
Professional Certification

INSIDE…

76 Candidate Comments

82 Frustrating Questions

85 Briney’s Stack O’ Reading


I just took the CISSP exam, and I’m here to testify: Everything you’ve heard about it is true. It’s both disarmingly easy and bewilderingly difficult. It’s both legitimately challenging and totally unfair. It’s both incredibly rewarding and pull-out-your-hair-and-scream-to-the-heavens aggravating. It’s a mystery wrapped in a riddle inside an enigma.

And here’s the punch line: The exam is a metaphor for the CISSP credential itself. The CISSP is the undisputed heavyweight champion of infosec certifications, the gold standard, the pièce de résistance. Yet it’s routinely ridiculed as a “paper certification,” lacking depth or practical application. Even those who proudly use it like a third name—“Hi, I’d like to order a pizza; name’s John Doe, CISSP”—privately acknowledge that the cert isn’t all that it’s cracked up to be.

Did I pass? Yeah, I passed. And oh, what a relief. After I finished, I had absolutely no idea how I did. OK, everybody says that, but for some reason I thought I’d be different. I walked out with this feeling like I’d simultaneously way overprepared and yet…somehow…failed anyway. I still haven’t decided if that’s a good thing. It’s all part of the general weirdness surrounding this exam and certification.

Photographs by Dana Smith/Black Star

Certifiable

A newly minted CISSP gives you the inside scoop on infosecurity’s most coveted—and controversial—certification.

By Andrew Briney

www.infosecuritymag.com 73


This article is an attempt to explore, expose and possibly resolve some of these issues. Over the past eight months, I took the “full immersion” route to preparing for the CISSP exam. I read a half-dozen CISSP prep books, including two 1,000-page tomes. I attended two week-long exam cram classes, including one offered by the (ISC)2 Institute. I completed thousands of sample test questions from a variety of print and online sources. And I interviewed dozens of current and would-be CISSPs about the exam and credential. For comparative purposes, I also studied for and obtained another IT security certification—the TICSA.

What I learned along the way should help the thousands of would-be test-takers gear up for this exam. Perhaps more importantly, the process has taught me a little about what’s right and wrong about the CISSP—both the exam and the certification itself.

1. What is the CISSP?

CISSP stands for Certified Information Systems Security Professional. The credential was created in 1991 by the International Information Systems Security Certification Consortium (ISC)2 (www.isc2.org), a nonprofit organization that is the sole caretaker and credentialing body for the CISSP.

(ISC)2 is very specific about the purpose and scope of the CISSP. It’s not intended to certify hands-on expertise in any infosecurity technology. Nor does it certify practical expertise in any one of the 10 domains covered under its Common Body of Knowledge (or CBK—more on this later). In fact, it doesn’t certify expertise in anything, other than, perhaps, mastering the material in the CBK.

(ISC)2 officials are quite vocal about this focus—in part, one assumes, to deflect criticism of the CISSP. “Its ultimate purpose is to be able to provide an independent benchmark of your knowledge of the fundamentals of information security,” says (ISC)2 president Jim Duffy. “It proves minimal competency. CISSPs do not walk on water, but they certainly do understand the information security profession.”

One of the things that gives the certification weight in the industry is the sheer size of the CISSP community. We’re definitely not talking Augusta National here. By the time you read this, nearly 20,000 people will hold a CISSP. By the end of 2003, that number will climb to 25,000. That’s up from just 6,900 in 2001.

The jury’s out on whether this growth enhances or detracts from the credibility of the certification and those who hold it. Some say it reinforces the CISSP’s image as infosec’s de facto credential. Others say it only proves that the exam and certification process aren’t stringent enough.

Either way, the CISSP has become its own self-promoting marketing vehicle. Perception is reality. The more people who obtain it, the wider exposure it gets. The wider the exposure, the stronger the perception that you’ve gotta have it. Run through this cycle a few times, and it’s not surprising that even those who ridicule the CISSP are now lining up to get one.

2. What are the requirements for obtaining a CISSP?

There are basically three steps. I won’t dwell on these, since they’re explained in detail on the (ISC)2 Web site and elsewhere.

First, you have to apply for certification. To qualify, you have to have at least four years of professional experience across the 10 CBK domains. Alternatively, you must have three years’ experience plus a college degree. You also have to agree to the (ISC)2 Code of Ethics and provide background information on things like felony convictions and involvement with “hackers.”

The second step is to pass the exam, which costs $450 a sitting. If you fail the first time, you can retake it as soon (and often) as you want, though you have to pay $450 each time.

Third, if you pass, you’re required to obtain written endorsement from someone who is “familiar with your professional experience,” preferably another CISSP.

The certification is valid for three years, during which time you have to accumulate 120 continuing professional education (CPE) units through activities such as serving on industry boards, delivering presentations or publishing security articles or books.

