CISSP Certification: Howto
Hello, Habr readers!
I recently passed one of the top certifications in information security: Certified Information Systems Security Professional, or CISSP for short. While preparing, I collected useful information about the certification and the exam bit by bit from colleagues, forums and websites. "It might come in handy for someone!" I thought while tidying up my desktop, and took my finger off the Delete key.
Under the cut I will describe my preparation experience and share the tips and tricks I have tested on myself. I hope this material helps you better understand what CISSP is and whether it is worth taking, and also saves you valuable time during preparation.
Certified Information Systems Security Professional is a vendor-neutral information security certification from the non-profit International Information System Security Certification Consortium, better known as (ISC)². The certification dates back to 1991, and at the moment about 70,000 specialists hold an active CISSP.
CISSP certification is aimed primarily at consultants, auditors, architects, analysts and managers in information security (IS).
CISSP is among the highest-ranked certifications in information security. In Russia it is one of the most popular vendor-neutral certifications alongside CISA (information systems auditor, including IS auditing), CISM (information security manager) and CEH (the theoretical foundations of ethical hacking). In my opinion, the last two are somewhat easier to pass.
The certification covers 10 topics (domains):
• Access Control
• Telecommunications and Network Security
• Information Security Governance and Risk Management
• Software Development Security
• Cryptography
• Security Architecture and Design
• Operations Security
• Business Continuity and Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environmental) Security
CISSP is said to be 20 miles wide and an inch deep. You couldn't put it better. You do not need to know each topic in depth, but your knowledge must cover all 10 domains in an even layer without gaps.
To obtain the CISSP title, you must pass a six-hour exam of 250 questions across the 10 domains, agree to the (ISC)² Code of Ethics, and confirm at least five years of experience in at least 2 of the 10 domains, endorsed by a specialist holding a valid CISSP certificate.
As for why you would want it, I would highlight the following main reasons:
• Knowledge. Many have probably heard the mournful argument that nobody needs all these certifications, that they have nothing to do with real knowledge, and so on. It seems to me that this is the opinion of people who either never took the certification in question or took one that was wrong for them. It is naive to believe that a certificate equals knowledge, or that a piece of paper can replace real experience. However, nothing organizes knowledge and exposes gaps like preparing for a certification. This applies to vendor certifications, and doubly so to "conceptual" certifications like CISSP. For me, this motivation was the main one, and I am pleased with the result.
• Employment. No doubt a venerable certification looks good on a resume, but here I would not want to be particularly encouraging. The vast majority of employers in Russia have never heard of CISSP, and if a company is mature enough in this respect, it will be interested primarily in the real knowledge and experience behind the certification. The exception is system integrators, who constantly have to prove their experience to customers by presenting lists of completed projects and the certificates of their employees.
• Professional pride. Recognition by the professional community and colleagues. Or, more simply, ego. The military has medals, athletes get black belts and sports ranks, McDonald's hangs the employee of the month on the wall. I see nothing wrong with healthy ambition.
The Internet is full of heated battles over whether CISSP certification is necessary and sufficient. You will have time to get tired of them while you prepare for the exam. You find a forum thread discussing the Operations Security domain and discover that 80% of the comments are arguing about the certification itself. If the custom abroad is to get the certificate and then brag about a photo of it burning, then among our compatriots the more popular position is "I haven't read it, but I condemn it".
To make a decision, you need to know all the opinions. So, a couple of links:
An article with a classic flame war in the comments:
www.infosecisland.com/blogview/22257-Your-CISSP-is-Worthless-So-Now-What.html
An ancient article by Alexei Lukatsky, the current icon of Russian "paper" information security, which still sits at the top of Runet search results:
www.pcweek.ru/infrastructure/article/detail.php?ID=65988
The presentation "Why You Should Not Get a CISSP" (thanks to jekap for the tip):
attrition.org/security/conferences/why_you_should_not_get_a_CISSP-public.pdf
Below I will describe my experience of taking the exam, but first the dry facts:
The exam consists of 250 questions covering all domains. You are given 6 hours with no breaks, which works out to an average of 1.5 minutes per question. You may step out to rest, drink some water or use the toilet, but only at the expense of your own time. By the end you are completely exhausted by the stress and tension, and your speed drops. So you really need to spend no more than a minute per question.
Every question has 4 answer options, from which you must choose the best one. That word holds all the salt and all the difficulty of the CISSP exam. Questions testing a single unambiguous fact are a minority. Almost all questions have several correct answers, and you have to choose the best one in terms of the methodologies and best practices that make up the course (there are hundreds of them). Common sense has not been cancelled either.
Previously the exam was taken on paper and held 2-3 times a year. As of last year, however, it is computer-based and can be taken at any time when a test center has a seat. Older CISSPs grumble that the certification is not what it used to be. Yes, the feeling of a special solemn ritual is gone, but taking it on a familiar computer is much more comfortable, and in my opinion it genuinely saves time on the exam. Previously you had to copy your answers from the draft and carefully shade the boxes next to the answers. That is gone now, which I think gives the candidate an extra 40 minutes. The questions have not become any easier, though, and new topics are added to the course every year, so it certainly will not be easy.
Passing the exam is not enough; you still have to confirm five years of experience in at least 2 of the 10 domains. This scares off many young professionals and people who previously worked in other fields. However, there are a couple of provisions that bring certification closer. A degree in information security counts as one year of experience. If you have no such degree, a year of experience can be credited for holding one certification from this list. Most of them are exotic, but you may well have CCSP / CCNP Security if you have worked with Cisco. And the CompTIA Security+ exam can be passed simply as part of preparing for CISSP, because it covers roughly the same material, only 10 times easier. The list also includes CISM and CISA, but if you have those, your experience is most likely fine anyway.
Your experience must be endorsed by a current CISSP. If you cannot find one, (ISC)² will find one for you.
How I studied:
When I was only starting to think about preparing for CISSP, I came across Dmitry Orlov's blog, where he posted an (almost) complete Russian translation of the 5th edition of Shon Harris's CISSP All-in-One Exam Guide. This work is truly titanic, and it is done at the highest level: excellent Russian, attention to terminology and formatting. Reading it is a pleasure. Hats off to Dmitry.
However, my goal was the certification, and passing an English-language exam from a Russian textbook is, I think, nearly impossible. So I read the Russian version slowly before the preparation proper, trying to grasp the general essence.
Searching Amazon for CISSP turns up a lot of textbooks, question collections and so on. But the basic textbooks are the Official Guide from (ISC)² and the book by the same Shon Harris (yes, Shon is a woman; see the photo on the right). New editions of both books were due out at the end of 2012. I waited for that moment, and in February, a week after ordering from Amazon, both books were on my desk. Two heavy bricks of 1,500 pages each hinted that it was time to get down to business.
