Testing Your Mettle: The Six-Hour, 250-Question CISSP Exam
Roberta sits for the grueling Certified Information Systems Security Professional exam and survives.
by Roberta Bragg
3/25/2001
Exam: Certified Information Systems Security Professional (CISSP) exam. "Covers a huge amount of material, but the questions themselves are fairly straightforward."
Test Information: 250 questions per exam, 6 hour time limit. Test is paper-based; given only in select locations. Cost: $450 (U.S.). Candidates must document experience level and agree to ethics requirements before sitting this exam.
Who Should Take This Exam? Networking/security professionals who can document three years of experience in a specific area of study covered by this exam.
Does an alphabet soup of acronyms, which stand for certifications that you've
obtained, follow your signature? Are you wondering which, if any, are really valuable?
Are you contemplating a worthwhile certification challenge? Have you been working
in the information system security arena? If so, the Certified Information Systems
Security Professional (CISSP) designation may be right for you.
Now, I don't like taking examinations, and I'm convinced that most IT certification
programs don't produce professionals worth the piece of paper their certificates
are printed on. So why did I sit a six-hour certification exam over 10 areas
of information system security knowledge, sans water or coffee, with six sharpened
pencils and a big eraser as my only company? Why did I pay $200 for some study
guides, a $450 examination fee, and several hundreds of dollars to attend a
workshop? Why, for three months, did I give up my Thursday nights to attend
a study group, and many other hours to study things like lattice-based access
controls, ALE calculations, the Montreal protocol, Bell-LaPadula and Biba models?
Why indeed.
When I grew up I was taught to value professionalism. Daddy taught me how to
judge qualifications not by the letters behind someone's name but by what those
letters stood for and how the person got them. We may not have had Internet-available
'brain dumps' or electronic exam discs but we had paper mills: When I was growing
up, every matchbook cover had instructions on getting your advanced degrees
by mail. The issue among true professionals then, as now, was not what to
do to guarantee success and a high income; it was what career path to
choose and, then, which career markers one should have in order to
pursue it. If a program, certification or stamp of approval had status or
recognition in the industry, good. If it didn't, then it was meaningless and
ignored.
You see, the certification mills and their frantic attendees have got it all
wrong: It's not about collecting certifications, it's about obtaining the knowledge
and experience that these certifications should represent.
Today, like yesterday, it's important to seek out those programs that are recognized
as serving as evidence of your ability to excel. The CISSP certification is
one of them. It was first developed to help identify professionals who had the
knowledge base, ethics and commitment to manage information systems security
for government and industry. Today there are more than 4,000 holders of this
certification, and the demand for professionals who are CISSPs is skyrocketing.
Thousands of employers require, or desire, applicants to have this International
Information Systems Security Certification Consortium (ISC2)-sponsored certification.
It is recognized worldwide as a symbol of professionalism and accomplishment
in the field. I took the exam to obtain it. Here's how you can get there too.
Requirements
To be a CISSP you must do three things:
1. Have and be able to prove three years of direct experience in one or more
of the 10 domains of the information systems security Common Body of Knowledge
(outlined below).
2. Subscribe to the ISC2 Code of Ethics.
3. Pass a 250-question examination based on the 10 domains.
In order to apply to take the exam, each candidate has to identify the jobs
and experience that fulfill the three years of qualifying experience. You don't
have to have the word "security" in your job title, but you do have to offer
evidence of a career path that equates to three years in the information system
security field. While the best teacher is experience, ISC2 recognizes that not
all security professionals have, or will ever work in, all 10 domains. Some
knowledge can come from study -- either self-study, or attendance at workshops,
seminars and/or participation in study groups. More on how to prepare for this
exam later in this article.
During the application process as well as at the examination, you'll be asked
if you have read and agree to the ISC2 code of ethics. The code can be found
at the ISC2 Web site (www.isc2.org) and consists
of four mandatory canons followed by additional direction. Of course, supporting
this code of ethics is not only the purview of CISSPs; all information system
groups might consider it a high-water mark for membership.