74 Information Security June 2003


10 FAQs re: CISSP

1. What is the CISSP? (p. 74)

2. What are the requirements for obtaining a CISSP? (p. 74)

3. Why get a CISSP? (p. 75)

4. What’s the exam like? (p. 75)

5. What subjects does the exam cover? (p. 76)

6. How hard is the exam? (p. 78)

7. What should I study? (p. 84)

8. Do I need to take one of the CISSP exam-cram classes? (p. 84)

9. What other security certifications are available? And which one is “best” for me? (p. 86)

10. Does the CISSP deserve its reputation? (p. 88)


3. Why get a CISSP?

Most current and would-be CISSPs say the primary reason they want a CISSP is to increase their marketability. “The reason I put the effort into getting the certification in the first place was to advance my career,” says Brian Taylor, a network analyst with New England Research Institutes (NERI). “The job postings out there frequently require or mention the certification as an advantage.”

Other motivations include filling in knowledge gaps, earning peer recognition, expanding one’s professional network and contributing to the development and maturation of the profession.

“It’s worth the effort if it keeps one marketable in a down-turned economy,” says George Johnson, a software engineer at EMC. “As for my current job, I’m not sure that it matters a great deal or means anything to my immediate line of management in the short term, but there is another process at work that is raising the security awareness of management.”

One benefit of CISSP certification—for me, the largest benefit—is that in preparing for the exam, you’re going to learn a lot about subjects you didn’t know about before, and probably wouldn’t have an excuse or occasion to learn about otherwise. I’ve always wanted to learn about how Kerberos works under the hood, but it wasn’t until I started studying for the CISSP that I was compelled to do so. The same thing applies to hundreds of subjects covered in the CBK.

Sure, some of this material is boring and impractical. But if you’re genuinely interested in information security, studying for the CISSP exam will give you a very strong knowledge base. The exam covers maybe 1 percent of what you study. But no matter what you think about the exam or the credential itself, the important thing is that you’ve learned the material anyway—provided you’ve done your homework, of course. And that, I think, is what sets the CISSP apart from other security certifications. You’re simply not going to get as broad an overview of all-things security from other certifications.

4. What’s the exam like?

The exam is 250 multiple-choice questions. Only 225 of these questions are used in computing your score; the other 25 are “experimental” questions that (ISC)2 might use as actual questions on future tests. However, you won’t know which 25 are experimental, so give your best effort on all 250. Also, don’t leave any questions blank; there’s no penalty for guessing.

The questions are weighted differently, adding up to 1,000 points. To pass, you have to get 700 out of 1,000. Approximately 70 percent of candidates pass on their first try.

(ISC)2 reveals your numerical score only if you fail the exam. Candidates who pass the exam aren’t told their scores for two reasons, says Lee Schroeder, president of Schroeder Measurement Technologies, the CISSP exam contractor.

“The primary reason is that we don’t intend this exam to be used to differentiate between passing candidates for things such as hiring or promotion,” he says. “We don’t want to facilitate a setting where an employer is looking at two CISSPs, and uses their scores to differentiate between them.”

The other reason, Schroeder says, has to do with the exam’s scoring system, a complex mathematical model called “item response theory.” Questions are constantly cycled in and out of the CISSP exam, creating different exam forms. The objective with each form is to create a consistent range of difficulty. But since no two forms have exactly the same difficulty level, the number of questions constituting a passing score varies from test to test.

It’s a valid scoring system, but one in which two candidates with the exact same scaled score (say, 750 points) may have answered a different number of questions correctly. Rather than try to explain all this to successful candidates, (ISC)2 opts to simply reveal that they “passed.”

Candidate Comments

Here’s what other recent CISSP candidates had to say about the exam, their study plan and the certification itself.

“I attended [the Intense School bootcamp] class and studied for two hours before the test. I didn’t study outside of class or take any of the practice tests. I did take almost six hours to complete the test, as I considered each question in the context of my own career of 15 years in computer security.”

–RANDY CROLLEY, Senior Computer Security Engineer, Department of Energy’s Savannah River Site

“I came out of the exam feeling like I had underprepared. I was fairly confident that I had passed, but not confident enough to tell people I passed. I knew that if I failed it would be very close.

“I felt and continue to feel that the worst enemy you can have in that exam is to over-think the questions. The (ISC)2 [boot camp] class was very good at making you get in the mind-set of thinking in a manner that would allow you to know what (ISC)2 was looking for.”

–DAVE DRAPER, Director of Engineering Services, GeoTrust

“The CISSP certification is widely recognized as being the security certification to have. [The exam is] more difficult than the Microsoft certifications.”

–DAVID BURNS, British Petroleum

“It reminded me of taking a Navy promotion exam—the same format, but an additional 100 questions. Because I don’t use most of the information in daily [activities], the depth of the exam questions took me by surprise. I was confused by some of the questions.”

–LT. GEORGE KONEN, Naval War College

“A lot of the questions were kind of misleading. And a lot were just plain common sense. I felt you either knew the answer or you didn’t. The exam should only take three hours at the max.”

