[ISN] Testing Your Mettle: The Six-Hour, 250-Question CISSP Exam

From: Eric Wolbrom (eric@SHTECH.NET)
Date: Mon Apr 02 2001 - 15:09:35 CDT


http://certcities.com/editorial/exams/story.asp?EditorialsID=25

Testing Your Mettle: The Six-Hour, 250-Question CISSP Exam

Roberta sits for the grueling Certified Information Systems Security
Professional exam and survives.
by Roberta Bragg
3/25/2001 --

        Does an alphabet soup of acronyms, which stand for
certifications that you've obtained, follow your signature? Are you
wondering which, if any, are really valuable? Are you contemplating a
worthwhile certification challenge? Have you been working in the
information system security arena? If so, the Certified Information
Systems Security Professional (CISSP) designation may be right for
you.

Now, I don't like taking examinations, and I'm convinced that most IT
certification programs don't produce professionals worth the piece of
paper their certificates are printed on. So why did I sit a six-hour
certification exam covering 10 areas of information system security
knowledge, sans water or coffee, with six sharpened pencils and a big
eraser as my only company? Why did I pay $200 for some study guides,
a $450 examination fee, and several hundred dollars to attend a
workshop? Why, for three months, did I give up my Thursday nights to
attend a study group, and many other hours to study things like
lattice-based access controls, ALE calculations, the Montreal
protocol, and the Bell-LaPadula and Biba models?

Why indeed.

When I grew up I was taught to value professionalism. Daddy taught me
how to judge qualifications not by the letters behind someone's name
but by what those letters stood for and how the person got them. We
may not have had Internet-available 'brain dumps' or electronic exam
discs, but we had paper mills: when I was growing up, every matchbook
cover had instructions on getting your advanced degrees by mail. The
issue among true professionals then, as now, was not what to do to
guarantee success and a high income; it was what career path one
should choose, and then which career markers one needed in order to
pursue it. If a program, certification or stamp of approval had status
or recognition in the industry, good. If it didn't, then it was
meaningless and ignored.

You see, the certification mills and their frantic attendees have got
it all wrong: It's not about collecting certifications, it's about
obtaining the knowledge and experience that these certifications
should represent.

Today, like yesterday, it's important to seek out those programs that
are recognized as serving as evidence of your ability to excel. The
CISSP certification is one of them. It was first developed to help
identify professionals who had the knowledge base, ethics and
commitment to manage information systems security for government and
industry. Today there are more than 4,000 holders of this
certification, and the demand for professionals who are CISSPs is
skyrocketing. Thousands of employers require, or desire, applicants
to have this International Information Systems Security Certification
Consortium (ISC2)-sponsored certification. It is recognized worldwide
as a symbol of professionalism and accomplishment in the field. I
took the exam to obtain it. Here's how you can get there too.

Requirements
To be a CISSP you must do three things:

* Have and be able to prove three years of direct experience in one or
more of the 10 domains of the information systems security Common
Body of Knowledge (outlined below).
* Subscribe to the ISC2 Code of Ethics.
* Pass a 250-question examination based on the 10 domains.

In order to apply to take the exam, each candidate has to identify
the jobs and experience that fulfill the three years of qualifying
experience. You don't have to have the word 'security' in your job
title, but you do have to offer evidence of a career path that
equates to three years in the information system security field.
While the best teacher is experience, ISC2 recognizes that not all
security professionals have worked, or will ever work, in all 10
domains. Some knowledge can come from study, whether self-study,
attendance at workshops and seminars, or participation in study
groups. More on how to prepare for this exam later in this article.

During the application process, as well as at the examination, you'll
be asked if you have read and agree to the ISC2 code of ethics. The
code can be found at the ISC2 web site (www.isc2.org) and consists
of four mandatory canons followed by additional direction. Of
course, supporting this code of ethics is not only the purview of
CISSPs; all information systems groups might consider it a high-water
mark for membership.

The Common Body of Knowledge
It is easier for people to communicate and work together if they
share common goals and knowledge. The Common Body of Knowledge (CBK)
is a list of 10 information system security domains of knowledge,
developed to help information systems people better communicate with
each other. While no one is expected to be an expert in all domains,
all are expected to know a fair amount in each. Passing the exam means
that you have the minimal requisite knowledge. The 10 domains, each
followed by a description, are listed below:

1. Access Control Systems and Methodology
Methods of limiting, controlling and monitoring system access. Do you
understand current industry and government techniques? Can you
explain the risks, exposures and ultimate consequences of using or
not using each technique?

2. Telecommunications & Network Security
What are the basic mechanisms on which networks work? A solid
knowledge of TCP/IP is expected. How can transmissions be secured?
How do firewalls, routers, and other engines work?

3. Business Continuity & Disaster Recovery Planning
If a major disruption to normal business operations (flood,
hurricane, earthquake, explosion, etc.) happened, would business
operations continue? How could they be recovered? What's the plan?

4. Security Management Practices
What are an organization's information assets, and what are its
policies for their protection? How are standards, procedures and
policies managed? How is data classified, and how are risks assessed
and analyzed? What are the security roles within an organization?

5. Security Architecture & Models
How are operating systems designed, implemented and monitored for
security? What are the controls used?

6. Law, Investigations and Ethics
Current law, regulations, investigative measures. Evidence gathering.
Has a crime been committed?

7. Application & Systems Development
What controls exist within software? What steps are taken during
development to ensure security? What about change control, data
warehousing, program interfaces?

