Easily this was the biggest test cram I’ve ever done. The (ISC)2 Review Seminar itself was 5 days of 8 hour reviews that covered the entire CISSP CBK. After each day I read chapters from the CBK book whenever I could find some spare time. I even color-coded the outside of the book so that it would be quicker to navigate:
Pretty, right? I even spelled DRP and BCP right! What do these acronyms mean? Excellent question! I’ll briefly explain all the sections covered by the CISSP CBK as of 2011. FYI: (ISC)2 revised the CBK after 2012, so don’t take these 100% at face value.
- Access Control – This is the fattest chapter in the book and hands-down the most important. Its so fundamental that I won’t explain it here, so just Google it or buy the CBK and read it. By a small margin, most of the exam questions are supposed to be from this section.
- Application Security -This chapter goes over the Software Development Life Cycle (SDLC), to what degree every part of the SDLC should be secured, an introduction to auditing, types of malware, everything you would want to know besides implementation details on managing the security of data and databases, and brief coverage on web application security.
- Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP) – This is the chapter that really drives home the importance of an organization’s full-on security initiative from the top-down. A quick and unofficial way to summarize this would be the ‘Bus Factor’, described to me by a baker I once met. Basically, someone has the ‘Bus Factor’ if their being hit by a bus at 60+mph would demolish your business.. For the baker, this would be the one guy who knows how to maintain and repair his stone wheat mill. For a poorly managed business operating an information system, this could be Joe sys admin who keeps the passwords in the pages of a random book only he knows about. This is like a miniature business impact analysis. Got it? Separation of duties is a very important concept here and a BCP takes it to an extreme. A business continuity planning as well of disaster planning. Disaster planning can be everything from backups, load balancers, to hot-sites ready to go when another system fails. This chapter goes over many aspects of DRPs. One thing that is stressed to no end is that an organization’s ‘overarching strategy’ should include security and that support for a security initiative must come from the top. If it gets mandated from the top, then everybody knows they need to be involved.
- Cryptography – To me, the most interesting chapter in the book. Fundamental cryptographic concepts are covered here. Be clear on the basics of symmetric ciphers before moving forward in this chapter. Then, gain an understanding of asymmetric encryption algorithms. Its very essential to be know how to differentiate between these. Another concept to wrap one’s head around is confidential messages with proof of origin (non-reputation). Understand hash functions, digital signatures, keys and key management, and then finally, attacks such as cryptanalysis attacks and statistical attacks.
- Information Security Governance and Risk Management – Do not spend too much time on this chapter. It is a great introduction to the concepts but Information Security Governance and especially Risk Management are different animals in the real world. (What do I mean by this? Just look at NIST SP 800-37’s rescription of the Risk Management Framework aka RMF) As with the BCP and DRP chapter, a common theme here is that an organization’s ‘overarching strategy’ should include security and that support for a security initiative must come from the top.
- Leal, Regulations, Investigations, and Compliance – The CISSP Code of Ethics states that all CISSPs must obey the law. This chapter is deceptively important. There are a number of tricky test questions that involve this material.
- Operations Security – Ever wondered why some restrictive policies exist? Read this chapter for a good discussion on that. The section about personnel is a definite highlight.
- Physical and Environmental Security – This chapter contains a lot of material that is used word-for-word on the test. While little of the test covers physical and environmental security, a read though this will guarantee at least a few correct answers on the exam, if not several.
- Security Architecture and Design – The instructor made a special effort to focus on this section of the book. Security architecture provides a framework for protecting assets business stakeholders care about. NIST’s 800 Series define a security architecture, i.e. Other security architectures include Zachman Framework, SABSA Framework, TOGAF Framework, and part of the ITIL. Its important to know what these are, the concepts shared by all of them, and key differences among them.
- Telecommunications and Network Security – Anyone who does not know TCP/IP and the 7 layer OSI model will need to pay extra attention to this chapter. For each layer the CBK describes security concerns. For others, everything in here is a basic review.
Overall the experience was quite exciting because I got to meet a classroom’s worth of security professionals. Genius me lost all of their contact info but regardless, I realized that it isn’t so hard to talk security speak. Half of it is understanding some very important distinctions that the CISSP CBK can be a good introduction to.
This introduction to the CISSP CBK has really evoked from me a lot of questions on the more technical side of what we learned. Half of why this curiosity remains is because many of the security professionals there actually didn’t understand the technical / implementation side of information security. As it turns out, the CISSP is actually a management certification. Other certifications like CEH go more in depth on the technical side of information security. In addition to CEH, network and cryptographic security topics are probably the most feasible topics for me to learn more about as long as I have access to Google. I’d wager that because the strategic and tactical side of information security changes less, the technical and implementation side is the most active.
Other aspects of the CBK like security architecture are much more high level and probably unique to any given organization. For this, the NIST 800 SPs are probably the best peek one can get into information security on an organizational level.