–JOHN MILLS

“Here are some tips when taking the exam. First, don’t jump ahead. The test seems to have a lot of double negatives, so it’s critical to read the whole question before answering. I brought a magnifying ruler to the exam. I used it to force myself to read line by line. It helped immensely. Second, if I knew the answer with 90 percent certainty, I chose the answer and never looked back. Third, if I didn’t with 90 percent certainty know the answer, I circled the test question in the booklet and moved on. Fourth, I went back through the circled test questions and eliminated answers I knew with 90 percent certainty were wrong. Fifth, I worked the unanswered questions one at a time and then erased the circle around the question once I had answered. Sixth—when all else failed—I guessed! One last thing: Save enough time to transfer the answers from the work booklets to the answer sheet. It takes about 30 minutes.”

–TOM MADDEN, CISO, Centers for Disease Control

“Looking back, [the exam] seemed easy. I only did CCCure tests for a few days after [the (ISC)2 exam-cram] course. Got a passing grade on most of them (“hard” level, not “pro” level). So that gave me confidence as well. I never opened the two books I bought. I thought the (ISC)2 class should have put more emphasis on crypto and access control.”

–VENKAT PERUMAL, CFO, AGCS Inc.

“I could have studied until I was blue in the face. However, nothing could have prepared me for this examination. I would say that [number omitted] of the questions don’t require too much guesswork, [number omitted] are good for interpretation, and the last [number omitted], you should bring a coin and flip it.”

–VINCENT JETTE, Senior Network Engineer, BIC International

Photograph by Creatas/PictureQuest

5. What subjects does the exam cover?

Before I tell you about the exam, I’ll tell you what I can’t tell you. Before you sit for the exam, you have to agree not to discuss the exam’s content or questions with anyone during or after the test. By breaking the seal on the exam booklet, you agree to abide by these rules.

So, while I can’t tell you about the exam content itself, I can tell you about the scope and type of content, at least in general terms. This may not seem like much, but the CISSP test is like no other I’ve ever taken, at any level. Simply knowing what types of questions to expect when you walk in that room will definitely give you a leg up.

The company line is that the CISSP exam tests the candidate’s knowledge of subjects covered in the 10 CBK domains. Dozens of books and online resources dive into these domains in great detail, so I’ll merely list them here:

• Access Control Systems and Methodology

• Application and Systems Development Security

• Business Continuity and Disaster Recovery Planning

• Cryptography

• Law, Investigations and Ethics

• Operations Security

• Physical Security

• Security Architecture and Models

• Security Management Practices

• Telecommunications and Networking Security

Some of these domains cover a lot more material (and in greater depth) than others. For instance, Telecommunications/Network Security and Cryptography are both huge domains, while Physical Security and Law, Investigations and Ethics are comparatively small.

The quantity of topics and depth of detail can be deceiving. Many candidates score poorly on the Physical Security and Law sections because they overprepare on the big domains and underprepare on the small ones. It’s unlikely that the exam will present you with an equal distribution of questions across all 10 domains. But even if I could tell you which domains were hit hardest on my exam, it wouldn’t matter, because the exam constantly changes. The only safe bet is to study each domain thoroughly, and don’t be surprised when the exam seems weighted toward a handful of domains or subjects.

Another common mistake is to adopt a single, uniform approach to learning the material. The domains are very different, requiring different learning techniques. Let me explain what I mean.

In some domains—for example, Crypto, Architectures/Models and Telcom/Networking—the topics are fact-oriented and black and white. You either know the bit size of an MD5 message digest or you don’t; you either know what Bell-LaPadula’s star-property rule is or you don’t; you either know what OSI layer IPSec operates at or you don’t. Learning this material requires a lot of rote memorization. You may know some of this material from your daily work, but you won’t know most of it.

While memorizing a bunch of facts and details is an effective strategy for some domains, it won’t work as well for others, such as Security Management, BC/DR, Physical Security or Law/Ethics. The material in these sections is more contextual and interpretative, focusing more on standards, principles or best practices. Here, you should focus on the application of the facts, not the facts themselves.

For example, there are eight steps to perform in a business impact analysis. The exam is unlikely to ask you to identify what happens in a particular step—that much is intuitive. Rather, it would ask you to identify the appropriate order of the steps, or to determine the most or least important step within a given scenario.

These are oversimplified examples, and, of course, each domain contains a mix of factual and interpretive material. The point is that the CISSP exam has a way of exposing flaws in your study habits. If you haven’t memorized enough in the “black and white” domains—or if you can’t apply your knowledge in others—you might struggle on the exam.

6. How hard is the exam?

This is probably the most frequently asked question about the CISSP exam. It’s also the hardest to answer.

The exam is best characterized as an “inch deep and a mile wide.” Whether this makes it easy or difficult is a matter of perspective.

On the one hand, the exam is easy because it’s multiple choice, with four possible answers per question. Out of the 250 questions, the slight majority are fact-oriented questions. (I’m prohibited from revealing the approximate number of questions, and I probably wouldn’t anyway, since the distribution of question types changes constantly). These questions are straightforward, well-written questions with clearly delineated answers. If you do your homework, you’ll answer most of these questions without any problem.

