analysis
Networks and Communications
Risk, Response, and Recovery
Security Operations and Administration
The content for the CISSP and SSCP domains overlap significantly, but the focus is different for each set of domains. The CISSP focuses on theory and design, whereas the SSCP focuses more on implementation and best practices. This book focuses only on the domains for the CISSP exam.
(ISC)2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ experience or with four years’ experience and a recent IT or IS degree. Professional experience is defined as security work performed for salary or commission within one or more of the 10 CBK domains.
Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)2 wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)2 website at www.isc2.org.
(ISC)2 also offers an entry program known as an Associate of (ISC)2. This program allows someone without any or enough experience to qualify as a CISSP to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years of security experience. Only after providing proof of such experience, usually by means of endorsement and a resume, can the individual be awarded CISSP certification.
To sign up, visit the (ISC)2 website, and follow the instructions listed there for registering to take the CISSP exam. You’ll provide your contact information, payment details, and security-related professional experience. You’ll also select one of the available time and location settings for the exam. Once (ISC)2 approves your application to take the exam, you’ll receive a confirmation email with all the details you’ll need to find the testing center and take the exam. By the way, be sure to print out a copy of your confirmation letter with your assigned candidate ID number because this is the third form of proof required to enter the testing location (the first two forms are a picture ID and something with your signature on it).
The CISSP exam consists of 250 questions, and you have 6 hours to complete it. The exam is still administered using a paper booklet and answer sheet. This means you’ll be using a pencil to fill in answer bubbles.
However, (ISC)2 just announced a new partnership with Pearson Vue. This partnership will allow the CISSP exam, and other (ISC)2 certification exams, to be taken at a Pearson Vue CBT (computer based testing) facility starting June 1, 2012. This change in testing venues will be implemented worldwide. For more details on this development, please visit www.isc2.org.
The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you’ll need to be familiar with every domain in the CBK but not necessarily be a master of each domain.
You’ll need to register for the exam through the (ISC)2 website at www.isc2.org.
(ISC)2 has traditionally administered the exam under its own direct guidance and control. In most cases, the exams were held in large conference rooms at hotels. Existing CISSP holders were recruited to serve as proctors or administrators for these exams. However, with the upcoming change to offering CISSP as a computer-based test (CBT), the location-based test offerings may be eliminated or reduced (especially in areas where Pearson Vue locations are widely accessible). Once you are ready to schedule your exam, please check with (ISC)2 to see if you have the option of a CBT or a paper-based, location-based exam.
If you take a paper-based, location-based exam, be sure to arrive at the testing center around 8 a.m., and keep in mind that absolutely no one will be admitted into the exam after 8:30 a.m. Once all test takers are signed in and seated, the exam proctors will pass out the testing materials and read a few pages of instructions. This may take 30 minutes or more. Once that process is finished, the 6-hour window for taking the test will begin.
Every question on the CISSP exam is a four-option, multiple-choice question with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response. Here’s an example:
You must select the one correct or best answer and mark it on your answer sheet. In some cases, the correct answer will be very obvious to you. In other cases, several answers may seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you’ll need to select the least incorrect answer.
The CISSP exam consists of two key elements. First, you need to know the material from the 10 CBK domains. Second, you must have good test-taking skills. With 6 hours to complete a 250-question exam, you have just under 90 seconds (about 86 seconds) for each question. Thus, it is important to work quickly, without rushing but also without wasting time.
One key factor to remember is that guessing is better than not answering a question. If you don’t answer a question, you will not get any credit. But if you guess, you have at least a 25 percent chance of improving your score. Wrong answers are not counted against you. So, near the end of the sixth hour, be sure an answer is selected for every line on the answer sheet.
You can write on the test booklet, but nothing written on it will count for or against your score. Use the booklet to make notes and keep track of your progress. We recommend circling your selected answer in the question booklet before you mark it on your answer sheet.
To maximize your test-taking activities, here are some general guidelines:
Answer easy questions first.
Skip harder questions, and return to them later. Consider creating a column on the front cover of your testing booklet to keep track of skipped questions.
Eliminate wrong answers before selecting the correct one.
Watch for double negatives.
Be sure you understand what the question is asking.
Manage your time. You should try to complete about 50 questions per hour. This will leave you with about an hour to focus on skipped questions and double-check your work. Be very careful to mark your answers by the correct question number on the answer sheet.
If you’re attending a paper-based, location-based test, be sure to bring food and drink to the test site. You will not be allowed to leave to obtain sustenance. Your food and drink will be stored against one wall of the testing room. You can eat and drink at any time, but only against that wall. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. Wear a watch, but make sure it is not a programmable one. Bring pencils, a manual pencil sharpener, and an eraser. We also recommend bringing foam ear plugs, wearing comfortable clothes, and taking a light jacket with you (some testing locations are a bit chilly).
