7-Step Guide to Pass the CISSP Exam

Slides: 45
Provided by: DebbieChri8

Transcript and Presenter's Notes

1
7-Step Guide to Pass the CISSP Exam
  • Phoenix ISSA
  • February 3, 2003
  • Debbie Christofferson
  • Sapphire-Security Services
  • DebbieChristofferson_at_earthliink.net 480-988-4194

2
  • "31 percent of the certificants in the 2002 study
    received a job promotion within the first year
    after receiving their primary technical
    certification." - CertMag.com

3
Agenda
  • Specific criteria you must meet to become a CISSP
  • Exactly what the CISSP exam includes
  • Tips and tricks to pass the CISSP exam in the
    shortest easiest way
  • Secrets of successful CISSP exam preparation
  • What works and what doesn't
  • Options to help you prepare in the way that works
    best for you
  • What happens after you pass the CISSP exam
  • Other certification options

4
Bio Debbie Christofferson
  • CISSP CISM
  • Practiced leading edge Fortune 500 security
    management and consulting for 14 years, with 20
    overall years in the technology field.
  • Consultant, speaker, and published author.

5
CISSP
  • Certified Information Systems Security
    Professional
  • The certification is from the International
    Information Systems Security Certification
    Consortium, or ISC(2) (www.isc2.org).

6
Security Value
  • e-Business heightened the need for secure
    computing
  • Homeland Security heightened the visibility
  • The Information Security profession is hot!

7
Industry Credential
  • The Certified Information Systems Security
    Professional (CISSP) is a recognized industry
    credential for information security
    professionals. It can open doors for you, give
    you instant credibility, and demonstrate a
    specific level of valuable knowledge.

8
CISSP Designation
  • CISSP designation is to security people what CPA
    is to accountants

9
Certification Demand
  • Specialized certifications could cinch IT
    applicant job deal
  • Pay raises and bonuses based on certifications
    dropped with the economy, but demand for some
    coveted certifications has been rising, and the
    value of those certifications is predicted to
    increase.
  • Source: "Specialty certifications carry clout
    in 2003," by Ellen O'Brien, News Editor,
    20 Dec 2002, SearchDatabase.com

10
Security Demand
  • "People are scanning resumes for certifications
    and tossing aside ones that don't have any.
    Employers have to start somewhere."
  • - David Foote, president of Foote Partners, a New
    Canaan, Conn., research firm that specializes in
    tracking certification.
  • Security topped the list of certifications that
    increased in value in 2002, according to several
    surveys.
  • By most accounts, the prestigious Certified
    Information Systems Security Professional (CISSP)
    should retain its celebrity status in the coming
    year.
  • Source: "Specialty certifications carry clout
    in 2003," by Ellen O'Brien, News Editor,
    20 Dec 2002, SearchDatabase.com

11
CISSP Value
  • Recognizable industry credential, often required
    for many of the IS jobs
  • Enhances IS career
  • Guarantee of a specific set of skills and knowledge
    in the field
  • For companies paying for certification, employee
    morale is greater

12
CISSP Benefits: (ISC)2
  • Establishes best practices
  • Provides a solutions-orientation, not
    specialization, particularly with the broader
    understanding of the IS CBK
  • Access to a network of global industry and
    subject matter/domain experts
  • Resource for broad-based security information
  • Adds to credibility with the rigor and regimen of
    the certification examinations
  • Provides a business and technology orientation to
    risk management
  • Confirms a working knowledge of information
    security
  • Confirms passing of a rigorous examination
  • Career differentiator, with peer networking and
    added IS credibility
  • Broadening expectation of credentials

13
CISSP Benefits: bfq.com
  • Wide-spread acceptance of certification
    credentials.
  • Simplified recruiting and hiring - assures a
    minimum knowledge level in applicants, higher
    quality candidates, minimizes applicant
    screening.
  • Validated technical knowledge without being tied
    to a particular vendor's products. Gives
    substantial advantage in the fast-changing
    technology marketplace.
  • Competitive advantage in highly competitive
    technology markets, for certificate holder and
    hiring organization.
  • Beachfront Quizzer at www.bfq.com