And then I made my main mistake. Ignoring the advice of colleagues on the forums, I reasoned that I had already read the previous edition of Shon Harris in Russian and that the Official (ISC)² Guide probably covered the exam topics more fully, so I chose it as my main textbook. That was very foolish. The Official (ISC)² Guide is not merely written less clearly than Harris's book. It is written terribly. The material is presented inconveniently, confusingly and illogically. The chapters are not numbered, and the heading style changes arbitrarily throughout the book, so it is not clear what is nested in what. There are confused or duplicated paragraphs. There are spelling errors even in the names of chapters (domains)! Traditionally, the description of the RADIUS protocol in every information security book is for some reason very crooked, but here all records were broken. The forums suggested that the English and the terminology of the Official (ISC)² Guide are closer to the exam, but even that seems dubious to me (different people write the exam and the book). I would recommend not spending money on this book at all, even as a second source.
I booked the exam for June 4, so I had 3 months to study. If I had not already read the Russian version of the textbook, that would not have been enough. I recommend drawing up a study plan in advance. It lets you notice much earlier that you are falling behind. If you study 2-3 hours on weekdays and 6-8 hours on weekends, one domain can be learned in a week. Then at the end everything needs to be reviewed and as many practice questions as possible solved. I had no opportunity to study at work, and on weekends there was always something else to do, so I fell behind schedule almost immediately. As a result, in May I took vacation days between the public holidays, and by the end of the month I had to become a recluse.
Many people fail this exam the first time precisely because they initially believe, mistakenly, that you can read the textbook and go take it. With that approach there is practically no chance of passing. By the end of the book the first domains have evaporated from memory entirely. So I decided to write a summary in English, and at the end to review it and solve questions. In the summary I wrote only what I did not know or was afraid of forgetting. It came to one and a half 80-sheet notebooks in loose handwriting. The point is that the CISSP textbooks are themselves so densely packed that they read more like summaries. If Shon Harris still allows herself the occasional lyrical digression and real-life example, the Official (ISC)² Guide simply fires facts at you like a machine gun.
Besides these books, the following sources are popular:
www.logicalsecurity.com/education/education_cbt.html - video courses by Shon Harris. I have never understood how people prepare for a certification with video courses: a lot of time is wasted, yet the depth is still insufficient and you will have to read the book anyway. Still, the courses are always popular. Perhaps this format will suit you.
www.amazon.com/CISSP-CAP-Prep-Guide-Platinum/dp/0470007923 - many praise Ronald Krutz's CISSP preparation books. I had no opportunity to evaluate them. This book is often named as an alternative to Shon Harris's textbook, since Shon is a great lover of lyrical digressions and childish humor, which drives some people crazy.
www.amazon.com/CISSP-Study-Guide-Second-Edition/dp/1597499617 - Eric Conrad's book is distinguished by its brevity and clarity. A prepared reader can use it for study, referring to other guides for additional details. Thanks to bugaga0112358 for the recommendation.
An incredibly important part of preparation is solving as many questions as possible across all 10 domains. This lets you identify weak spots (which will certainly remain even after the most careful study of the book) and get used to the exam format.
The textbooks have questions after each domain, plus Shon Harris's book comes with a separate book of 1,400 questions. The downside of the questions in textbooks for any certification is that they test knowledge of the chapter you have just read, not "exam-style" knowledge. Those who have taken Cisco exams will understand me.
So I bought a six-month subscription to the practice questions at www.cccure.org for $40 and never regretted it. The question engine is convenient, if a bit slow. It works well on a tablet or phone, so I solved questions exclusively lying on the sofa or basking in the spring sun on the balcony. Some of the questions on the site are free, so you can judge for yourself before buying. The correct answer is explained in great detail, with large chunks of theory and external links.
Before the exam I solved a little over 1,700 questions across all domains (which is not much; there was no time for more), which let me shore up my knowledge. Experienced people recommend reaching 80% in each domain before considering yourself prepared. Believe me, that is not easy. I tried a domain I thought I had studied well and got 60 percent and a slight shock. It is sobering, and it destroys the illusion that after reading the book once you know everything.
The whole Internet is full of posts saying that practice questions are all very well, but nothing compares in difficulty to the real exam questions. I did not find that to be so. In my opinion, the questions at www.cccure.org are even a little harder than the exam. Moreover, the exam does not contain the frankly idiotic questions found in every collection (in the style of "how much weight must the floor bear under each of the 4 legs of a class 3 fireproof cabinet according to the 1973 Brazilian classification").
Practice questions get you used to the exam format, and that saves a great deal of time and nerves in the real "battle". Your eyes run habitually through the text of the question, your brain almost automatically discards the wrong answers as it has already done a couple of thousand times, you settle into a working mood and click through question after question without being distracted by anything.
Here are a couple of sources of practice questions:
www.isc2.org/studiscope/default.aspx - questions from the exam's authors. They are prohibitively expensive and there are few of them. If you have money to spare, you can buy them.
booksite.syngress.com/companion/conrad - free questions from Eric Conrad, author of the CISSP book and podcast.
www.amazon.com/CISSP-Practice-Exams-Second-Edition/dp/0071792341 - a book by Shon Harris with additional practice questions.
As of September 3, 2013, 184 people in Russia held valid CISSP certificates (84,430 worldwide). Belarus, Ukraine and Kazakhstan add another 1, 16 and 7 respectively. Even combined, we have fewer CISSPs than, for example, Malaysia, Ireland, Poland or South Africa. Hence the conclusion: looking for sensible materials and information in Russian is not a good idea. It is better to go straight to English-language resources.
The material is not particularly exotic, so almost everything can be googled. As one fellow candidate rightly noted, "Google is my wife, and Wikipedia is my mistress." You can chat with colleagues, ask questions or read about others' exam experience on the cccure.org forum or in themed groups on LinkedIn (there are really powerful communities there, with many people who have already passed helping newcomers; even Shon Harris herself appears sometimes).
securhotel.blogspot.ru is Andrey Shishkin's blog, where he posts mind maps of the CISSP domains. Lately everyone is crazy about mind maps, but I personally prefer good old notes.
www.securityhelp.ru/cissp/naiz.pdf, www.securityhelp.ru/cissp/Overley_Updated.pdf - "cheat sheets" for the course, convenient for reviewing material on public transport, for example.
securitycerts.org/review/cissp-acronyms.htm - a list of abbreviations for all domains. Useful for review.

Boot camp training is very popular in the West. We are not far behind either.
Offhand, CISSP preparation is offered by at least 2 training centers in Moscow: Microinform and Echelon. Microinform was the first in this field (back when the exam was on paper, it was taken there), and Echelon had an interesting offer for after-work training.