The Common Body of Knowledge
It is easier for people to communicate and work together if they share common
goals and knowledge. The Common Body of Knowledge (CBK) is a list of 10 information
system security domains of knowledge, developed to help information systems
people better communicate with each other. While no one is expected to be an
expert in all domains, all are expected to know a fair amount in each. Passing
the exam means that you have the minimal requisite knowledge. The 10 domains
along with a description of each can be found in the table below:
DOMAIN: DESCRIPTION
1. Access Control Systems and Methodology: Methods of limiting, controlling and monitoring system access. Do you understand current industry and government techniques? Can you explain the risks, exposures and ultimate consequences of using or not using each technique?
2. Telecommunications & Network Security: What are the basic mechanisms on which networks work? A solid knowledge of TCP/IP is expected. How can transmissions be secured? How do firewalls, routers and other engines work?
3. Business Continuity & Disaster Recovery Planning: If a major disruption to normal business operations (flood? hurricane? earthquake, explosion, etc.) happened, would the business operations continue? How could they be recovered? What's the plan?
4. Security Management Practices: What are the organization's information assets and its policies for their protection? How are standards, procedures and policies managed? How is data classified, risks assessed and analyzed? What are the roles within an organization?
5. Security Architecture & Models: How are operating systems designed, implemented and monitored for security? What are the controls used?
6. Law, Investigations and Ethics: Current law, regulations, investigative measures. Evidence gathering. Has a crime been committed?
7. Application & Systems Development: What controls exist within software? What steps are taken during development to ensure security? What about change control, data warehousing, program interfaces?
8. Cryptography: How does cryptography provide integrity, authentication, confidentiality, non-repudiation? What algorithms are used to provide key distribution, digital signatures? How are attacks mounted?
9. Computer Operations Security: Controls for hardware, media and operators.
10. Physical Security: Biometrics, lighting, locks, alarms, fences.
Preparing for the Exam
The first thing you'll want to do is download the official
study guide from the ISC2 Web site. (Note: Candidates must fill out a request
form to get this document.) Each of the 10 domains should suggest areas for
you to study. A good course of action is to locate at least one good resource
for each domain that you have no practical experience with.
If you're looking for books, SRV Professional
Publications sells a set of CISSP examination textbooks. The first volume
describes the domains, while the second offers hundreds of sample questions
that can help you get oriented to the types of questions on the exam.
Another series of books I like is Hal Tipton's annual series: "The
Information Security Management Handbook." Each contains a large number
of articles written by a wide variety of authors. You won't want to use this
as your only source of study, but it is a must-have.
There are no "bootcamps" available for the CISSP exam, or screaming
radio ads that claim to provide you with this coveted certification, but then,
that's not the point, right? You're supposed to learn this stuff, so that, on
the day of the exam, you can truly enter the testing room with the attitude
of "Well…if I don't pass, look at all the neat stuff I learned along
the way."
ISC2 does offer one-day, four-day and eight-day workshops, ranging in price
from $395 to $3,075. Or you could always join a study group; anyone can form
one, and lots of people do. No workshop or study group presents its offerings
as a sure pathway to success, but they do help. I was blessed with being able
to both attend Hal Tipton's one-day "Introduction to the CISSP Exam" and
participate in a 12-week study group sponsored by our local Kansas City chapter
of the Information Systems Security Association (ISSA). Tipton's class (given
as a pre-conference workshop at the Computer Security Institute conference in
Chicago, November 2000) was invaluable in providing me with a good review.
Many people use it as a scorecard to tell what they need to do to get ready
for the exam. It's a good thing to do prior to starting your studies to scope
out the extent of what you'll need to do, or at the end, as a sort of readiness
review.
