CertCities.com -- The Ultimate Site for Certified IT Professionals
Testing Your Mettle: The Six-Hour, 250-Question CISSP Exam
Roberta sits for the grueling Certified Information Systems Security Professional exam and survives.


by Roberta Bragg

3/25/2001 --
Exam Spotlight

Exam: Certified Information Systems Security Professional (CISSP) exam
Certification, Vendor: CISSP, ISC2
Status: Live, updated yearly.
Reviewer's Rating: "Covers a huge amount of material, but the questions themselves are fairly straightforward."
Test Information: 250 questions per exam, 6-hour time limit. Test is paper-based; given only in select locations. Cost: $450 (U.S.). Candidates must document experience level and agree to ethics requirements before sitting this exam.
Who Should Take This Exam? Networking/security professionals who can document three years of experience in a specific area of study covered by this exam.
Does an alphabet soup of acronyms, which stand for certifications that you've obtained, follow your signature? Are you wondering which, if any, are really valuable? Are you contemplating a worthwhile certification challenge? Have you been working in the information system security arena? If so, the Certified Information Systems Security Professional (CISSP) designation may be right for you.

Now, I don't like taking examinations, and I'm convinced that most IT certification programs don't produce professionals worth the piece of paper their certificates are printed on. So why did I sit a six-hour certification exam over 10 areas of information system security knowledge, sans water or coffee, with six sharpened pencils and a big eraser as my only company? Why did I pay $200 for some study guides, a $450 examination fee, and several hundreds of dollars to attend a workshop? Why, for three months, did I give up my Thursday nights to attend a study group, and many other hours to study things like lattice-based access controls, ALE calculations, the Montreal protocol, Bell-LaPadula and Biba models?

Why indeed.

When I grew up I was taught to value professionalism. Daddy taught me how to judge qualifications not by the letters behind someone's name but by what those letters stood for and how the person got them. We may not have had Internet-available "brain dumps" or electronic exam discs, but we had paper mills: When I was growing up, every matchbook cover had instructions on getting your advanced degrees by mail. The issue among true professionals then, as now, was not what to do to guarantee success and a high income; it was what career path to choose, and then, what are the important career markers one should have to pursue it? If a program, certification or stamp of approval had status or recognition in the industry, good. If it didn't, then it was meaningless and ignored.

You see, the certification mills and their frantic attendees have got it all wrong: It's not about collecting certifications, it's about obtaining the knowledge and experience that these certifications should represent.

Today, like yesterday, it's important to seek out those programs that are recognized as serving as evidence of your ability to excel. The CISSP certification is one of them. It was first developed to help identify professionals who had the knowledge base, ethics and commitment to manage information systems security for government and industry. Today there are more than 4,000 holders of this certification, and the demand for professionals who are CISSPs is skyrocketing. Thousands of employers require, or desire, applicants to have this International Information Systems Security Certification Consortium (ISC2)-sponsored certification. It is recognized worldwide as a symbol of professionalism and accomplishment in the field. I took the exam to obtain it. Here's how you can get there too.

Requirements
To be a CISSP you must do three things:

  • Have and be able to prove three years of direct experience in one or more of the 10 domains of the information systems security Common Body of Knowledge (outlined below).
  • Subscribe to the ISC2 Code of Ethics.
  • Pass a 250-question examination based on the 10 domains.

In order to apply to take the exam, each candidate has to identify the jobs and experience that fulfill the three years of qualifying experience. You don't have to have the word "security" in your job title, but you do have to offer evidence of a career path that equates to three years in the information system security field. While the best teacher is experience, ISC2 recognizes that not all security professionals have, or will ever work in, all 10 domains. Some knowledge can come from study -- either self-study, or attendance at workshops, seminars and/or participation in study groups. More on how to prepare for this exam later in this article.

During the application process, as well as at the examination, you'll be asked if you have read and agree to the ISC2 code of ethics. The code can be found at the ISC2 Web site (www.isc2.org) and consists of four mandatory canons followed by additional direction. Of course, supporting this code of ethics is not only the purview of CISSPs; all information system groups might consider it a high-water mark for membership.

The Common Body of Knowledge
It is easier for people to communicate and work together if they share common goals and knowledge. The Common Body of Knowledge (CBK) is a list of 10 information system security domains of knowledge, developed to help information systems people better communicate with each other. While no one is expected to be an expert in all domains, all are expected to know a fair amount in each. Passing the exam means that you have the minimal requisite knowledge. The 10 domains along with a description of each can be found in the table below:

DOMAIN -- DESCRIPTION

1. Access Control Systems and Methodology -- Methods of limiting, controlling and monitoring system access. Do you understand current industry and government techniques? Can you explain the risks, exposures and ultimate consequences of using or not using each technique?
2. Telecommunications & Network Security -- What are the basic mechanisms on which networks work? A solid knowledge of TCP/IP is expected. How can transmissions be secured? How do firewalls, routers and other engines work?
3. Business Continuity & Disaster Recovery Planning -- If a major disruption to normal business operations (flood, hurricane, earthquake, explosion, etc.) happened, would business operations continue? How could they be recovered? What's the plan?
4. Security Management Practices -- What are the organization's information assets and its policies for their protection? How are standards, procedures and policies managed? How is data classified, and how are risks assessed and analyzed? What are the roles within an organization?
5. Security Architecture & Models -- How are operating systems designed, implemented and monitored for security? What are the controls used?
6. Law, Investigations and Ethics -- Current law, regulations, investigative measures. Evidence gathering. Has a crime been committed?
7. Application & Systems Development -- What controls exist within software? What steps are taken during development to ensure security? What about change control, data warehousing, program interfaces?
8. Cryptography -- How does cryptography provide integrity, authentication, confidentiality and non-repudiation? What algorithms are used to provide key distribution and digital signatures? How are attacks mounted?
9. Computer Operations Security -- Controls for hardware, media and operators.
10. Physical Security -- Biometrics, lighting, locks, alarms, fences.


Preparing for the Exam

The first thing you'll want to do is download the official study guide from the ISC2 Web site. (Note: Candidates must fill out a request form to get this document.) Each of the 10 domains should suggest areas for you to study. A good course of action is to locate at least one good resource for each domain that you have no practical experience with.

If you're looking for books, SRV Professional Publications sells a set of CISSP examination textbooks. The first volume describes the domains, while the second offers hundreds of sample questions that can help you get oriented to the types of questions on the exam.

Another series of books I like is Hal Tipton's annual series, "The Information Security Management Handbook." Each volume contains a large number of articles written by a wide variety of authors. You won't want to use this as your only source of study, but it is a must-have.

Another book, "The CISSP Prep Guide: Mastering the Ten Domains of Computer Security" by Ronald Krutz and Russell Dean Vines, will be published in August 2001 by John Wiley & Sons.

There are no "bootcamps" available for the CISSP exam, or screaming radio ads that claim to provide you with this coveted certification, but then, that's not the point, right? You're supposed to learn this stuff, so that, on the day of the exam, you can truly enter the testing room with the attitude of "Well…if I don't pass, look at all the neat stuff I learned along the way."

ISC2 does offer one-day, four-day and eight-day workshops, ranging in price from $395 to $3,075. Or you could always join a study group; anyone can form one, and lots of people do. No workshop or study group presents its offerings as a sure pathway to success, but they do help. I was blessed with being able to both attend Hal Tipton's one-day "Introduction to the CISSP Exam" and participate in a 12-week study group sponsored by our local Kansas City chapter of the Information Systems Security Association (ISSA). Tipton's class (given as a pre-conference workshop at the Computer Security Institute conference in Chicago, November 2000), was invaluable in providing me with a good review. Many people use it as a scorecard to tell what they need to do to get ready for the exam. It's a good thing to do prior to starting your studies to scope out the extent of what you'll need to do, or at the end, as a sort of readiness review.

In the ISSA study group I joined, each domain was reviewed by a local CISSP with expertise in that area. We also used the SRV books as a study guide. There was, of course, plenty of time at the meetings for questions, and often one of the participants brought in a book or article to further elucidate some point from a previous meeting. One of the best benefits of the study group was getting to know more of the information security folks from my area, and it was sure nice to see friendly faces and hear words of encouragement just prior to the actual exam.

My Exam Experience
I arrived slightly early for the exam. Since it was held in my city, I didn't need to travel, but that was lucky -- you may need to travel quite a distance in order to take this exam.

I did need to bring a registration letter, which was collected at the exam, and picture ID. Our local ISSA chapter provided some snacks and we were told we could bring some food and water. No breaks in the six-hour long exam period are scheduled, and no food or drink could be kept at the exam table. But by raising my hand, I was allowed to escape to the restroom and then the food tables for a minute's respite (one person at a time is allowed this privilege). It was great to stand at the back of the room munching on cheese, drinking coffee and thinking about something other than A? B? C? or D?

The exam was heavily proctored. Just in case anyone decided to ignore their signature on the code of ethics, we were told that any hint of cheating would get us removed from the room and our exam papers destroyed.

The exam is paper-based, featuring a numbered booklet and a computer-scannable answer sheet (it'll bring back memories of college entrance exams), both of which are provided. I was advised to bring a number of No. 2 pencils to mark answers. My seat for the exam was assigned, and I was asked to record the exam booklet number on the answer sheet. Different versions of the exam exist, we were told, and the pool of questions is said to be 1,200. The questions in the pool change each year; this keeps the exam current and, incidentally, prevents knowledge of questions from leaking out.