The advertising claims that the courses will prepare you for the exam in the best possible way. However, you should not overestimate classroom study. There is so much material that no course can give it all to you. You need to go there already partly prepared, to ask questions and listen to the advice of seasoned professionals.
My personal opinion: such training makes sense only if your company sends you there. That is, as an alternative to sitting in the office it is effective, but in the same week of self-study at home you will learn 10 times more.
The exam is booked through the Pearson VUE system (I paid $599). First you need to register at www.isc2.org and get an ID.
I would recommend booking the exam at the very start of preparation, to fix a clear deadline for yourself. This helps you get into gear and start preparing intensively earlier. Otherwise the preparation can go on forever.
In Moscow, at the moment, you can take it at two testing centers (at the Academy of National Economy in the South-West and at the ACET center on Oktyabrskaya); there are also centers in St. Petersburg and Kiev.
There are so few test centers because the requirements for them are stricter. I have not seen such security measures at any exam before.
My description of how I took the exam turned out too much in the LiveJournal style, which I think is not really appropriate on Habr. Those not interested in reading the heart-rending diary entry are invited to skip straight to the Tips section.
I decided to write down some tips for passing the exam that I consider useful.
1. You need to learn "with a margin." The story above was meant to illustrate this point. You may fall ill, get nervous at the exam, or be distracted by something at the test center (noise, people, etc.). In addition, exam questions are updated more often than textbooks. That is, a certain percentage of questions will not have been covered in the textbook at all.
2. Questions, especially long ones with a lot of information, are best read from the end: first the question itself, then the data. Otherwise you can wade through a page of text with a heap of details and numbers only to find at the end that the question is purely methodological and all the information above is completely unnecessary. And precious time is wasted.
3. Doubtful questions can be flagged so you can return to them at the end. My advice: be sure to mark the most likely answer right away. There may be no time to return, you are hardly wiser by the sixth hour, and intuition helps a lot with many methodological questions.
4. There are very few questions to which you can give the right answer immediately. Questions in the style of "What is the length of an MD5 hash?" or "What is the name of the technology for logically dividing a local network into broadcast domains at the switch level?" make up 10 percent at most. You need to spend 5 seconds on them in order to have time for the majority of questions, where 2-4 of the 4 answers are correct and you must choose the best one. Here you must work by elimination and immediately strike out the wrong answers in your mind. This seems obvious advice, but from my own experience I can say that after the third hour your attention starts to dissipate and you catch yourself re-reading again and again options you have already discarded. You have to control yourself strictly. Once you have crossed out an option, it no longer exists for you.
5. Practice solving test questions against a timer in advance, to make sure there is no time for doubt and lengthy thinking. You stall on 1 question, and as a result you run out of time for 3 much easier ones. You must act decisively. If you do not know for sure, re-read the question; there may be clues. If you still do not know, intuition helps to choose among the 2-3 most probable answers. There will be no time for long doubts and doodling squiggles in a notebook.
6. There are fundamental concepts that run like a common thread through all 10 domains. They must always be kept in mind. The main ones:
a. Human life and health are always the most valuable. No data or rules can be more important than a human life (even the offender's).
b. A CISSP is not an engineer, admin or pentester. It is primarily a manager who establishes a controlled, process-based approach to security in the organization and thinks in terms of cost of ownership, risk, asset value, legislation, etc. Keep this in mind and many questions will be much easier to answer.
7. It is not for nothing that 5 years of work in the field is required of CISSP candidates. Real experience helps a lot. However, you must be careful: when taking the exam, always prefer the concept from the book to real experience. Judging by the flame wars on the forums over relatively simple questions from the course, the distortions of real experience make it very hard for many people to answer correctly. People take CISSP to organize their knowledge and master key concepts. Rather than crossing swords in forum skirmishes, it is better to think about why your experience differs from the concept and what you can improve in your work.
8. The CISSP exam used to be accused of being very focused on US law. When I saw practice questions like "What is the essence of the Fourth Amendment to the Constitution from an information security point of view?" I was quietly horrified. By my impression, about 40 percent of candidates are now specialists from India, Pakistan and so on (usually from the Big Four audit firms). So the exam has been thoroughly cleaned of American specifics. From this follows a rule: the answers must be universal. Unless it is stated, for example, that the country has a case-law system, the answer should be suitable for any widespread legal system.
9. Many questions are very convoluted (this is not Cisco or Microsoft). Do not let double negatives ("what should not be done to prevent...") or superfluous information confuse you. Mentally reformulate the question in simpler terms (for example, no + no = yes).
10. To pass the exam it is important to have a good command of English, and far from only technical English. However, gaps in language skills can be compensated for quite well by reading CISSP textbooks and solving practice questions. It is very important to clearly understand the difference between the "keywords" and the nuances of their use: must, should, may, most, least, enough, etc.
11. The questions contain financial and managerial terms that may not be entirely clear to a techie. I understood this at the preparation stage, and so actively consulted Google, as well as my mother (an accountant) and my girlfriend (a financial auditor), on matters of valuing tangible and intangible assets, revenue, income, depreciation, inventory, etc. I learned a lot.
12. (ISC)² has a Code of Ethics ((ISC)² Code of Ethics). People often ignore it, simply signing it as just another agreement. That is a big mistake. You need to know the Code practically by heart (it is very short) and start from it in questions related to ethics and decision-making.
13. Just as not all yogurts are equally healthy, not all domains are equally important. It is usually recommended to pay particular attention to the following domains: Information Security and Risk Management, Access Control, Security Architecture, Telecommunications and Network Security, BCP and DRP. However, by my impression, there were plenty of questions from every domain.
Let's talk about cheaters.
Traditionally in Russia many exams are passed with braindumps, i.e. by memorizing the answers to stolen exam questions. In the West the situation is somewhat different (they have a better understanding of the need for personal professional growth, and work may hold you to account if fraud is discovered), but freeloaders are still a dime a dozen. All the popular certifications (Cisco, Microsoft and the like) can be passed without knowing anything. A friend of an acquaintance passed a two-hour exam in 15 minutes because he had memorized the answers by their first letters and did not even have to read the questions during the exam. The Americans requested the video from the training center, but he had no cribs, so they had to issue the certificate. Such talent, if only it were put to peaceful use...
You do not even have to buy dumps: stolen questions are stolen again from the sellers and posted on the Internet.
When the CISSP was taken on paper at the same time all over the world, it was almost impossible to steal questions in advance, because they were prepared afresh for each new sitting. Now the situation has changed. The exam organizers understand that the weakest link is the test centers. That is why the exam can be taken only at a very small number of test centers with enhanced security measures. However, a leak is likely all the same. I hope this does not discredit the certification in future.