In the ISSA study group I joined, each domain was reviewed by a local CISSP
with expertise in that area. We also used the SRV books as a study
guide. There was, of course, plenty of time at the meetings for questions, and
often one of the participants brought in a book or article to further elucidate
some point from a previous meeting. One of the best benefits of the study group
was getting to know more of the information security folks from my area, and
it was sure nice to see friendly faces and hear words of encouragement just
prior to the actual exam.
My Exam Experience
I arrived slightly early for the exam. Since it was held in my city, I didn't
need to travel, but that was lucky -- you may need to travel quite a distance in order
to take this exam.
I did need to bring a registration letter, which was collected at the exam,
and picture ID. Our local ISSA chapter provided some snacks and we were told
we could bring some food and water. No breaks in the six-hour long exam period
are scheduled, and no food or drink could be kept at the exam table. But by
raising my hand, I was allowed to escape to the restroom and then the food tables
for a minute's respite (one person at a time is allowed this privilege).
It was great to stand at the back of the room munching on cheese, drinking coffee
and thinking about something other than A? B? C? or D?
The exam was heavily proctored. Just in case anyone decided to ignore their
signature on the code of ethics, we were told that any hint of cheating would
get us removed from the room and our exam papers destroyed.
The exam is paper-based, featuring a numbered booklet and a computer-scannable
answer sheet (it'll bring back memories of college entrance exams), both
of which are provided. I was advised to bring a number of number 2 pencils to
mark answers. My seat for the exam was assigned, and I was asked to record the exam
booklet number on the answer sheet. Different versions of the exam exist, we
were told; the pool of questions is said to be 1200. The questions in the pool
change each year, which keeps the exam current and, incidentally, prevents
knowledge of questions from leaking out.
Since the exam is not given on a computer, no result was available when I finished.
I was lucky: I was headed out of town on a gig and didn't have to check the
mail each day looking for a letter. The Web site currently advertises an 18
day turnaround, but some CISSPs tell me it hasn't always been so swift. By the
way, if you pass, you'll never know your score; if you fail, you'll get a score
and pointers to the areas you had trouble with.
Although I'll admit to some trepidation approaching the exam, I didn't feel
it was overwhelmingly difficult. The questions were varied, comprehensive and
reasonably straightforward. The main problem with it is the huge amount of material
it covers, and the long time it takes to complete. There were some questions
for which I had no idea what the answer was, but I knew enough of them. When the letter
arrived, a little lapel pin accompanied it. Weeks later, a rather nice wall
plaque arrived. I am a CISSP.
Would I sit that exam again? That's a rather moot point at the moment, but
I'm sure not going to let it happen through negligence. I'm well aware that
to keep my CISSP cert, I'll have to obtain 120 continuing professional education
(CPE) credits over the next three years. It seems there's no rest for the weary.
Roberta Bragg, MCSE, MCT, CISSP, runs her company, Have Computer Will Travel Inc.,
out of a notebook carrying case. She's an independent consultant specializing
in security, operating systems and databases. She is a contributing editor for
Microsoft Certified Professional magazine. You can reach her at freouwebbe@msn.com.
User Comments (94 total; page 1 of 10)
3/27/01: Ken says:
With almost 15 years of experience in information security I still found the test to be very challenging. I would not have wanted to try testing for it without having done additional reading and preparation. It made me realize there was more out there than just what I'd been in contact with as well as how much I'd forgotten over time. I'd rate it as probably the most difficult test I've ever taken.
3/28/01: Andrew says:
The subject matter is very extensive; however, a solid security professional who has had experience in more than one of the ten domains for the required (by ISC2) length of time should be able to take this exam with some additional reading and research. The toughest security exam I've come across yet, although the Cisco security and SANS GIAC exams could be tougher as more in-depth knowledge is required for both.
3/28/01: Adnan says:
I wanna know everything about the encryption tools :):)
3/30/01: William Hugh says:
I would like to thank Roberta Bragg for her great review.
I had more than thirty years experience when I took the exam. I chaired the committee on the Common Body of Knowledge. I qualified for waiver of the exam under a program no longer available.