14
CISSP Benefits: bfq.com
  • Wide-spread acceptance of certification
    credentials.
  • Enhanced job opportunities as many recruiters and
    hiring organization employ certification
    requirements.
  • Surveys consistently show enhanced salary and
    career advancement opportunities for certified
    individuals.
  • Recognized proof of professional achievement -
    Enhanced creditability and a respected
    credential.
  • Beachfront Quizzer at www.bfq.com

15
Certification Value
  • Price/value of a certification is one of the most
    important factors candidates consider when
    choosing a program
  • IBM's certifications rated as providing best
    price/value
  • Overall and against all attributes of vendors'
    certification programs, (ISC)2 was rated the
    highest
  • The more years a certificant has been in IT, the
    more money he or she makes
  • Source: Certification Magazine, December 2002,
    "Certification, Salaries and the IT Market," by
    Gary Gabelhouse

16
Top Certification Salaries
  • HP/Compaq Master ASE $81,131
  • (ISC)2 CISSP $80,195
  • Novell Master CNE $77,568
  • Oracle DBA $75,941
  • HP/Compaq Accredited Professional $72,285
  • HP/Compaq API $71,961
  • Lotus CLP $69,835
  • Citrix CCEA $68,578
  • Novell CNE $68,095
  • HP/Compaq APS $67,721
  • The average certification provides a 3.2-to-1
    ROI.
  • For every dollar invested in a certification, the
    certificant realizes a $3.20 return in the form
    of a pay raise.
  • Up from 2001 study (2.3-to-1 in 2001).
  • Vendors offering low-cost certifications provide
    best ROIs.
  • Top quartile with regard to vendors'
    certification ROI also includes (ISC)2, Lotus,
    Citrix and Cisco.
  • Source: http://www.certmag.com/issues/dec02/feature_gabelhouse.cfm

17
CISSPs
  • Earning and keeping the CISSP designation is no
    walk in the park

18
CISSP Application Criteria
  • 3-4 years direct IS experience in these or other
    related fields
  • Practitioner
  • Auditor
  • Consultant
  • Vendor
  • Investigator
  • Instructor
  • (ISC)2 Code of Ethics
  • College degree or equivalent life experience
  • Pass the CISSP exam
  • Renewed in 3-year increments
  • Annual maintenance fee
  • Continuous education

19
CISSP Exam
  • 250 Multiple choice questions
  • Up to 6 hours to complete the exam
  • Ten domains; you must pass them all
  • Exam questions based on ISC(2) Common Body of
    Knowledge (CBK)
  • The foundation for an experienced security
    professional

20
Ten Test Domains
  • Access Control
  • Applications and Systems Development
  • Business Continuity Planning
  • Cryptography
  • Law, Investigation and Ethics
  • Operations Security
  • Physical Security
  • Security Architecture
  • Security Management Practices
  • Telecommunications, Network and Internet Security

21
Recertification
  • Over 3 year period
  • 120 CPE (continuing professional education)
    credits
  • 80 CPEs (two-thirds) must be earned in activities
    directly related to the IS profession
  • 40 CPEs (one-third) may be earned in other
    educational activities that enhance the CISSP's
    overall professional skills, knowledge, and
    competency.
  • You must retake and pass the exam every three
    years as an alternative to achieving 120 CPEs

22
SSCP
  • International standard for practitioners of
    information security and understanding of a
    Common Body of Knowledge (CBK).
  • Focus on practices, roles and responsibilities as
    defined by experts from major IS industries.
  • The SSCP Certification exam has 125
    multiple-choice questions, with up to 3 hours
    given for completion.