Judging by the forums, as of this summer there were no up-to-date dumps either publicly available or on sale. At the same time there is a heap of fake collections of questions compiled from textbook exercises, ancient exams and other rubbish. I saw a touching comment under a dump of 215 questions: "Thank you so much, I scored 1000 out of 1000! The dump is completely accurate!" Given that the exam has 250 questions (from a pool of unknown size) and no score is reported on a pass, that is hard to believe. But some naive soul may well waste money and an exam attempt on it.
Dumps can, of course, be used as a free source of practice questions of dubious quality, but that completely contradicts the CISSP Code of Ethics. Decide for yourself.
Now about crib sheets. You can probably smuggle cribs into the exam, but using them will be very problematic. The test centers really do monitor this closely (unlike the training centers that administer "ordinary" exams). And there is not enough time anyway. As one of my colleagues rightly noted, even having a computer with Internet access would not help at all in passing this exam. Only your own brain can work at the speed required to pass.
I hope what is written above discourages any desire to step onto the slippery slope of cheating. Passing an exam of this level honestly will let you respect yourself a little more.
People often do not pass CISSP on the first try, and there is no need to beat yourself up about it. As a rule, after the exam people understand themselves why they failed. Plus, the problem topics are highlighted in the exam report.
The first retake is possible after 30 days, then the intervals grow: the second after 90 days, the third after 180. If you have failed twice, you are doing something wrong. On the forums, of course, there are sad posts in the spirit of "today I'm taking it for the 5th time; if I fail, I don't know whether life is worth living". But they should not discourage you. Usually after a failure a person simply realizes that they have not studied enough, buckles down to study twice as hard and passes on the second attempt. Or gives the whole thing up.
You are not a CISSP yet. You are a CISSP Associate. The rules strictly forbid calling yourself a CISSP anywhere at this stage. The punishment is a lifetime ban from certification.
A couple of working days after the exam you will receive congratulations and a description of the many opportunities now open to you: participation in themed meetups and conferences, subscriptions to members-only publications, various "club member" services, etc. The most interesting part is at the end: how, in fact, to get the long-awaited certificate.
More than once I have read coy comments that the exam is only the first stage and the certification proper begins after it. I do not think filling out a couple of forms deserves such solemnity.
You will need to write a resume in English with details of your experience by domain (this is the main thing and where the emphasis lies), education, other certifications and any publications you have. The second document is the Endorsement form. It must carry the signature of a current CISSP confirming the data in your resume, and in general that you are a worthy and upstanding person.
The resume data may be verified further. For example, I was asked for a scan of my diploma (my degree in information security counted as a year of experience, since I was three months short of five years).
If you have not yet accumulated the required experience, you can remain a CISSP Associate until you gain the missing year or two.

You do not have to retake the exam to maintain CISSP status. Instead, you must pay the Annual Maintenance Fee (AMF) and earn Continuing Professional Education (CPE) credits. The AMF is currently $85. CPEs are awarded for training in the field, attending conferences, reading professional literature, etc. The most credits are given for speaking and teaching in information security. You must earn at least 120 CPEs over 3 years, and at least 20 CPEs in each year. At first glance that seems a lot, but in fact, if you really work in the profession, collecting these credits is not so hard.
Many people ask what comes next after passing CISSP. There is no direct path "upward". In its class, this certification is recognized by most as the highest. So it makes sense to develop the specializations relevant to you.
(ISC)² has several specializations for CISSP, but they are not very popular here.
If you are an auditor or manager, you can look towards ISACA certifications. CISA and CISM are popular and well known in Russia. I have not heard of anyone taking the venerable CGEIT (Governance of Enterprise IT) or CRISC (Risk and Information Systems Control).
Certifications in ISO 27000, PCI DSS, ITIL, COBIT, etc. are quite popular among information security specialists (especially auditors). But if you work in these areas, you hardly need my advice.
In penetration testing, the CEH certification from EC-Council is popular. Rarely has a penetration tester resisted the temptation to stroke his ego by steamrolling it with criticism. However, if you regard CEH as a kind of baseline and a collection of methodologies (journalists want scandalous hacks and 0-days, while corporate customers want above all predictable and reproducible testing), then it is not bad at all.
Vendor certification tracks are chosen by specialization. The most popular (not by chance, of course) information security certifications are from Cisco and Microsoft. Any more or less large vendor has its own certifications.
The material turned out to be voluminous, but I think a person who has embarked on the difficult path of preparing for CISSP will find time to read it and, as a result, will save a lot of time.
I wish you to pass the first time. And for this you need to learn from the right textbooks, and not from your mistakes. I hope the article helps you with this a bit.
I will be glad to answer questions and supplement the article with your materials.
Yankin Andrey, CISSP

What is CISSP?
CISSP certification is said to be 20 miles wide and an inch deep. It is hard to put it better. You do not need to understand each topic thoroughly, but your knowledge must cover all 10 domains in an even layer, without gaps.
To obtain the CISSP title, you must pass a six-hour written exam of 250 questions across the 10 domains, agree to the (ISC)² Code of Ethics, and confirm at least five years of experience in at least 2 of the 10 domains, endorsed by a specialist holding a valid CISSP certificate.
Why take it?
I would highlight the following main reasons:

• Knowledge. Many have probably heard the mournful argument that all these certifications are needed by no one, have nothing to do with real knowledge, etc. It seems to me that this is the opinion of people who either did not pass the certification in question or did not pass the one they needed. It is naive to believe that a certificate equals knowledge, or that a piece of paper can replace real experience. However, nothing organizes knowledge and exposes gaps like preparing for a certification. This applies to vendor certifications, and doubly so to "conceptual" certifications like CISSP. For me this motivation was the main one, and I am pleased with the result.
• Employment. No doubt, a venerable certification looks good on a resume, but here I would not want to be especially encouraging. The vast majority of employers in Russia have never heard of any CISSP, and if a company is mature enough in this matter, it will be interested primarily in the real knowledge and experience behind the certification. The exception is system integrators, who constantly have to prove their expertise to customers by presenting lists of completed projects and the very certificates of their employees.
• Professional pride. Recognition by the professional community and colleagues. Or, more simply, ego. The military has medals, athletes get black belts and sports ranks, at McDonald's they hang the employee of the month on the wall. I think there is nothing wrong with healthy ambition.
A thousand reasons not to take it
The Internet is full of heated battles over whether CISSP certification is necessary and sufficient. They will have tired you out well before you finish preparing for the exam. You open a forum thread discussing the Operations Security domain and find that 80% of the comments are arguments. Whereas abroad it is customary to get the certificate and then show off a photo of it burning, among our compatriots the more popular stance is "I haven't read it, but I condemn it".