If you have five years experience and are well read, no problem. With three years experience, very well read and some preparation, you will pass.
4/1/01: Clément says:
What makes this exam so hard is the scope that you must cover. You cannot only excel in one domain, you must be familiar with all of the domains.
There are now resources that are slowly being developed and put online for free to help with the exam. I welcome you to visit the CISSP Open Study Guide at http://www.cccure.org. I got some very positive comments from students who have been able to fill the areas in which they were the weakest using the study guides and other tools available at the site.
Last but not least, you must have been involved in the security field for a while if you wish to pass this one.
4/1/01: Jay says:
I remember going to Scout camp one Summer when everyone in my troop came back with both leatherworking and metalworking merit badges. None of us had the slightest skills in those crafts, but the merit badge counselors were easy, and the idea of merit badges—or so we thought—was to get as many of them as possible. Today, it seems like a lot of computer professionals are stuffing those merit badge sashes and strutting around in them, trying to win some bizarre contest of "Who'segotthemostletters".
My suggestion is that you earn the CISSP for yourself—don't go to all that trouble just to sew another merit badge on your sash. One of the reasons that the 10 domains are so broadly based, and the set of questions covers so many different subjects, is that many test takers have never been exposed to all of these ideas and may never take the opportunity again. It means that at least one time in your life, you've dealt with important concepts such as MAC vs. DAC, or you have to do some reading on fire suppression. You may never draw on that information again—but you can't use it if you don't have it. You may spend the rest of your career fiddling with firewalls—but after a couple of years of that, you may want an opportunity to be promoted to ISO.
The test is hard, and there are always complaints about the questions. Good. It isn't worth doing if it is easy, and there is no purpose in the program if it doesn't raise the bar of knowledge. Today, there are more people than ever with broad backgrounds in InfoSec who are better prepared to make strategic decisions about risk, countermeasure deployment, and security architectures. Much of this is due to the success of the ISC2. Do you want to be more knowledgeable in your specialty area? Do you want to increase your level of expert knowledge in a growing and demanding field? If so, then make a serious effort to improve yourself by studying topics that you hadn't spent much time on before. If you treat this examination as the beginning of a journey, instead of as the means to an end, you'll learn more, and go farther.
But if you are just trying to collect merit badges and don't really care to learn anything while you are doing it, do me a favor and don't bother coming to me looking for a consulting job.
4/2/01: William says:
After years of experience in the information security field and some intense studying the weeks prior to the exam, I still left the exam site wondering if I had passed. As Roberta so aptly pointed out in her article, "there is no boot camp for the CISSP". Study hard and then study some more; it's worth it in the end.
4/2/01: Robert K. says:
Excellent descriptions of what lay ahead, but what about afterwards? You are expected to be a CISSP with all that others are proving its value to be... Like security as a profession, being a CISSP is a seemingly never-ending journey, not a destination. CISSP does not mean you have arrived. It means you have completed one checkpoint on the journey. For all the sweat, toil and tears, I bet that you will find it worth your time.
4/2/01: Rob says:
I have been a CISSP since 1998, and found this article very true to form. This exam must be tough to be of value to the holders, the achievement is in its difficulty. It should be attempted by those who have a good amount of experience with most of the CBK domains, and a whole lot of study in remaining weak areas. I took this exam with a decade of daily InfoSec under my belt, and found it very challenging. Very nice article about what to expect.
4/2/01: Keith says:
When I took the CISSP exam in 1995 I was at a crossroads in my career. Stay in security or go back into IT architecture & design. I saw the sign at a conference and asked if I could write the exam. No prep, no study guide, just me and my visa card. Well I sweated for a few months and when I received that envelope with CISSP behind my name I knew where I was going to stay. I recertified in '98 and am on track for recertification in '01. Am also proud that I have convinced and helped others to earn this certification.
Enjoyed Roberta's article very much.
Reprints allowed with written permission from the publisher. For more information, e-mail editor@certcities.com