If you take your exam at a Pearson Vue center, you may be prohibited from using your own paper and pen/pencil because they usually provide a dry erase board and marker. Pearson Vue testing centers usually have a no food or drink policy, but with a potentially 6-hour exam, new accommodations will be required. Please be sure to contact your testing location and inquire about the procedures and limitations for food and drink.
If English is not your first language, you can register for one of several other language versions of the exam. Or, if you choose to use the English version of the exam, a translation dictionary is allowed. You must be able to prove that you need such a dictionary; this is usually accomplished with your birth certificate or your passport.
We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:
Take one or two evenings to read each chapter in this book and work through its review material.
Answer all the review questions and take the practice exams provided in the book and on the test engine. Complete the written labs from each chapter, and use the review questions for each chapter to help guide you to topics for which more study or time spent working through key concepts and strategies might be beneficial.
Review the (ISC)2 study guide from www.isc2.org.
Use the flashcards included with the study tools to reinforce your understanding of concepts.
Once you have been informed that you successfully passed the CISSP exam, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone who is a CISSP, or other (ISC)2 certification holder, in good standing and familiar with your work history to submit an endorsement form on your behalf. The endorsement form is accessible through the email notifying you of your achievement in passing the exam. The endorser must review your resume, ensure that you have sufficient experience in the 10 CISSP domains, and then submit the signed form to (ISC)2 via fax or postal mail. You must submit the endorsement files to (ISC)2 within 90 days after receiving the confirmation-of-passing email. Once (ISC)2 receives your endorsement form, the certification process will be completed and you will be sent a welcome packet via USPS.
If you happen to fail the exam, you may take the exam a second time as soon as you can find another open slot in a testing location. However, you will need to pay full price for your second attempt. In the unlikely case you need to test a third time, (ISC)2 requires that you wait six months.
(ISC)2 has added three concentrations to its certification lineup. These concentrations are offered only to CISSP certificate holders. The (ISC)2 has taken the concepts introduced on the CISSP exam and focused on specific areas, namely, architecture, management, and engineering. These three concentrations are as follows:
For more details about these concentration exams and certifications, please see the (ISC)2 website at www.isc2.org.
This book is designed to cover each of the 10 CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book comprises 19 chapters. The first 9 domains are each covered by 2 chapters, and the final domain, Physical (Environmental) Security, is covered in Chapter 19. The domain/chapter breakdown is as follows:
Each chapter includes elements to help you focus your studies and test your knowledge, detailed in the following sections.
You’ll see many recurring elements as you read through this study guide. Here are descriptions of some of those elements:
Readers of this book can get access to a number of additional study tools. We worked really hard to provide some essential tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test.
The test preparation software, made by experts at Sybex, prepares you for the CISSP exam. In this test engine, you will find all the review and assessment questions from the book plus additional bonus practice exams that are included with the study tools. You can take the assessment test, test yourself by chapter, take the practice exams, or take a randomly generated exam comprising all the questions.
Sybex’s electronic flashcards include hundreds of questions designed to challenge you further for the CISSP exam. Between the review questions, practice exams, and flashcards, you’ll have more than enough practice for the exam!
Sybex offers a robust glossary of terms in PDF format. This comprehensive glossary includes all of the key terms you should understand for the CISSP, in a searchable format.
Sybex includes bonus practice exams, each comprising questions meant to survey your understanding of key elements in the CISSP CBK. This book has three bonus exams, each consisting of 250 full-length questions.
This book has a number of features designed to guide your study efforts for the CISSP certification exam. It assists you by listing at the beginning of each chapter the CISSP body of knowledge domain topics covered in the chapter and by ensuring that each topic is fully discussed within the chapter. The review questions at the end of each chapter and the practice exams are designed to test your retention of the material you’ve read to make sure you are aware of areas in which you should spend additional study time. Here are some suggestions for using this book and study tools (found at www.sybex.com/go/cissp6e):
Take the assessment test before you start reading the material. This will give you an idea of the areas in which you need to spend additional study time as well as those areas in which you may just need a brief refresher.
Answer the review questions after you’ve read each chapter; if you answer any incorrectly, go back to the chapter and review the topic, or utilize one of the additional resources if you need more information.
Download the flashcards to your mobile device, and review them when you have a few minutes during the day.
Take every opportunity to test yourself. In addition to the assessment test and review questions, there are bonus practice exams included with the additional study tools. Take these exams without referring to the chapters and see how well you’ve done—go back and review any topics you’ve missed until you fully understand and can apply the concepts.
Finally, find a study partner if possible. Studying for, and taking, the exam with someone else will make the process more enjoyable, and you’ll have someone to help you understand topics that are difficult for you. You’ll also be able to reinforce your own knowledge by helping your study partner in areas where they are weak.
1. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?
Continue reading in the full edition!