23
SSCP
  • Seven domains
  • Access Controls
  • Administration
  • Audit and Monitoring
  • Risk, Response and Recovery
  • Cryptography
  • Data Communications
  • Malicious Code/Malware

24
Study Strategies that Work
  • Cold Turkey
  • Practice tests
  • Self-study
  • Study groups
  • Review seminar or course

25
CISSP Review Materials
  • Certification online study guides at
    https://www.isc2.org/cgi-bin/request_studyguide.cgi
  • www.srvbooks.com practice tests

26
CISSP Review Seminar
  • (ISC)² CISSP CBK
  • Scottsdale AZ, USA - The Training Camp
  • May 05-10, 2003
  • Jun 09-14, 2003
  • Register online at
    https://www.isc2.org/cgi-bin/cbk_register.cgi?seminardateid=351
  • Investment discounted for early registration and
    ISSA members ($2,245-$2,695)

27
CSI CISSP Review Seminar
  • Computer Security Institute - 3 days
  • Non-members $1,695
  • Members $1,545
  • Government rates available
  • Baltimore, MD May 7-9
  • New Orleans June 25-27 (right after the NetSec
    Conference).

28
CISSP or SSCP Exam
  • Scottsdale AZ, USA - The Training Camp
  • February 29, 2004
  • Investment $450-$550, based on early registration

29
After the Exam
  • CISSP application endorsement by qualified third
    party before credential is awarded
  • Candidate's employer
  • Any licensed, certified or commissioned
    professional may endorse a CISSP candidate
  • Annual maintenance fee $85
  • CISSP recertification every three years: 120 CPEs
    or retake exam
  • Random audits
  • Certification certificate and ID card
  • Optional CISSP directory listing, Speakers
    Bureau participation, serve on committees,
    participate in annual ISC(2) elections.

30
Other Security Certifications
  • ISACA CISA
  • Certified Information Systems Auditor
  • ISACA CISM
  • Certified Information Security Manager
  • SANS GIAC
  • Global Information Assurance Certification
  • ITAA ISA

31
CISA
  • ISACA lists 29,000 worldwide
  • While the CISSP is more technology focused, the
    CISA is geared toward information assurance, and
    business processes.
  • Beginning of competence in auditing and IT
    auditing
  • Auditing is biggest component
  • Common in IT auditing with audit firms, banking,
    and finance

32
CISA Exam Focus
  • Management, planning and organization of IS (11%)
  • Technical infrastructure and operational
    practices (13%)
  • Protection of information assets (25%)
  • Disaster recovery and business continuity (10%)
  • Business application system development,
    acquisition, implementation and maintenance (16%)
  • Business process evaluation and risk management
    (15%)
  • The IS audit process (10%)

33
SANS Security Institute
  • Global Information Assurance Certification
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Certified Firewall Analyst (GCFW)
  • GIAC Security Essentials Certification (GSEC)
  • Additional certifications will follow shortly,
    with the GIAC Certified UNIX Security
    Administrator (GCUX) next on the list for release.

34
Other Security Certifications
  • CISCO
  • CCSP (Cisco Certified Security Professional) is
    for network professionals who design and
    implement secure CISCO networks.
  • MCNS (Managing Cisco Network Security)
  • CSPFA (Cisco Secure PIX Firewall Advanced)
  • CSIDS (Secure Intrusion Detection System)
  • CSVPN (Cisco Secure VPN)
  • CSI (Cisco SAFE Implementation)

35
NSA's ISSEP Certification
  • The Washington Technology online magazine
    reported that ISC2 has been selected by the NSA
    to develop a new certification called ISSEP
    (Information Systems Security Engineering
    Professional).
  • Could become a best practice for people who want
    to do highly sophisticated information security
    work within the national security sector, and
    ultimately throughout government and private
    sector.
  • (ISC)2 plans to offer the new certification to
    all federal agencies and private-sector companies
    that do business with the federal government.

36
ISSEP Certification
  • The four new domains for the ISSEP certification
    are certification and accreditation, government
    policy and regulation, systems security
    engineering process and protection needs
    determination.
  • "The U.S. government has a unique set of
    standards for information security," said
    Patricia Moreno, chief of staff for NSA's
    Information Assurance Directorate. "We believe
    (ISC)2's longtime international expertise in
    professional certification best suits our
    training needs within NSA."