To make a decision, you need to know all the opinions. So, a couple of links:
An article with a classic holy war (flame war) in the comments:
www.infosecisland.com/blogview/22257-Your-CISSP-is-Worthless-So-Now-What.html
An ancient article by the current icon of Russian "paper" information security, Alexei Lukatsky, which still sits at the top of search results on the Runet:
www.pcweek.ru/infrastructure/article/detail.php?ID=65988
Presentation "Why You Should Not Get a CISSP" (thanks to jekap for the tip):
attrition.org/security/conferences/why_you_should_not_get_a_CISSP-public.pdf
Examination and proof of experience
Below I will talk about my experience of passing, but for now the dry facts:
The exam consists of 250 questions across all domains. You get 6 hours without a break, which works out to an average of 1.5 minutes per question. You may step out to rest, drink some water or use the toilet, but only at the expense of your own time. By the end, stress and tension exhaust you completely and your speed drops. So you really need to spend no more than a minute per question.
All questions have 4 answers, from which you must choose the best one. That one word, "best", is the crux and the whole difficulty of the CISSP exam. Questions testing knowledge of some unambiguous fact are in the minority. Almost all questions have several correct answers, and you must choose the best one from the standpoint of the methodologies and best practices that make up the course (and there are hundreds of those). Well, and common sense has not been abolished.
Previously the exam was taken on paper and held only 2-3 times a year. Since last year, however, it is taken on a computer, at any time when the test center has a seat. Older CISSPs grumble that the certification is no longer the same. Yes, the feeling of a special, solemn ritual is gone, but taking it on a familiar computer is much more comfortable, and this, in my opinion, genuinely saves time on the exam. Previously you had to copy the answers from the draft and carefully fill in the boxes next to the answers. Now there is none of that, which, it seems to me, gives the candidate 40 extra minutes. However, the questions are not getting easier, and new topics are added to the course every year, so it will certainly not be easy.
Passing the exam is not enough; you still have to confirm five years of experience in at least 2 of the 10 domains. This scares away many young professionals, as well as people who previously worked in other fields. However, there are a couple of features that help bring the certification closer. A higher education degree in information security counts as one year of experience. If you have no such degree, a year of experience can be gained by holding one certification from this list. Most of them are exotic, but you might have CCSP / CCNP Security if you have worked with Cisco. And the CompTIA Security+ exam can be passed simply in the course of preparing for CISSP, because it covers about the same material, only 10 times easier. The list also includes CISM and CISA, but if you have those, your experience is most likely fine anyway.
Your experience must be endorsed by a current CISSP holder. If you cannot find one, (ISC)² will act as your endorser.
Preparation
How I studied:
When I was only just thinking about preparing for CISSP, I came across Dmitry Orlov's blog, where he posted a full (well, almost full) Russian translation of the 5th edition of Shon Harris's CISSP All-In-One Exam Guide. This work is truly titanic, and it is done at the highest level. Excellent Russian, attention to terms and formatting. Reading it is a pleasure. Hats off to Dmitry.

However, my goal was certification, and passing the English exam after reading a Russian textbook is, I think, almost impossible. So before starting preparation proper, I slowly read the Russian version, trying to grasp the general essence.
Searching Amazon for CISSP turns up a great many textbooks, question collections, etc. But the basic textbooks are the official guide from (ISC)² and the book by the same Shon Harris (yes, Shon is a woman; see photo on the right). At the end of 2012 new editions of both books were due to go on sale. I waited for that moment, and in February, a week after ordering on Amazon, both books were on my desk. Two heavy bricks of 1,500 pages each hinted that it was time to get down to business.
And then I made my main mistake. Ignoring the advice of colleagues on the forums, I decided that I had already read the previous edition of Shon Harris in Russian, and that the Official (ISC)² Guide probably covered the exam topics more fully, so it was the one I chose as my main textbook. That was a big mistake. The Official (ISC)² Guide is not merely written less clearly than Harris's book. It is written simply awfully. The material is presented inconveniently, confusedly and illogically. The chapters are not numbered, and the style of the headings changes arbitrarily throughout the book, so it is not clear what is nested in what. Confused or duplicated paragraphs occur. There are spelling errors even in the names of chapters (domains)! Traditionally, the description of the RADIUS protocol in every information security book is for some reason very crooked, but here all records were broken. The forums suggested that the English language and terms in the Official (ISC)² Guide are closer to the exam, but even that seems dubious to me (different people prepare the exam and the book). I would recommend not spending money on this book at all, even as a second source of information.
I booked the exam for June 4, so I had 3 months to study. Had I not read the Russian version of the textbook beforehand, that would not have been enough time. I recommend preparing a study plan in advance. This lets you notice much earlier that you are falling behind. If you study for 2-3 hours on weekdays and 6-8 hours on weekends, one domain can be learned in a week. Plus, at the end of the study you need to repeat everything and solve as many practice questions as possible. I had no opportunity to study at work, and on weekends there was always something else to do, so I fell off the schedule almost immediately. As a result, in May I took vacation between the holidays, and by the end of the month I had to turn into a recluse.
Many people fail this exam on the first attempt precisely because they initially believe, mistakenly, that you can just read the textbook and go take it. With this approach there is practically no chance of passing. By the end of the book, the first domains have evaporated from memory completely. So I decided to write a summary in English, and at the end to repeat it and solve questions. In the summary I wrote only what I did not know or was afraid to forget. It came to one and a half 80-sheet notebooks in loose handwriting. The point is that in terms of density of material, the CISSP textbooks themselves are more like summaries. If Shon Harris occasionally allows herself lyrical digressions and real-life examples, the Official (ISC)² Guide simply spits out facts like a machine gun.
In addition to these books, the following sources of information are popular:
www.logicalsecurity.com/education/education_cbt.html - video courses by Shon Harris. I have never understood how people prepare for certifications with video courses: a lot of time is wasted, yet the depth is still insufficient and you will have to read the book anyway. Nevertheless, courses are always popular. Perhaps this format will suit you.
www.amazon.com/CISSP-CAP-Prep-Guide-Platinum/dp/0470007923 - many praise Ronald Krutz's books on preparing for CISSP. I had no opportunity to evaluate them. This book is often named as an alternative to Shon Harris's textbook, since Shon is a great lover of lyrical digressions and childish humor, which drives some people crazy.
www.amazon.com/CISSP-Study-Guide-Second-Edition/dp/1597499617 - Eric Conrad's book is distinguished by its brevity and clarity. A prepared reader can use it for study, referring to other guides for additional details. Thanks to bugaga0112358 for the recommendation.
Solving questions
An incredibly important part of preparation is solving as many questions as possible across all 10 domains. This lets you identify weak spots, which will certainly remain even after the most careful study of the book, and also get used to the exam format.