Another large chunk of questions are straightforward interpretive questions. They set up a scenario in which you have to determine the best course of action. Again, the answers are usually clear if you’ve studied.

One of the things that makes some of the questions easy (or at least straightforward) is that the exam is almost totally devoid of platform-, device- or application-specific material. For example, you won’t be asked to create a Group Policy Object in Win2K Active Directory, convert Unix file permissions from alpha to octal characters or create FireWall-1 ACLs. You might be tested on the difference between block and stream ciphers, or between asymmetric and symmetric encryption, but you won’t be required to analyze algorithms or perform mathematical computations of any sort. You might be asked to explain the difference between code assemblers, compilers and interpreters, but you won’t be asked to assemble, compile or interpret code.

The remaining questions are difficult, but for different reasons. Half of these are legitimate questions about obscure facts, or legitimate interpretative questions where the answer just isn’t clear. These are good, tough questions. You just have to know the answer or be able to dope it out.

However, there’s a chunk of questions that are difficult for all the wrong reasons. They’re poorly worded, misleading or simply evasive (see “Frustrating Questions,” p. 82). Evasive: that’s the word that first came to mind when I walked out of the exam. It just seems like these questions serve no purpose other than to confuse and frustrate you.

It’s because of these questions that you won’t have an intuitive sense if you passed the exam. And it’s because of these questions that the CISSP exam often gets a bad rap. Even though these questions comprise a comparatively small part of the exam, they’re the ones that stick in your craw as you walk out the door.

“I felt the questions themselves were short and easy to read,” says Ty Whitten, a security engineer at Guardent Corp. “But I felt sometimes that the answers didn’t represent the questions well at all. Either the answers were way off base, or I would be left with two answers in which both could have been correct. I also felt the material I studied was way more detailed than the vague questions and answers that were on the test.”

(ISC)2 officials contend that the CISSP exam doesn’t receive an unusual number of complaints relative to other certification exams. They point to the fact that candidates are encouraged to comment on questions when taking the exam—comments that are carefully evaluated when examining test incongruities and deciding which questions should be retired.

Moreover, (ISC)2 and its test developers say that the degree to which a question is annoying is of little significance in determining its statistical validity. The goal with the exam and exam questions is to show an acceptable level of discrimination between high-scoring candidates and low-scoring candidates. If the cluster of high-scoring candidates—those who have adequately mastered the CBK—consistently answer a question correctly while the low-scoring candidates answer it incorrectly, then the degree to which the question is subjectively “vague” or “evasive” to either group is inconsequential.

“We want questions such that high-scoring candidates tend to get them right, and low-scoring candidates tend to get them wrong,” says Lee Schroeder.

One other thing: the CISSP exam is long—gruelingly long, in my opinion. You’re allotted six hours to complete it, and most people take at least three. It took me about five hours.

Frustrating Questions

Anybody who says the CISSP exam is easy isn’t telling the whole story. There are plenty of difficult questions—some legitimate, some goofy.

When taking the CISSP exam, expect to encounter at least a couple dozen questions that will frustrate the hell out of you. (ISC)2 exam designers claim these (and all) questions are psychometrically valid. Annoying or not, they’re a useful mechanism for separating qualified candidates (infosecurity professionals who have mastered the CBK to an acceptable level) from unqualified professionals (those without mastery of the material who are simply good at taking multiple-choice exams).

Whether you buy this line of reasoning or not, these questions will drive you nuts if you’re not expecting them. For discussion purposes, I’ve divided these questions into four categories, comprising both the “factual” and “interpretive” question types. With each of these categories, I’ll try to explain what makes the question difficult, and offer an example. These examples may be a bit exaggerated to illustrate a point. That said, they’re not far from the truth, either.

1. Obscure facts. Several questions require you to recall very specific details from the CBK. These are absolutely legitimate, fact-oriented questions that don’t require a lot of interpretation. The problem is that you just don’t know or can’t remember the answer unless you happened to study it recently, have hands-on experience with it, or have a photographic memory.

Here’s an example:

1. Which of the following characterizes the Data Encryption Standard (DES) Electronic Code Book (ECB) mode?

a. “Stream mode” cipher, first ciphertext block is XORed with next text block.

b. “Block mode” cipher, 64-bit plaintext blocks loaded sequentially.

c. “Block mode” cipher, 64-bit data blocks processed individually one at a time.

d. “Stream mode” cipher, keystream is XORed with message stream; simulates one-time pad.

The answer is “C,” but it’s a really hard question because it’s very detailed and technical. Moreover, the options include both legitimate DES modes that aren’t ECB (answer B is cipher block chaining (CBC); answer D is output feedback mode (OFB)) and a made-up answer (answer “A” also describes CBC, except CBC is a block mode cipher). You either know the answer here or you don’t. It’s impossible to dope it out if you didn’t study it.

2. Misleading interpretive questions. A chunk of questions ask you to pinpoint the “best” answer or course of action given a scenario or context. Granted, by their very nature, these questions are very difficult to craft, but the CISSP exam seems to have more than its share of doozies.