Since the exam is not given on a computer, no result was available when I finished. I was lucky: I was headed out of town on a gig and didn't have to check the mail each day looking for a letter. The Web site currently advertises an 18-day turnaround, but some CISSPs tell me it hasn't always been so swift. By the way, if you pass, you'll never know your score; if you fail, you'll get a score and pointers to the areas you had trouble with.

Although I'll admit to some trepidation approaching the exam, I didn't feel it was overwhelmingly difficult. The questions were varied, comprehensive and reasonably straightforward. The main problem with it is the huge amount of material it covers, and the long time it takes to complete. There were some questions for which I had no idea what the answer was, but I knew enough of them. When the letter arrived, a little lapel pin accompanied it. Weeks later, a rather nice wall plaque arrived. I am a CISSP.

Would I sit that exam again? That's a rather moot point at the moment, but I'm sure not going to let it happen through negligence. I'm well aware that to keep my CISSP cert, I'll have to obtain 120 continuing professional education (CPE) credits over the next three years. It seems there's no rest for the weary.



Roberta Bragg, MCSE, MCT, CISSP, runs her company, Have Computer Will Travel Inc., out of a notebook carrying case. She's an independent consultant specializing in security, operating systems and databases. She is a contributing editor for Microsoft Certified Professional magazine. You can reach her at .
There are 94 CertCities.com user Comments for “Testing Your Mettle: The Six-Hour, 250-Question CISSP Exam”
The current user rating is: three stars - difficult, but manageable
7/9/01: CISSP in Hong Kong says:
one star - cakewalk
There are a bunch of CISSP prep courses available in Hong Kong now! I am confident to say that lots of paper CISSPs will come into the market soon. Why? Those people who have not got 3 years of experience can still enroll in the exam and get certified after taking those prep and cram courses, while ISC2 does nothing against that! CISSP will be a joke like MCSE soon!
7/9/01: Adman says:
four stars - very difficult
You can only imagine how hard this exam is. Not because the questions are near impossible, but because the questions are so broad. I believe that a phased CISSP process should be introduced. I passed my exam, and am up for re-cert in Aug. Not looking forward to it, but feeling much more confident.
7/17/01: Nathan says:
four stars - very difficult
The exam is right on target for the CISSP market. I had 5 years of experience when I tested, and didn't attend any prep courses or study groups. I bought and studied about 4 different textbooks, concentrating on the areas where I felt weak. I will say this about the CISSP: it is respected. - More employers are requiring it. - Most clients want any consultant to have it. - Vendor sales reps fear it ("Oh, you're a CISSP, let me get my technical person on the phone before we start")! Great article.
7/24/01: Larry says:
three stars - difficult, but manageable
What makes this exam fairly difficult is the wide range of subject areas covered. The questions themselves are, with a few exceptions, not terribly difficult. The number of questions asked at one sitting might create a problem for some but you are given ample time to complete and review the questions. The CCIE qualifying exam and some of the MCSE exams are far more difficult.
7/25/01: ramakrishna says:
three stars - difficult, but manageable
If we get proper guidance and hands-on experience, I think we can do it.
8/17/01: Mark says:
five stars - true gurus only
Very tough, but reasonably so. A must if you consider yourself an information security professional. It covers all of the areas, and helps you strengthen on the ones you didn't really know much about.
9/11/01: Ismandy says:
three stars - difficult, but manageable
The exam was fairly tough for a very technical person like me. I have been involved in computer security for the last six years, but still I found that the exam was difficult; luckily, I managed to handle it. Sitting for six hours and only being able to get out twice to the toilet was really depressing. I also think that the exam was not really that difficult, but the 6 hours straight also contributed to the "difficulty". Above all, I passed the exam. Thanks to everyone.
9/24/01: John says:
five stars - true gurus only
Think twice before booking
10/29/01: Bruce says:
three stars - difficult, but manageable
My difficulty rating stems solely from the comprehensiveness of the material, as I completed the exam in just over two hours. I wish it had been more technical: its focus was business-centric (disaster recovery, continuity planning, goals of risk assessments, etc.) rather than technical, and it required a number of razor-thin judgment calls. I do not believe the assertion of the (ISC)2 that someone with three years' experience could pass: it requires too much information from too broad an expanse of subject matter. In fact, I had to recall some terms (fortunately, I did) that I hadn't seen in many years. I heartily endorse the Krutz and Vines book. I found that it correlated perhaps 90% with the content of the exam. Don't bother memorizing the types of fire extinguisher systems.
11/5/01: Jason says:
four stars - very difficult
The difficulty to me in this exam was the type of questions that were asked. It is very broad and covers a lot of material, but many of the questions asked for the best answer of the four, not the correct answer. This is what I considered most difficult. Like someone else said, I've never left a test without knowing whether I passed or failed, or even having a notion based on taking the test. It is a difficult test and requires a good understanding of the CBK.
Exam Difficulty Rating Key
five stars - true gurus only
four stars - very difficult
three stars - difficult, but manageable
two stars - somewhat challenging
one star - cakewalk