There are questions in the textbooks after each domain, and a separate book with 1,400 questions accompanies Shon Harris's book. The downside of the questions in any certification textbook is that they test knowledge of the chapter you have just read, and are not "like in the exam". Those who have taken Cisco exams will understand me.
So I bought a six-month subscription to the practice questions at www.cccure.org for $40 and did not regret it afterwards. The question engine is convenient, albeit a bit slow. It works well on a tablet or phone, so I solved questions exclusively lying on the sofa or basking in the spring sun on the balcony. Some of the questions on the site are free, so you can evaluate everything yourself before buying. The correct answer is explained in great detail, with large chunks of theory and external links.
For the exam I solved a little over 1,700 questions across all domains (this is quite little; there was not enough time for more), which allowed me to shore up my knowledge. Experienced people recommend reaching 80% in each domain and only then considering yourself prepared. Believe me, this is not easy. I took on a domain that I thought I had studied well, and got 60 percent and a slight shock. It sobers you up and destroys the illusion that after reading the book once you will know everything.
The whole Internet is full of posts saying that any practice questions are good, but the real exam questions are incomparably harder. I did not think so. In my opinion, the questions from www.cccure.org are even a little harder than the exam. In addition, the exam does not contain the frankly idiotic questions found in all collections (in the style of "how much weight must the floor withstand under each of the 4 legs of a class 3 fireproof cabinet according to the Brazilian classification of 1973").
Practice questions help you get used to the exam format, and that greatly saves time and nerves in the real "battle". Your eyes habitually run through the text of the question, your brain almost automatically discards the incorrect answers, as it has already done a couple of thousand times, you get into a working mood and click through question after question without being distracted by anything.
Here are a couple of sources of test questions:
www.isc2.org/studiscope/default.aspx - questions from the authors of the exam. They are prohibitively expensive, and there are few questions. If you have spare money, you can buy them.
booksite.syngress.com/companion/conrad - free questions from Eric Conrad, author of the CISSP book and podcast.
www.amazon.com/CISSP-Practice-Exams-Second-Edition/dp/0071792341 - a book by Shon Harris with additional practice questions.
Internet
As of September 3, 2013, 184 people in Russia held valid CISSP certificates (84,430 in total worldwide). Belarus, Ukraine and Kazakhstan add another 1, 16 and 7 people respectively. Even combined, we have fewer CISSPs than, for example, Malaysia, Ireland, Poland or South Africa. Hence the conclusion: looking for sensible materials and information in Russian is not a good idea. It is better to go straight to English-language resources.
The material is not particularly exotic, so almost everything can be googled. As one fellow candidate correctly noted, "Google is my wife, and Wikipedia is my mistress." You can chat with colleagues, ask a question or read about others' exam experiences on the cccure.org forum or in thematic groups on LinkedIn (there are really strong communities there, with many people who have already passed and who help newcomers; even Shon Harris herself shows up sometimes).
Useful resources
securhotel.blogspot.ru is Andrey Shishkin's blog, where he posts mind maps of the CISSP domains. In recent years everyone has gone crazy about mind maps, but I personally prefer good old notes.
www.securityhelp.ru/cissp/naiz.pdf, www.securityhelp.ru/cissp/Overley_Updated.pdf - "cheat sheets" for the course, convenient for reviewing material on public transport, for example.
securitycerts.org/review/cissp-acronyms.htm - a list of abbreviations for all domains. Useful for reviewing material.
Classroom training

Boot Camp training is very popular in the West. We are not far behind either.
Offhand, CISSP preparation is offered by at least 2 training centers in Moscow: Microinform and Echelon. Microinform was the first in this area (earlier, when the exam was on paper, it was taken there), and Echelon had an interesting offer for after-work training.
Advertising claims that the courses will prepare you for the exam in the best possible way. However, you should not overestimate classroom study. There is so much material that no course will cover it all. You need to arrive already partially prepared, to ask questions and listen to the advice of seasoned people.
My personal opinion: such training is rational only if your company sends you there. That is, as an alternative to sitting in the office it is effective, but in the same week of self-study at home you will learn 10 times more.
Booking the exam
The exam is booked through the Pearson VUE system (I paid $599). First you need to register on the site www.isc2.org and get an ID.
I would recommend booking the exam at the very beginning of preparation, in order to clearly mark for yourself the moment this work must be finished. This will help you get into gear and begin intensive preparation earlier. Otherwise the preparation may drag on forever.
In Moscow, at the moment, you can take the exam at two testing centers (at the Academy of National Economy in the South-West and at the ACET center on Oktyabrskaya); there are also centers in St. Petersburg and Kiev.
There are so few test centers because the requirements for them are stringent. I have not seen such security measures at any exam before.
The description of how I took the exam turned out to be too much in the LiveJournal style, not really appropriate for Habr, I think. Those who are not interested in reading heart-rending lytdybr (diary-style rambling) are invited to skip straight to the Tips section.
How I took the exam
Everyone advises not to study on the last day, but to rest and sleep well. The idea is that if you don't know it by now, it's too late to cram. The main thing is to come to the exam with a rested brain.
This tip is not for me. I always review the material the night before. The whole evening before the exam I reread my notes and went over the classifications.
In the afternoon I bought a small snack and water and went to the bookstore for a paper dictionary. The rules allow you to bring a general-purpose dictionary to the exam (specialized ones are prohibited). The dictionary is checked to make sure it contains no cheat sheets, and also that it gives only translations of words and has no expanded dictionary entries.
By the end of the day I realized that drinking cold juice in the heat had not been a good idea: I got sick.
The night before the exam my throat hurt like it had never hurt before. From the pain I could not fall asleep until 4 in the morning. Then the painkillers and Coldrex won and I fell asleep. At 8 in the morning I woke up completely sick, had breakfast, drank another Coldrex and went to the exam full of gloomy thoughts. Nose drops and tablets were added to the snack and water.
I took the exam at ACET on Oktyabrskaya. I had checked by telephone in advance how to find them, and for good reason: the center is right by the metro, but finding it the first time is not so simple.
The center's employee turned out to be a very polite and pleasant grandmother who nevertheless carefully checked my pockets, took all my belongings and my watch, and checked 2 identification documents (these can be a Russian passport, a foreign passport, a driver's license, a credit card; the main thing is that at least one of them has a photo). Only 1 document and the dictionary can be taken into the room. They would not even allow the nose drops. Only a scarf.
You are given a "washable" notepad, markers for it and earplugs. The clerk also gave me yellow construction-site ear defenders in case the noise in the room interfered and the earplugs did not help (there are several machines there, and people take a variety of exams). In fact, it was very quiet the whole time during the exam; no one was making noise.