Selecting the best answer to these questions is problematic because (a) what you would consider “best” isn’t one of the options; or (b) you need more context to determine what the exam-creators would consider best. Here’s an example question that captures both of these problems:

2. Which of the following is usually considered to be the best type of firewall:

a. Static packet filter

b. Application-layer proxy

c. Circuit-level firewall

d. PC firewall

Many people would consider a dynamic/stateful-inspection firewall to be the “best” general-purpose firewall available today. But that’s not one of the answers. So you’re left to determine what’s best from the list of four “next-best-but-not-really-best” alternatives.

Compounding the problem, you’re not given any context in which to make an educated decision. “Best” under what circumstances? What type of access control or traffic filtering are you trying to enforce? What type of network or hosts is the firewall intended to protect?

Moreover, the answers are not “equal” in the sense that they’re not all of the same type or quality. Is this on purpose or by accident? Again, you can only guess.

OK, you probably wouldn’t select “D,” because a PC firewall is a specific example of a host application filter. The other three options are core technologies, not form-factor examples of those technologies.

Option A, static packet filter, is a “first-generation” network-layer firewall that does basic IP address and port filtering. It’s probably the widest deployed firewall today, so if “best” means “most accepted,” option A would be your answer.

However, if by “best” they mean “most able to filter traffic at a granular application header or payload level,” then “application-layer proxy” is your answer. But wait: Circuit-level firewalls are “better” than static packet filters because they filter on Transport layer headers as well as IP headers; and they’re “better” than application proxies because they can filter on a wider variety of protocols and are easier to maintain. But do two “betters” add up to one “best”?

You get the point. You have to determine what “best” means before you can select the “best” (er, “next-best”) answer. This question is aggravating because it doesn’t test your knowledge of firewalls—how they work, how they compare, which one’s most applicable to a given scenario—but rather your ability to guess how the exam creators would define “best.”

3. Questions where more than one answer is correct. In some questions, more than one answer seems correct. And, indeed, more than one is correct, depending on your perspective.

3. Which OSI layer(s) does SSL operate at?

a. Layer 4

b. Layer 5

c. Layers 4 and 5

d. Layers 5 and 7

Each of these is correct under different scenarios. In preparing for the exam, I came across different sources that actually gave these answers. Which one is correct? More to the point: Which answer would (ISC)2 consider correct? Guess!

With questions like these, it’s clearly a matter of interpretation and context, and one would hope the CISSP exam would steer away from them. Unfortunately, it doesn’t.

4. Confusing wording in the question itself. Perhaps the most frustrating questions on the CISSP exam are ones that force you to guess at exactly what the question is trying to ask. A sloppily written phrase forces you to interpret the meaning of the question—do they mean this, or do they mean that?—which in turn affects your interpretation of the answers.

4. Which of the following best describes a “protective profile”?

a. Implementation-dependent statement of security needs for a set of general IT products.

b. Management-level description of resources necessary to protect a security domain.

c. General framework of physical security requirements for a data center.

d. Includes the “Target of Evaluation” description of an IT product and its purpose, but not necessarily from a security perspective.

If you studied the Common Criteria security evaluation standard, you know that the “protection profile” is an implementation-independent statement of security requirements within the CC. Ah, but the question says protective profile—and what’s worse, it puts the phrase in quotes. Is this a simple spelling or usage mistake? Or are the exam developers specifically trying to bait you into answering the question as though it specifies “protection profile,” when in fact they mean something more generic and completely unrelated to the Common Criteria?

It may seem like I’m picking on (ISC)2 and the exam creators by going into this level of detail. But to be forewarned is to be forearmed, and no book, study guide or boot camp prepared me for these types of questions, and no sample test I came across quite captured the essence of these questions. Everybody talks about how some CISSP exam questions are frustrating. Hopefully, I’ve illustrated why they can be frustrating. ◗ –ANDREW BRINEY


84 Information Security June 2003


7. What should I study?
No one book covers everything you need to know to prepare for the CISSP exam. There are at least three 1,000-page “all-in-one” prep guides out there. I’ve read two of these, and as comprehensive as they are, neither is sufficient in and of itself.

On the other hand, you shouldn’t feel compelled to dive into everything in (ISC)2’s study guide. Accept the fact that you’ll never have enough time to study the CBK in depth, nor should you attempt to. There’s just too much information.

The first thing you should do is review the main topics in each domain. This will reveal your strengths and weaknesses. Then, take the plunge and buy at least one of the “all-in-one” books (see “Briney’s Stack O’ Reading,” opposite). As you read each chapter/domain, take the practice exams in the book and online. Among other sites, www.cccure.org allows you to develop practice quizzes targeting specified domains.

Plan to take at least two full-length practice tests before sitting for the exam. However, keep in mind that these practice exams are intended to test your knowledge and understanding of the CBK. None of the practice tests I came across adequately prepared me for the “difficult-for-the-wrong-reasons” questions.