8. Cryptography
How does cryptography provide integrity, authentication,
confidentiality and non-repudiation? What algorithms are used to
provide key distribution and digital signatures? How are attacks
mounted?

9. Computer Operations Security
Controls for hardware, media and operators.

10. Physical Security
Biometric, lighting, locks, alarms, fences.

Preparing for the Exam
The first thing you'll want to do is download the official study
guide from the ISC2 Web site. (Note: Candidates must fill out a
request form to get this document.) Each of the 10 domains should
suggest areas for you to study. A good course of action is to locate
at least one good resource for each domain that you have no practical
experience with.

If you're looking for books, SRV Professional Publications sells a
set of CISSP examination textbooks. The first volume describes the
domains, while the second offers hundreds of sample questions that
can help you get oriented to the types of questions on the exam.

Another series of books I like is Hal Tipton's annual series, "The
Information Security Management Handbook." Each volume contains a
large number of articles written by a wide variety of authors. You
won't want to use this as your only source of study, but it is a
must-have.

Another book, "The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security" by Ronald Krutz and Russell Dean Vines, will be
published in August 2001 by John Wiley & Sons.

There are no "bootcamps" available for the CISSP exam, or screaming
radio ads that claim to provide you with this coveted certification,
but then, that's not the point, right? You're supposed to learn this
stuff, so that, on the day of the exam, you can truly enter the
testing room with the attitude of "Well... if I don't pass, look at
all the neat stuff I learned along the way."

ISC2 does offer one-day, four-day and eight-day workshops, ranging in
price from $395 to $3,075. Or you could always join a study group;
anyone can form one, and lots of people do. No workshop or study
group presents its offerings as a sure pathway to success, but they
do help. I was blessed with being able to both attend Hal Tipton's
one-day 'Introduction to the CISSP Exam' and participate in a 12-week
study group sponsored by our local Kansas City chapter of the
Information Systems Security Association (ISSA). Tipton's class
(given as a pre-conference workshop at the Computer Security
Institute conference in Chicago, November 2000), was invaluable in
providing me with a good review. Many people use it as a scorecard to
tell what they need to do to get ready for the exam. It's a good
thing to do prior to starting your studies to scope out the extent of
what you'll need to do, or at the end, as a sort of readiness review.

In the ISSA study group I joined, each domain was reviewed by a local
CISSP with expertise in that area. We also used the SRV books as a
study guide. There was, of course, plenty of time at the
meetings for questions, and often one of the participants brought in
a book or article to further elucidate some point from a previous
meeting. One of the best benefits of the study group was getting to
know more of the information security folks from my area, and it was
sure nice to see friendly faces and hear words of encouragement just
prior to the actual exam.

My Exam Experience
I arrived slightly early for the exam. Since it was held in my city,
I didn't need to travel, but that was lucky -- you may need to travel
quite a distance in order to take this exam.

I did need to bring a registration letter, which was collected at the
exam, and picture ID. Our local ISSA chapter provided some snacks and
we were told we could bring some food and water. No breaks in the
six-hour long exam period are scheduled, and no food or drink could
be kept at the exam table. But by raising my hand, I was allowed to
escape to the restroom and then the food tables for a minute's
respite (one person at a time is allowed this privilege). It was
great to stand at the back of the room munching on cheese, drinking
coffee and thinking about something other than A? B? C? or D?

The exam was heavily proctored. Just in case anyone decided to ignore
their signature on the code of ethics, we were told that any hint of
cheating would get us removed from the room and our exam papers
destroyed.

The exam is paper-based, featuring a numbered booklet and a
computer-scannable answer sheet (it'll bring back memories of college
entrance exams), both of which are provided. I was advised to bring a
number of number 2 pencils to mark answers. My seat for the exam was
assigned, and I was asked to record the exam booklet number on the
answer sheet. Different versions of the exam exist, we were told, and
the pool of questions is said to be 1,200. The questions in the pool
change each year; this keeps the exam current and, incidentally,
prevents knowledge of the questions from leaking out.

Since the exam is not given on a computer, no result was available
when I finished. I was lucky; I was headed out of town on a gig and
didn't have to check the mail each day looking for a letter. The Web
site currently advertises an 18-day turnaround, but some CISSPs tell
me it hasn't always been so swift. By the way, if you pass, you'll
never know your score; if you fail, you'll get a score and pointers
to the areas you had trouble with.

Although I'll admit to some trepidation approaching the exam, I
didn't feel it was overwhelmingly difficult. The questions were
varied, comprehensive and reasonably straightforward. The main
problem with it is the huge amount of material it covers, and the
long time it takes to complete. There were some questions to which I
had no idea of the answer, but I knew enough of them. When the letter
arrived, a little lapel pin accompanied it. Weeks later, a rather
nice wall plaque arrived. I am a CISSP.

Would I sit that exam again? That's a rather moot point at the
moment, but I'm sure not going to let it happen through negligence.
I'm well aware that to keep my CISSP cert, I'll have to obtain 120
continuing professional education (CPE) credits over the next three
years. It seems there's no rest for the weary.
--
____________________________________________________________________
Eric Wolbrom, CISSP
President & GCD
Safe Harbor Technologies
106 Corporate Park Drive
White Plains, NY 10604
Voice 914.644.6060 ext. 6000
Fax 914.644.6050
http://www.shtech.net

We are here to help you keep your communications yours!!!
_____________________________________________________________________

ISN is hosted by SecurityFocus.com