Introduction to CISSP Study Guide

The following article provides an outline for CISSP Study Guide. Certified information systems security professional, in short, it is known as CISSP; CISSP is a certification for security services. CISSP is famous among individuals who want to pursue a management role in the information security field. This certification was developed by the international information systems security certificate consortium, which in short is known as (ISC)2. This certificate is a pathway for professionals and managers who want to enter the security leadership career; this is well received for eligibility by companies and organizations in the IT sector.

CISSP certification can get you into the role of chief security officer (CSO), Chief Information security officer (CISO), chief technical officer (CTO). The CISSP certification is a prime requirement for several positions in the private and government sector. The CISSP exam requirements are extensive, requiring a good amount of IT security and risk management knowledge. After passing the CISSP exam, it can be confirmed that the individual possesses good knowledge of IT security, which can be counted as an asset for the individual in management and leadership positions.

Important Domains for CISSP Exam

The CISSP exam covers a broad range of information from security subjects.

These are divided into ten different domains, and each of these is broken to exam objectives; before taking the exam, you must be proficient in each domain:

Access control systems and methodology
Telecommunications and network security
Security management practices
Application and systems development security
Cryptography
Security architecture and models
Operations security
Business continuity planning and disaster recovery planning
Law, investigation, and ethics
Physical security

1. Access control systems and methodology

Access control systems and methodology under this the topics will be:

You should define common access control techniques in detail with:

Discretionary access control
Mandatory access control
Lattice-based access control
Rule-based access control
Role-based access control
The use of access control lists
Details of access control administration.
Explanation of access control models:
Biba
Information flow model
Non-inference model
Clark and Wilson
State machine model
Access matrix model

Its explanation of identification and authentication techniques, centralized/ decentralized control describes common attack methods and explains intrusion detection.

2. Network and telecommunications

The identification of key areas of telecommunication and network security.

International standards of organization/ open systems (ISO/OSI) interconnection layers and characteristics which includes:

Physical layer
Application layer
Transport layer
Datalink layer
Session layer
Network layer
Presentation layer

The knowledge from the design and function of communications and network security with the following topics:

Physical media characteristics which are twisted pair, fiber optics, coaxial.
Wide area networks (WAN’s).
Local area networks (LAN’s).
The secure remote procedure call.
Network topologies are star bus and ring topology.
IPSec authentication and confidentially.
Network monitor and packet sniffers.
TCP/IP characteristics and confidentiality.
Remote access/telecommuting techniques.
Remote access Dial-in user system/terminal access control.
Access system Radius and Tacacs.

Also describe the protocols, components, and services which are involved in internet or intranet or extranet design which are:

Proxies
Firewalls
Switches
Gateways
Services- SDLC, ISDN, HDLC, frame relay, x.25
Routers
Protocols –TCP/IP, IPSec, SKIP, SWIPE, SSL, S/MIME, SSL, SET, PEM, CHAP, PAP, PPP, SLIP

The knowledge about detecting, preventing, correcting errors techniques in the communication security system are asked so this can maintain the integrity, availability, and confidentiality of transactions over networks may be maintained it can be done through:

Tunneling
Ash tools
Network monitors and packet sniffers
Virtual private network
Network address translation
Transparency
Re-transmission controls
Record sequence checking
Transmission logging
Transmission error correction

Knowledge regarding areas of communication and methods of securing these cover the following points deeply:

Secure voice communication
Email security
Facsimile
Security boundaries and their translation
Forms of network attack knowledge- ARP, Brute force, Worms, flooding, eavesdropping, sniffers, spamming, PBX fraud and abuse

3. Security management and practices

The understanding of principles of security management and management responsibility in the information security environment.
Understanding of risk management and its solutions.
Detailed understanding of classifying data and determination of policies and practices to enhance information security.
Change control is used to maintain security and awareness with training regarding security.

4. Applications and systems development

Explore issues of data and demonstrate the understanding of:

Database and warehouse issues.
Web services, storage and storage systems.
Knowledge-based systems and challenges of distributed and non-distributed environments.
Study System development control and define malicious code.
Make use of coding practices that reduce system vulnerability.

5. Cryptography

You should study the detailed use of cryptography, including confidentiality, integrity, authentication, and non-repudiation.
PKI management and detailed common methods of attacking encryption with basic and specific attacks.

6. Security and architecture models

Under this, you must understand the security system for public and government models differently.

Study models- bell- LaPadula, Biba, Clark-Wilson, access control lists.
Understanding of TCSEC, ITSEC, common criteria, IPSec.

7. Operations security

Under this identification of key roles of operations security lies.

You should read the identity of protected, restricted, control and OPSEC process.
Define threats and countermeasures, explanation about audit logs, intrusion detection, and penetration testing techniques.
Antivirus controls and secure emails, data backup understanding.

8. Business continuity and disaster recovery

Under this section, you must study the difference between disaster recovery planning and business continuity planning.
This can be done by documenting the natural and man-made events that need to be considered in making disaster recovery and business continuity plans.

9. Law, investigation, and ethics

This should explain abut fundamentals of the law of computer crime which is proven in court. And discuss computer ethics.

10. Physical security

Understanding the most common vulnerabilities and their effects on asset classes. Understanding of theft principles for information and assets.
Knowledge of designing, constructing, and maintaining a secure site and removable electronic media.

Tips on Taking the Exam

Individuals must read all the topics before the exam.
Step by step, complete the question and exercise of each topic.
Assess your knowledge and identify the areas that require more attention by using CompTIA Security+ Practice Tests Dumps and Cisco CCNP 300-410: Practice Test Dumps for practice. This can help you determine which topic you need to focus on more.

References of CISSP Study Guide

Harris, S: CISSP exam guide, 2016.
Gordan, A: official ISC2 guide to CISSP CBK, 2015.
ISC2 II, ISC2 III, ISC2 IV: CISSP detailed content outline, 2017.
IT governance ltd, what is CISSP, 2016.

Quiz Result
Total Questions	Correct Answers	Wrong Answers	Percentage