37
ITAA Survey on CISSP Hiring
  • Seventy-three percent said Certified
    Information Systems Security Professional (CISSP)
    certifications carry the most weight.
  • September 15, 2003 Press Release at
    www.itaa.org/news

38
Terms and Definitions
  • CBK - Common Body of Knowledge
  • CISA - Certified Information Systems Auditor
  • CISSP - Certified Information Systems Security
    Professional
  • CSI - Computer Security Institute
  • DoS - Denial of Service
  • SANS Institute - SysAdmin, Audit, Network,
    Security
  • SSCP - Systems Security Certified Practitioner

39
Resources - Books
  • CISSP All-in-One Exam Guide by Shon Harris
  • The Total CISSP Exam Prep Book: Practice
    Questions, Answers, and Test Taking Tips and
    Techniques by Thomas Peltier, Patrick D. Howard
  • CISSP for Dummies by Lawrence C. Miller

40
Resources - Books
  • 1. Total CISSP Exam Prep Book: Practice
    Questions, Answers, and Test Taking Tips and
    Techniques, Thomas R. Peltier, Howard D., Patrick
    Howard, Contribution by Curran,
    Paperback, July 2002
  • 2. The CISSP Prep Guide, Gold Edition, Ronald L.
    Krutz, Russell Dean Vines, Hardcover, October 2002
  • 3. CISSP for Dummies, Lawrence C. Miller, Peter
    Gregory, Peter H. Gregory, Paperback, September 2002
  • 4. Mike Meyers' CISSP Certification
    Passport, Shon Harris, Paperback, August 2002
  • 5. CISSP Certified Information Systems Security
    Professional Study Guide, Ed Tittel, James Michael
    Stewart, Mike Chapple, Hardcover, March 2003
  • 6. CISSP Exam Cram, Mandy Andress,
    Paperback, October 2001

41
Resources
  • CISSP Review Seminars: http://www.gocsi.com/
  • ISC(2) web site: www.isc2.org, www.cissp.com
  • Practice tests:
  • http://www.boson.com
  • www.cccure.org
  • www.srvbooks.com
  • www.bfq.com
  • Books: www.amazon.com
  • SANS Institute: www.sans.org
  • ISACA: www.isaca.org
  • CSI: www.gocsi.org

42
Resources - Certification
  • CISSP Certified Information Systems Security
    Professional (the CIS standard)
    http://web.idirect.com/iscwm/index.html
  • CISSP Review Course
    https://www.isc2.org/cgi/course_schedule.cgi
  • CISA Certified Information Systems Auditor
    http://www.isaca.org/cisacep2.htm
  • Information Security Management Handbook, Fourth
    Edition, Volume I by Micki Krause (Editor),
    Harold F. Tipton (Editor)
  • Information Security Management Handbook, Fourth
    Edition, Volume II by Harold F. Tipton (Editor),
    Micki Krause (Editor) (Hardcover)

43
Practice tests for misc certifications
  • For Cisco, Microsoft and Novell certification,
    and others. Some are free.
  • FreePractice (http://www.freepractice.com/default.htm)
  • SkillDrill (http://www.skilldrill.com/)
    Vendor-specific SkillDrill tests for Allaire,
    Citrix, Lotus and Microsoft certifications. Other
    exams cover network-related topics such as
    security, routing, switching, thin clients and
    broadband technology. Registered users can take
    the tests at no charge.

44
More Practice Tests
  • CertificationZone.com (http://www.certificationzone.com/)
    Specializes in Cisco CCNA, CCNP and
    CCIE exams. Free demos. Purchase the right to
    take a certification exam up to five times for
    $39.95, or a one year subscription for $179 to
    take up to 48 practice exams during the period. A
    $99 six-month subscription lets you take up to 24
    exams, and a $67 three-month subscription gives you
    access to 12 exams.