Introduction to CISSP Study Guide
Certified Information Systems Security Professional, known in short as CISSP, is a certification for information security professionals. CISSP is popular among individuals who want to pursue a management role in the information security field. The certification was developed by the International Information Systems Security Certification Consortium, known in short as (ISC)2. It is a pathway for professionals and managers who want to enter a security leadership career, and it is widely accepted as an eligibility requirement by companies and organizations in the IT sector.
CISSP certification can lead to roles such as chief security officer (CSO), chief information security officer (CISO), and chief technical officer (CTO). The CISSP certification is a prime requirement for several positions in the private and government sectors. The CISSP exam requirements are extensive and demand a good amount of knowledge of IT security and risk management. Passing the CISSP exam confirms that the individual possesses sound knowledge of IT security, which counts as an asset in management and leadership positions.
Important Domains for CISSP Exam
The CISSP exam covers a broad range of information security subjects. These are divided into ten different domains, and each domain is broken down into exam objectives. Before taking the exam you must be proficient in each domain:
- Access control systems and methodology
- Telecommunications and network security
- Security management practices
- Application and systems development security
- Cryptography
- Security architecture and models
- Operations security
- Business continuity planning and disaster recovery planning
- Law, investigation, and ethics
- Physical security
Let us discuss each of these domains in detail:
1st domain – Access control systems and methodology
Under this domain you should be able to describe the common access control techniques in detail:
- Discretionary access control
- Mandatory access control
- Lattice-based access control
- Rule-based access control
- Role-based access control
- The use of access control lists
- Details of access control administration
- Explanation of access control models:
  - Information flow model
  - Noninterference model
  - Clark-Wilson model
  - State machine model
  - Access matrix model
You should also be able to explain identification and authentication techniques, centralized and decentralized access control, common methods of attack, and intrusion detection.
2nd domain – Telecommunications and network security
Identify the key areas of telecommunications and network security, including the International Organization for Standardization / Open Systems Interconnection (ISO/OSI) layers and their characteristics:
- Physical layer
- Data link layer
- Network layer
- Transport layer
- Session layer
- Presentation layer
- Application layer
Knowledge of the design and function of communications and network security, covering the following topics:
- Physical media characteristics: twisted pair, fiber optic, and coaxial cabling
- Wide area networks (WANs)
- Local area networks (LANs)
- Secure remote procedure call
- Network topologies: star, bus, and ring
- IPSec authentication and confidentiality
- Network monitors and packet sniffers
- TCP/IP characteristics and confidentiality
- Remote access and telecommuting techniques
- Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS)
Also describe the protocols, components, and services involved in internet, intranet, and extranet design:
- Services: SDLC, ISDN, HDLC, Frame Relay, X.25
- Protocols: TCP/IP, IPSec, SKIP, swIPe, SSL, S/MIME, SET, PEM, CHAP, PAP, PPP, SLIP
Knowledge of the techniques for detecting, preventing, and correcting errors in a communications security system is also tested, because these are what maintain the integrity, availability, and confidentiality of transactions over networks. They include:
- Hash tools
- Network monitors and packet sniffers
- Virtual private network
- Network address translation
- Re-transmission controls
- Record sequence checking
- Transmission logging
- Transmission error correction
Knowledge of the areas of communication and the methods of securing them; cover the following points in depth:
- Secure voice communication
- Email security
- Security boundaries and their translation
- Forms of network attack: ARP, brute force, worms, flooding, eavesdropping, sniffers, spamming, PBX fraud and abuse
3rd domain – Security management practices
- Understanding of the principles of security management and management responsibility in the information security environment.
- Understanding of risk management and its solutions.
- Detailed understanding of data classification and of determining the policies and practices that enhance information security.
- Change control used to maintain security, and security awareness training.
4th domain – Applications and Systems Development
Explore data issues and demonstrate an understanding of:
- Database and warehouse issues.
- Web services, storage and storage systems.
- Knowledge-based systems and challenges of distributed and non-distributed environments.
- System development controls and the definition of malicious code.
- Make use of coding practices that reduce system vulnerability.
5th domain – Cryptography
- You should study the use of cryptography in detail, including confidentiality, integrity, authentication, and non-repudiation.
- PKI management and the common methods of attacking encryption, covering both basic and specific attacks.
6th domain – Security architecture and models
Under this, you must understand how security models differ for public and government systems.
- Study the models: Bell-LaPadula, Biba, Clark-Wilson, and access control lists.
- Understanding of TCSEC, ITSEC, Common Criteria, and IPSec.
7th domain – Operations security
Under this domain lies the identification of the key roles of operations security.
- You should be able to identify protected, restricted, and controlled resources and the OPSEC process.
- Define threats and countermeasures, and explain audit logs, intrusion detection, and penetration testing techniques.
- Understanding of antivirus controls, secure email, and data backups.
8th domain – Business continuity and disaster recovery
Under this section, you must study the difference between disaster recovery planning and business continuity planning. This can be done by documenting the natural and man-made events that need to be considered in making disaster recovery and business continuity plans.
9th domain – Law, investigation, and ethics
This domain covers the fundamentals of computer crime law and how computer crime is proven in court, and discusses computer ethics.
10th domain – Physical security
Understanding the most common vulnerabilities and their effects on asset classes. Understanding of the principles of theft of information and assets. Knowledge of designing, constructing, and maintaining a secure site, and of handling removable electronic media.
Tips on Taking the Exam
- Individuals must read all the topics before the exam.
- Complete the questions and exercises of each topic step by step.
- Assess your knowledge by practicing; this shows you which topics need more focus.
This has been a guide to the CISSP study guide. Here we discussed the important domains for the CISSP exam, along with some useful tips on taking the exam.