In the hall you sit under a camera that films you from above. Your passport must always be on the table. To enter and leave the hall you have to put your hand on a scanner, to rule out substituting the candidate when leaving for the toilet, for example. By the way, the toilet is also separate there, so that the candidate cannot leave the controlled area. There were no cameras in there, it seems :)
My plan was this: I answer questions for 3 hours, then, between the 3rd and 4th hour, take a 10-minute break (toilet, water, chocolate bar). And then back into battle. Taking many breaks is rather stupid: many people do not have enough time (1.5 minutes for each of the 250 puzzling questions is very little). Productivity drops rapidly towards the end, so in the first 3 hours I had to answer, I figured, at least 150 questions.
I decided not to put questions off for later, leaving that option for the most extreme case.
When I was taking my first Cisco exam as a student, the second question I got was a lab that was shamelessly buggy (almost all stories about Cisco exams start with the words "the lab was buggy"). I fiddled with it for a very long time and started to get really nervous when after 25 minutes I was still on the second question. Fortunately, I then managed to catch up with the schedule. On this exam, by contrast, the first questions helped me calm my nerves and get to work. The question format was very familiar after completing the practice tasks from cccure.com, and their difficulty seemed to me even lower.
For the next 3 hours I worked like a machine. Fully focused on the exam. People periodically entered and left the hall, but I hardly noticed them. My heart was beating fast but evenly. Because of the adrenaline in my blood, it felt as if I had just gulped down a can of energy drink. Apparently, due to the prolonged stress of the last weeks of preparation, of which this exam was the culmination, I now felt some unusual, harsh determination. Even if I did not know the answer, I quickly and without hesitation chose the best answer in my opinion and moved on.
As a result, after 3 hours I had passed 200 questions, significantly ahead of plan. But my nerves were also starting to smell of burnt contacts. I decided to slow down and calmly walk to the end of the exam. Then the illness took its toll. My head ached and my temperature rose. Every next 10 questions came with great difficulty. My attention was scattered. At some point it even became hard for me to read the dictionary. The lines swam, and the white pages began to float in different colors. My muscles ached, and even sitting was very hard.
I realized that if I took a break and left, it would be very difficult to come back. So I pushed through to the end of the exam, slowly answering the last questions. As a result, 4 hours after the start of the exam I reached the 250th question and clicked the end test button.
I don't think the creators of the exam consciously wanted to mock candidates so cruelly, but the final screen, I think, can cause a nervous fit in especially sensitive candidates. It starts with the phrase "Congratulations...". But do not rush to dance the Yablochko on the table. It is congratulating you on completing the test. The result is printed automatically on the printer of the center's employee.
The realization that I had passed, and the joy of it, came only outside the doors of the test center. During preparation I had hoped to celebrate success (if things went well) by stretching out in the sun on the summer terrace of a cafe right after the exam, lazily sipping from a mug. In fact, I barely crawled home, fell into bed and lay in it for almost a week with the most severe flu. Fortunately, then came vacation, and I still got a good rest.
Tips ...
I decided to write down some tips for passing the exam that I consider useful.
1. You need to learn "with a margin." The story above was meant to illustrate this point. You can get sick, get nervous at the exam, or be distracted by something in the test center (noise, people, etc.). In addition, exam questions are updated more often than textbooks. That is, there will be a certain percentage of questions that were not covered in the textbook at all.
2. Questions, especially long ones with a lot of information, are best read from the end: first the question itself, then the data. Otherwise you can fight your way through an A4 page of text with a bunch of details and numbers, only to find at the end that the question is purely methodological and all the information above is completely unnecessary. And precious time is wasted.
3. Doubtful questions can be flagged so you can return to them at the end. My advice: always put down the most likely answer right away. There may be no time to return, you are hardly wiser by the sixth hour, and intuition helps a lot on many methodological questions.
4. There are very few questions to which you can immediately give the right answer. Questions in the style of "What is the length of an MD5 hash?" or "What is the name of the technology for logically dividing a local network into broadcast domains at the switch level?" make up 10 percent, no more. Spend 5 seconds on them in order to have time for the majority of questions, where 2-4 of the 4 answers are correct and you need to choose the best one. Here you must work from the opposite direction and immediately eliminate incorrect answers mentally. This seems like obvious advice, but from my own experience I will say that after the third hour attention begins to dissipate and you catch yourself rereading again and again the options you have already discarded. You must control yourself tightly. Once an option is crossed out, it no longer exists for you.
5. Practice solving test questions with a timer in advance to convince yourself that there is no time for doubts and long deliberation. You stall on 1 question, and as a result you do not have enough time for 3 much easier questions. You must act decisively. If you don't know for sure, re-read the question; there may be clues. If you still don't know, intuition helps to choose from the 2-3 most probable answers. There will be no time for long doubts and drawing squiggles in a notebook.
6. There are fundamental concepts that run like a red thread through all 10 domains. They must always be kept in mind. The main ones:
a. Human life and health are always the most valuable. No data or rules can be more important than human life (even the life of the offender).
b. A CISSP is not an engineer, admin or pentester. This is primarily a manager who establishes a controlled, process-based approach to security in the organization and thinks in terms of cost of ownership, risk, value of assets, legislation, etc. Keep this in mind and many questions will be much easier to answer.
7. It is not for nothing that 5 years of work in the specialty is required from applicants for the CISSP title. Real experience helps a lot. However, one must be careful. When taking the exam, always prefer the concept from the book to real experience. Judging by the flame wars on the forums over relatively simple questions from the course, the distortions of real experience make it very difficult for many to answer the questions correctly. People take CISSP to organize their knowledge and master key concepts. Rather than crossing swords in forum skirmishes, it's better to think about why your experience differs from the concept and what you can improve in your work.
8. Previously, the CISSP exam was accused of being very focused on US law. When I saw in the practice questions something like "What is the essence of the Fourth Amendment to the Constitution from the point of view of information security?", I was quietly horrified. By my estimate, now about 40 percent of candidates are specialists from India, Pakistan, etc. (usually from the Big Four audit firms). Therefore, the exam has been well cleaned of American specifics. From this follows the rule: the answers to the questions must be universal. If it is not stated, for example, that the country has case law, then the answer should be suitable for any widespread legal system.
9. Many questions are very convoluted (this is not Cisco or Microsoft for you). Do not let double negation ("what should not be done to prevent ...") and unnecessary information confuse you. Mentally reformulate the question in simpler terms (for example, no + no = yes).
10. To pass the exam, it is important to have a good knowledge of English, and far from only technical English. However, one can compensate for gaps in language skills well by reading CISSP textbooks and solving test questions. It is very important to clearly understand the difference between the "keywords" and the specifics of their use: must, should, may, most, least, enough, etc.
