Updated February 20, 2023
Introduction to CISSP Study Guide
The following article provides an outline for CISSP Study Guide. Certified information systems security professional, in short, it is known as CISSP; CISSP is a certification for security services. CISSP is famous among individuals who want to pursue a management role in the information security field. This certification was developed by the international information systems security certificate consortium, which in short is known as (ISC)2. This certificate is a pathway for professionals and managers who want to enter the security leadership career; this is well received for eligibility by companies and organizations in the IT sector.
CISSP certification can get you into the role of chief security officer (CSO), Chief Information security officer (CISO), chief technical officer (CTO). The CISSP certification is a prime requirement for several positions in the private and government sector. The CISSP exam requirements are extensive, requiring a good amount of IT security and risk management knowledge. After passing the CISSP exam, it can be confirmed that the individual possesses good knowledge of IT security, which can be counted as an asset for the individual in management and leadership positions.
Important Domains for CISSP Exam
The CISSP exam covers a broad range of information from security subjects.
These are divided into ten different domains, and each of these is broken to exam objectives; before taking the exam, you must be proficient in each domain:
- Access control systems and methodology
- Telecommunications and network security
- Security management practices
- Application and systems development security
- Security architecture and models
- Operations security
- Business continuity planning and disaster recovery planning
- Law, investigation, and ethics
- Physical security
1. Access control systems and methodology
Access control systems and methodology under this the topics will be:
You should define common access control techniques in detail with:
- Discretionary access control
- Mandatory access control
- Lattice-based access control
- Rule-based access control
- Role-based access control
- The use of access control lists
- Details of access control administration.
- Explanation of access control models:
- Information flow model
- Non-inference model
- Clark and Wilson
- State machine model
- Access matrix model
Its explanation of identification and authentication techniques, centralized/ decentralized control describes common attack methods and explains intrusion detection.
2. Network and telecommunications
The identification of key areas of telecommunication and network security.
International standards of organization/ open systems (ISO/OSI) interconnection layers and characteristics which includes:
- Physical layer
- Application layer
- Transport layer
- Datalink layer
- Session layer
- Network layer
- Presentation layer
The knowledge from the design and function of communications and network security with the following topics:
- Physical media characteristics which are twisted pair, fiber optics, coaxial.
- Wide area networks (WAN’s).
- Local area networks (LAN’s).
- The secure remote procedure call.
- Network topologies are star bus and ring topology.
- IPSec authentication and confidentially.
- Network monitor and packet sniffers.
- TCP/IP characteristics and confidentiality.
- Remote access/telecommuting techniques.
- Remote access Dial-in user system/terminal access control.
- Access system Radius and Tacacs.
Also describe the protocols, components, and services which are involved in internet or intranet or extranet design which are:
- Services- SDLC, ISDN, HDLC, frame relay, x.25
- Protocols –TCP/IP, IPSec, SKIP, SWIPE, SSL, S/MIME, SSL, SET, PEM, CHAP, PAP, PPP, SLIP
The knowledge about detecting, preventing, correcting errors techniques in the communication security system are asked so this can maintain the integrity, availability, and confidentiality of transactions over networks may be maintained it can be done through:
- Ash tools
- Network monitors and packet sniffers
- Virtual private network
- Network address translation
- Re-transmission controls
- Record sequence checking
- Transmission logging
- Transmission error correction
Knowledge regarding areas of communication and methods of securing these cover the following points deeply:
- Secure voice communication
- Email security
- Security boundaries and their translation
- Forms of network attack knowledge- ARP, Brute force, Worms, flooding, eavesdropping, sniffers, spamming, PBX fraud and abuse
3. Security management and practices
- The understanding of principles of security management and management responsibility in the information security environment.
- Understanding of risk management and its solutions.
- Detailed understanding of classifying data and determination of policies and practices to enhance information security.
- Change control is used to maintain security and awareness with training regarding security.
4. Applications and systems development
Explore issues of data and demonstrate the understanding of:
- Database and warehouse issues.
- Web services, storage and storage systems.
- Knowledge-based systems and challenges of distributed and non-distributed environments.
- Study System development control and define malicious code.
- Make use of coding practices that reduce system vulnerability.
- You should study the detailed use of cryptography, including confidentiality, integrity, authentication, and non-repudiation.
- PKI management and detailed common methods of attacking encryption with basic and specific attacks.
6. Security and architecture models
Under this, you must understand the security system for public and government models differently.
- Study models- bell- LaPadula, Biba, Clark-Wilson, access control lists.
- Understanding of TCSEC, ITSEC, common criteria, IPSec.
7. Operations security
Under this identification of key roles of operations security lies.
- You should read the identity of protected, restricted, control and OPSEC process.
- Define threats and countermeasures, explanation about audit logs, intrusion detection, and penetration testing techniques.
- Antivirus controls and secure emails, data backup understanding.
8. Business continuity and disaster recovery
- Under this section, you must study the difference between disaster recovery planning and business continuity planning.
- This can be done by documenting the natural and man-made events that need to be considered in making disaster recovery and business continuity plans.
9. Law, investigation, and ethics
- This should explain abut fundamentals of the law of computer crime which is proven in court. And discuss computer ethics.
10. Physical security
- Understanding the most common vulnerabilities and their effects on asset classes. Understanding of theft principles for information and assets.
- Knowledge of designing, constructing, and maintaining a secure site and removable electronic media.
Tips on Taking the Exam
- Individuals must read all the topics before the exam.
- Step by step, complete the question and exercise of each topic.
- Access your knowledge by practicing; this can help you with which topic you need more focus on.
References of CISSP Study Guide
- Harris, S: CISSP exam guide, 2016.
- Gordan, A: official ISC2 guide to CISSP CBK, 2015.
- ISC2 II, ISC2 III, ISC2 IV: CISSP detailed content outline, 2017.
- IT governance ltd, what is CISSP, 2016.
This has been a guide to the CISSP Study Guide. Here we discuss important domains for the CISSP study guide and also some useful tips on taking exams. You may also look at the following articles to learn more –