8. Do I need to take one of the CISSP exam-cram classes?
It’s hard for me to say whether you need to sign up for one of these courses. What I can tell you is that I took two of them, and they were both very useful.

The first one I took was Intense School’s seven-day[1] CISSP Boot Camp (www.intenseschool.com). The instructor was Shon Harris, who wrote one of the popular all-in-one prep books and developed all the materials for the course, including more than 1,200 pages of PowerPoint slides, 30-40 practice questions per domain and a full-length practice exam.

The Intense School course also provides you with a variety of supplemental materials, including RFC 2196: The Site Security Handbook, NIST’s Guidelines for Network Security Testing, an Internet Firewalls FAQ and a half-dozen other documents. Having all this stuff in one place saves a lot of time.

The second boot camp was offered by the (ISC)2 Institute, the for-profit arm of the nonprofit (ISC)2 certification body. If you think that (ISC)2’s ties to this course will give you an inside track on the exam, think again. By design, the instructors have no input into the exam itself, and they’re bound by the same restrictions that all CISSPs are: they can’t discuss exam content.

The five-day (ISC)2 boot camp was team-taught by Sandy Sherizen and John Glover, both of whom really knew their stuff. They traded off on domains, Sherizen focusing on the “soft” domains and Glover on the technical ones. This was mostly effective, though their different teaching styles sometimes clashed. The time devoted to each domain, the subjects covered and the depth of discussion were very similar to Intense School’s approach. However, there wasn’t 100 percent overlap. For instance, Intense devoted more time to remote authentication than (ISC)2, while (ISC)2 devoted more time to wireless security than Intense.

Intense School’s course materials were marginally superior to (ISC)2’s. (ISC)2’s consisted primarily of two spiral-bound notebooks with printed reproductions of the PowerPoint slides covered in class. While Intense also took this approach, the material was backed up by written documentation on each page. This helped a lot when I went back to review the materials after the course wrapped up.

After completing each domain, the (ISC)2 instructors reviewed 10 practice questions with the entire class. I preferred Intense’s approach, in which you had the questions in writing and answered them at your own pace—just like on the exam. (ISC)2 also offered a practice exam at the end of the course, but it was only 100 questions long, compared to Intense’s full-length, 250-question exam. Then again, the (ISC)2 class had the advantage of using retired questions from the actual exam, which to some candidates might be a real value-add.

Exam-cram courses aren’t cheap. Intense’s selling price ranges between $2,600 and $2,900, while (ISC)2’s list price is $2,400. You get a few more frills with Intense’s approach: most costs related to hotel and meals are included in the course fee.

If you’re going to sign up for a boot camp, the natural question arises: Should I take it before I start studying, or after I’ve already done most of my homework? I did it both ways, and would suggest these courses work better as a primer, not a review. They set out a framework of topics and expose holes in your knowledge. Better to have plenty of time to fill in those holes before sitting for the exam.

Both courses boast successful pass rates. Including myself, 15 out of the 16 people in Intense School’s boot camp passed the exam. Of the 11 students I heard from after the (ISC)2 class, nine passed. The standard pass rate for all CISSP candidates is 70 percent. You do the math.

If you sign up for a five- or seven-day boot camp, be prepared for your mental buffer to run-

CONTINUED ON PAGE 86

[1] The typical Intense School CISSP Training Program is seven days, though the course I attended was five days.


www.infosecuritymag.com 85

Briney’s Stack O’ Reading
No one resource can prepare you for the CISSP. At the same time, there are literally hundreds, perhaps thousands, of books and Web sites covering some aspect of the CBK. The goal is to read widely, if not necessarily deeply, in each domain. Remember, the exam is a mile wide and an inch deep. Tailor your study plan accordingly.

BOOKS

An Amazon search reveals 15 books with “CISSP” in the title. There’s even a CISSP for Dummies! I read every page of two 1,000-page “all-in-one” guides plus a smattering of other books and online resources. I also dabbled around and skimmed a half-dozen other books.

All-in-One CISSP Certification
By Shon Harris (McGraw Hill Osborne, 2002), 971 pages + CD, $80

This book is extremely comprehensive, and Harris has a knack for explaining complex technical topics in layman’s terms without talking down to the reader. Harris also teaches an exam-cram class for Intense School, and has sat for (and passed) the CISSP exam on two separate occasions—both of which lend an air of authority to this guide.

While the text is good, the graphics in this book leave something to be desired. Some are too sketchy or generic to add anything to the textual discussion. Others are clearly space fillers, like the half-page photo of a fire extinguisher with the caption, “Portable extinguishers are marked indicating what type of fire they should be used on.” (Gee, tell me more).

Each chapter/domain ends with a list of quick tips, which were very helpful. Harris also gives you 20-30 practice questions at the end of each domain, along with a CD containing hundreds of additional questions (the new edition reportedly contains 1,300 total questions with explanations). While the practice questions were good, taken together they’re easier than many of the actual exam questions, which might give you a false sense of security.