11. The questions contain financial and managerial terms that may not be entirely clear to a techie. I understood this at the preparation stage and therefore actively consulted Google, as well as my mom (an accountant) and my girlfriend (a financial auditor), on questions related to the valuation of tangible and intangible assets, revenue, income, depreciation, inventory, etc. I learned a lot.
12. (ISC)² has a Code of Ethics ((ISC)² Code Of Ethics). People often ignore it, simply signing it as just another agreement. This is a big mistake. You need to know the Code practically by heart (it's very short) and proceed from it in questions related to ethics and decision making.
13. Just as not all yogurts are equally healthy, not all domains are equally important. It is usually recommended that you pay particular attention to the following domains: Information Security and Risk Management, Access Control, Security Architecture, Telecommunications and Network Security, BCP and DRP. However, by my impression, there were plenty of questions from every domain.
... & Tricks
Let's talk about cheaters.
Traditionally in Russia, many exams are passed using dumps, that is, by memorizing answers to stolen exam questions. In the West the situation is slightly different (they have a better understanding of the need for personal professional growth, and they may be fired if the fraud is revealed), but cheaters are a dime a dozen anyway. All popular certifications (the same Cisco, Microsoft) can be passed without knowing anything. An acquaintance of a friend passed a two-hour exam in 15 minutes because he had learned the answers by the first letters of the questions; he did not even have to read them on the exam. The Americans requested the video from the training center, but he had no cheat sheets, so they had to issue the certificate. Such talent, if only it were put to peaceful use ...
At the same time, you do not even need to buy dumps: stolen questions are stolen again from the sellers and posted on the Internet.
When the CISSP was taken on paper, at the same time all over the world, it was almost impossible to steal questions in advance, because they were prepared anew for each exam. Now the situation has changed. The exam organizers understand that the weakest point is the test centers. Therefore, you can take the exam only in a very small number of test centers with enhanced security measures. However, leaks will most likely happen anyway. I hope this does not discredit the certification in the future.
According to the forums, there were no up-to-date dumps in the public domain or for sale in the summer. At the same time there is a bunch of fake question collections compiled from textbook exercises, ancient exams and other trash. I saw a touching comment under a dump of 215 questions: "Thank you very much, I passed 1000 out of 1000! The dump is completely correct!" Given that there are 250 questions in the exam (from a database of unknown size), and scores are not reported on a pass, it is hard to believe. But someone naive may even waste money and attempt the exam on that basis.
Dumps, of course, can be used as a free source of practice questions of dubious quality, but this is completely contrary to the CISSP Code of Ethics. Decide for yourself.
Now about cheat sheets. You can probably smuggle cheat sheets into the exam, but using them will be very problematic. The test centers really do monitor this closely (unlike the training centers that administer "ordinary" exams). And there is not enough time anyway. As one of my colleagues correctly noted, even having a computer with Internet access would not help at all in passing this exam. Only your own brain can work at the speed needed to pass.
I hope that what is written above discourages any desire to step onto the slippery path of deception. Passing an exam of this level honestly will let you respect yourself a little more.
And it's worth all the trouble.

After exam
If you have not passed
People often do not pass the CISSP the first time; there is no need to beat yourself up over it. As a rule, after the exam people themselves understand why they did not pass. Plus, problematic topics will be highlighted in the exam report.
The first retake is possible after 30 days, then the intervals grow: the second after 90 days, the third after 180. If you have failed twice, then you are doing something wrong. On the forums, of course, there are sad posts in the spirit of "today I'm taking it for the 5th time; if I fail, I don't know whether it's worth living on". But they should not discourage you. Usually, after a failure, a person simply realizes that he has not studied enough, throws himself into studying with double the effort, and passes the second time. Or gives the whole thing up.
So you passed
You are not a CISSP yet. You are a CISSP Associate. The rules strictly forbid you at this stage to call yourself a CISSP anywhere. The punishment is a lifelong ban from certification.

More than once I have read coy remarks that the exam is only the first stage, and the certification itself begins afterwards. I do not think that filling out a couple of forms deserves such solemnity.
You will need to write a resume in English with data on experience broken down by domain (this is the main thing, this is where the emphasis lies), education, other certifications and any publications you have. The second document is the Endorsement form. It must bear the signature of a current CISSP, confirming the data from your resume and, in general, that you are a worthy and positive person.
Resume data may be verified further. For example, I was asked for a scan of my diploma (a higher education degree in information security counted as one year of experience, since I was 3 months short of the 5 years).
If you have not gained the necessary experience, you can remain in CISSP Associate status until you gain the missing year or two.
Certification support

The exam does not need to be retaken to maintain CISSP status. Instead, you must pay the Annual Maintenance Fee (AMF) and earn Continuing Professional Education (CPE) credits. The AMF is now $85. CPEs are given for training in the specialty, attending conferences, reading professional literature, etc. The most credits are given for speaking and teaching in the field of information security. At least 120 CPEs must be earned over 3 years, and at least 20 CPEs in each year. At first glance this seems like a lot, but in fact it turns out that if you really work in the profession, earning these credits is not so difficult.
What's next?
Many people ask this question after they pass the CISSP. There is no direct path "upward". In its class, this certification is recognized by most as the highest. Therefore, it is logical to develop the specializations that are relevant to you.

(ISC)² has several specializations for CISSP, but they are not very popular here.
If you are an auditor or manager, then you can look towards certifications from ISACA. The CISA and CISM certifications are popular and well known in Russia. I haven't heard of anyone taking the venerable CGEIT (Governance of Enterprise IT) and CRISC (Risk and Information Systems Control).
Certifications in ISO 27000, PCI DSS, ITIL, COBIT, etc. are quite popular among information security specialists (especially auditors). But if you are working in these areas, my advice, I think, is already useless to you.
In the field of penetration testing, the CEH certification from EC-Council is popular. Rare is the penetration tester who has resisted the temptation to flatter his ego by running a steamroller of criticism over it. However, if you perceive CEH as a kind of baseline and a collection of methodologies (journalists need scandalous hacks and 0-days, while corporate customers primarily need predictable and reproducible testing), then it is not bad at all.
Vendor certification tracks are chosen by specialization. The most popular (not by chance, of course) information security certifications are from Cisco and Microsoft. Any more or less large vendor has its own certifications.
Conclusion
The material turned out to be voluminous, but I think a person who has embarked on the difficult path of preparing for the CISSP will find the time to read it and, as a result, will save a lot of time.
I wish you to pass the first time. For this you need to learn from the right textbooks, not from your mistakes. I hope this article helps you with that a bit.
I will be glad to answer questions and to supplement the article with your materials.
Yankin Andrey, CISSP