The CISSP Prep Guide (Gold Edition)
By Ronald Krutz and Russell Vines (Wiley, 2003), 945 pages + CD, $80

The Krutz and Vines guide is also excellent. The Gold Edition is actually the combination of two other Wiley books by the same authors: the original CISSP Prep Guide and the Advanced CISSP Prep Guide. The Gold Edition also contains updated content based on reader suggestions.

I’m glad I read this book after Harris’s book, because the presentation is tighter and more accelerated. There’s not as much detail as in Harris’s book, but the discussion moves along more quickly.

The Krutz and Vines book has a lot of practice questions, 660 in all, in addition to a CD-ROM containing two complete practice exams from Boson (see below). Most of the sample and bonus questions after each domain are about the same level as Harris’s questions—in some cases, they’re a little more advanced.

Also included after each domain/chapter are several “advanced sample questions” that the authors claim “are at a level commensurate with that of the CISSP Examination.” Well, that’s not strictly true. They are more difficult than the sample and bonus questions, giving you a sense of the level of detail to which you need to study. However, they don’t capture the way in which the CISSP exam’s questions are difficult. Some of Krutz and Vines’s advanced questions are extremely verbose, which is definitely not the style of the CISSP exam. Others ask you to do computations or visual analysis—again, not the exam’s M.O.

In any case, the authors provide long explanations to each answer, which helps.

The Total CISSP Exam Prep Book
By Thomas Peltier and Patrick Howard (Auerbach, 2002), 286 pages, $60

The title is misleading, because this is basically a book of sample test questions. Each chapter covers a domain, and each domain includes 25 practice study questions with explained answers. The good thing about this book is that it cites the sources from which the questions are drawn—down to the page number. This is a real bonus if you want to follow up. At the end of the book there’s a full-length practice exam, which also comes with answer explanations and citations.

OTHER RESOURCES

Boson

www.boson.com/tests/secure.htm

The Boson Web site offers three practice CISSP exams, 250 questions each. (Two of these exams are included on the Krutz and Vines CD-ROM.) Each exam costs $40. Don’t take Boson Exam #1. Exams #2 and #3 have decent questions, though many candidates feel that CCCure’s are better.

CCCure

www.cccure.org

An indispensable site for CISSP candidates. Contains tons of CBK resources and thousands of practice questions. The CISSP quiz page lets you specify the number of questions you want to take, the level of difficulty (from “novice” to “pro”), and the CBK domains you want to cover. Best of all, it’s free—all you have to do is register.

CISSP Cramsessions

www.cccure.org, click on “Downloads” and go to “CISSP Study Guides”

One way of identifying weaknesses is to compare your study plan to that of other CISSPs. Michael Overly’s Cramsession, in particular, is excellent—concise yet thorough, hitting on all the high points. ◗

– ANDREW BRINEY

Photograph by Amy Hight


neth over. Both courses I took did a good job mixing up the material by alternating technical- and management-oriented domains, but there’s no way to get around the huge volume of information you have to absorb.

While Intense School and (ISC)2 courses may be the most recognized CISSP boot camps, several other CISSP classes are available, ranging from one to seven days in length. One of these is The Training Camp (www.trainingcamp.com), which (ISC)2 recently contracted as a course “reseller.”

So, to answer the initial question, if you can get your boss to pay for a boot camp, and can afford the time out of the office, do it! You won’t necessarily learn anything different from an equivalent course of independent study, but a boot camp will give you a lot more confidence that you’re on the right track. The instructors can help you grasp complex topics, and you can band together with fellow students to form study groups. All of these things help you get motivated to do your homework—and pass the exam.

9. What other security certifications are available? Which one is “best” for me?
The CISSP may be the most popular security certification, but it’s far from the only one. You might be surprised to learn that there are at least 45 information security-related professional certifications, according to Certification magazine. Thirty of these are vendor-neutral, while 15 are vendor-specific.

I won’t attempt to discuss all or even most of these. Instead, I’ll discuss the basic categories, and suggest which certifications are recognized as the “leaders” in each. This ranking is obviously subjective, though I think it generally reflects how most infosec professionals feel.

Benchmarks. These certifications are widely recognized and respected by professionals on all levels and in all sectors in the infosecurity industry. What’s more, they’re increasingly a prerequisite for many jobs, an indication that they are also recognized and respected by non-security managers and HR.

In addition to the CISSP, I’d put ISACA’s Certified Information Systems Auditor (CISA) and SANS’s GIAC Security Essentials Certification (GSEC) in this group. The CISA is the CISSP for the IT audit community, plain and simple. The GSEC is kind of the “anti-CISSP.” It’s more technical in nature and, like most of the 11 GIAC certifications, it has gained the respect of the techy community that the CISSP lacks.

“Foundation” certifications. There are at least a half-dozen introductory certifications for professionals with one to three years of experience. Leading certifications in this category include (ISC)2’s own Systems Security Certified Practitioner (SSCP) and the CIW Security Professional (CIW-SP).

Vendor certifications. Many of the leading providers in the security space—Cisco, Symantec, Check Point, Tivoli and others—offer multiple certification levels, from baseline “administrator” to more advanced “expert” (some even offer “expert plus”).

On a slightly more generic level are SANS’s vendor-agnostic GIAC Certified Firewall Analyst (GCFW) and GIAC Certified Intrusion Analyst (GCIA), both of which have an excellent reputation.

Certifications for non-security professionals. As the visibility of IT security grows in the enterprise, so does the number of non-security professionals who have security-related responsibilities. Several certification programs have cropped up to fulfill this need, including Security+, offered by CompTIA; and the TruSecure ICSA Certified Security Associate (TICSA).[2]

As I mentioned earlier, I sat for the TICSA exam to see how it compared to the CISSP. In a nutshell, if the CISSP is “an inch deep and a mile wide,” the TICSA is “two feet deep and 100 yards wide.” Obviously, the scope and breadth of topics covered pale by comparison to the CISSP. Then again, in places the TICSA content is actually deeper—more technical, more hands-on, more practical.

(ISC)2 could take a page from TruSecure’s book on question creation and exam delivery. To my recollection, few, if any, of the 75 questions on the TICSA exam were evasive or vague in the way that some CISSP questions are. Also, TruSecure partners with Thomson Prometric to deliver the exam. You can sit for the exam at any Thomson facility (there are 3,500 centers worldwide) whenever you want. And the TICSA exam is completely computer-based. As soon as I completed the exam, I was informed of my score and given a printout of how I did in each of 14 TICSA sections. See www.trusecure.com/solutions/certifications/ticsa.

Advanced certifications. Several industry groups are jockeying to gain CISSP-like acceptance for their “advanced” certifications, which is one of the things the industry is sorely missing. In addition to the expert-level vendor certifications, advanced certs include SANS’s GIAC Security Expert (GSE) and ASIS’s Certified Protection Professional (CPP), a CISO-level certification covering human, physical and information security. Neither of these has achieved anywhere near the level of acceptance of the CISSP.

To its credit, (ISC)2 has recognized the need for more advanced (or targeted) certifications. As of May, it offers three certification “concentrations” that build upon the CISSP: the Information Systems Security Engineering Professional (ISSEP), a certification developed in partnership with the National Security Agency; the Information Systems Security Management Professional (ISSMP), which validates advanced security management expertise; and the Information Systems Security Architecture Professional (ISSAP), which validates advanced technical knowledge and expertise.

[2] TruSecure publishes Information Security.

10. Does the CISSP deserve its reputation?
There are really two questions here: Does the CISSP deserve to be the industry’s gold standard? And does the CISSP—and (ISC)2—deserve all the criticism it gets?

The CISSP is frequently criticized because it doesn’t contain a lot of advanced material. People naturally assume that the “gold standard” should be the “best” in every way—not only the most popular or broadest in scope, but the most advanced and selective, too.

“It’s not a certification that says, ‘I’m a damn good information security professional,’” says Nan Smith, a newly minted CISSP and cyber security program manager for the Oak Ridge Institute for Science and Education. “To me, a certification should guarantee to the employer that you’ve made the effort to become good at what you’re doing, at what you know. To me, the CISSP doesn’t say that. It says, ‘Hey, I figured out what (ISC)2 wanted me to answer on the exam.’”

In some ways, this is a legitimate critique. The CISSP is not and never will be equivalent to the “gold standard” in other fields—for example, the CPA for accountants. To obtain that level of respect, the CISSP would have to be sanctioned by regulatory and legal bodies, and recognized by communities outside of the infosecurity profession.

But we’re really talking apples and oranges here. (ISC)2 never intended the CISSP to be the CPA of infosecurity. Yes, the credential has acquired the reputation of pretending to be something it’s not. But that’s hardly (ISC)2’s fault; it’s certainly not an image that was ever promoted by (ISC)2.

Moreover, it’s unrealistic to expect (ISC)2 to change the fundamental makeup of the exam to make it more “technical” or “advanced”—qualities that, in the minds of its critics, would make it truly representative of a gold standard. It is what it is. While you can alter the requirements and qualifications for sitting for the exam (which (ISC)2 recently did), you can’t arbitrarily decide to change the basic charter or mission of the credential or character of the exam.

With all this said, however, I think it’s fair to criticize the CISSP on two scores. First, the exam does have some problems. Whether or not the “evasive” questions are statistically and psychometrically valid, they are evasive. Yes, in the final analysis that’s my opinion, but it’s not as though I’m alone in feeling this way.

The second problem is related to the first. Thanks in part to the exam, the first impression one gets of the CISSP is often negative. Whether you pass or not, nobody walks out of the test center feeling enthusiastic about the experience. It seems that the ramifications of this bad image are almost totally ignored by (ISC)2.

Can either of these problems be fixed without making the test too accessible to “test-savvy” candidates who have no business holding the CISSP credential? Good question. ◗

ANDREW BRINEY, CISSP, TICSA ([email protected]), is Information Security’s editor-in-chief.