
CISSP® For Dummies®

Visit www.dummies.com/cheatsheet/cissp to view this book's cheat sheet.

Foreword

Let’s face it, those of us who have prepared for the (ISC)2® Certified Information Systems Security Professional (CISSP®) exam know it can be a daunting task. Some candidates spread their preparation out over the course of a year; others take months, and others prepare in a matter of weeks. Then there are those who schedule and take the exam with little to no preparation. There’s really no wrong way to prepare, if your approach leads to the achievement of your professional goals. That said, I am frequently asked "What is the best book to use to prepare for the CISSP exam?" There’s a plethora of choices: the thick official guide book, the CISSP study guide, or independent books written by those in the industry. Suffice it to say, there is no shortage of books available to prepare for the CISSP exam. Which leads me to CISSP For Dummies.

The Wiley For Dummies series has become a wildly successful approach to learning about a broad range of popular topics. With so many topics covered by the popular series, most of us have a For Dummies book on at least one topic. The series presents popular topics in a lighter, more digestible way that hopefully facilitates learning. At (ISC)2, we are proud that our CISSP has become such a popular topic and professional certification that it has earned its own CISSP For Dummies, which we are pleased to endorse.

As you prepare for the CISSP exam, we hope you find the tools that work best for your study methods and maintaining your skills. I wish you the best of luck as you prepare for the (ISC)2 CISSP exam and work toward achieving your professional goals.

Best regards,


David P. Shearer

CEO

(ISC)2, Inc.

Introduction

For more than 20 years, security practitioners around the world have been pursuing a well-known and highly regarded professional credential: the Certified Information Systems Security Professional (CISSP) certification. And since 2001, CISSP For Dummies has been helping security practitioners enhance their security knowledge and earn the coveted CISSP certification.

Today, there are more than 100,000 CISSPs worldwide. Ironically, some certification skeptics might argue that the CISSP certification is becoming less relevant because so many people have earned the certification. However, the CISSP certification isn’t less relevant because more people are attaining it — more people are attaining it because it’s now more relevant than ever. Information security is far more important than at any time in the past, with extremely large-scale data security breaches and highly sophisticated cyberattacks becoming all too frequent occurrences in our modern era.

There are many excellent and reputable information security training and education programs available. In addition to technical and industry certifications, there are also many fully accredited postsecondary degree, certificate and apprenticeship programs available for information security practitioners. And there are certainly plenty of self-taught, highly skilled individuals working in the information security field who have a strong understanding of core security concepts, techniques and technologies.

But inevitably, there are also far too many charlatans who are all too willing to overstate their security qualifications and prey on the obliviousness of business and other leaders — who think “wiping” a server, for example, means “like, with a cloth or something” — in order to pursue a fulfilling career in the information security field, or perhaps for dubious purposes.

The CISSP certification is widely held as the professional standard for information security professionals, similar to the Certified Public Accountant (CPA) license for accountants or the Professional Engineer (PE) license for engineers. It enables security professionals to distinguish themselves from others in the information security field by validating both their knowledge and experience. Likewise, it enables businesses and other organizations to identify qualified information security professionals and verify the knowledge and experience of candidates for critical information security roles in their respective organizations. Thus, the CISSP certification is more relevant and important than ever before.

About This Book

Our goal in this book is simple: to help you prepare for and pass the CISSP examination so that you can join the ranks of respected certified security professionals who dutifully serve organizations and industries around the world. Although we’ve stuffed it chock-full of good information, we don’t expect that this book will be a weighty desktop reference on the shelf of every security professional — although we certainly wouldn’t object.

And we don’t intend for this book to be an all-purpose, be-all-and-end-all, one-stop shop that has all the answers to life’s great mysteries. Given the broad base of knowledge required for the CISSP certification, we strongly recommend that you use multiple resources to prepare for the exam and study as much relevant information as your time and resources allow. CISSP For Dummies, 5th Edition, provides the framework and the blueprint for your study effort and sufficient information to help you pass the exam, but it won’t make you an information security expert!

Finally, as a security professional, earning your CISSP certification is only the beginning. Business and technology, which have associated risks and vulnerabilities, require that each of us — as security professionals — constantly press forward, consuming vast volumes of knowledge and information in a constant tug-of-war against the bad guys.

How This Book Is Organized

This book is organized in three parts. We cover the International Information Systems Security Certifications Consortium (ISC)2 and examination basics in Part I, the eight Common Body of Knowledge (CBK) domains in Part II, the Part of Tens in Part III, and the Glossary.

The Glossary is not just any ordinary glossary: The CISSP exam requires you to select the best answer for a given question. You definitely need to know and understand very concise terms and definitions in order to recognize any obviously wrong answers on the exam.

Icons Used in This Book

Throughout this book, you occasionally see icons in the left margin that call attention to important information that’s particularly worth noting. No smiley faces winking at you or any other cute little emoticons, but you’ll definitely want to take note! Here’s what to look for and what to expect:

Instant Answer icons highlight important information to help you answer questions on the actual exam — just add water and stir! To help you succeed on the CISSP exam, look for these icons to highlight critical points that you’re likely to see again.

Remember: This icon identifies general information and core concepts that are well worth committing to your non-volatile memory, your gray matter, or your noggin — along with anniversaries, birthdays, and other important stuff! You should certainly understand and review this information before taking your CISSP exam.

Tip: Thank you for reading; we hope you enjoy the book; please take care of your writers! (Now, where’s that jar … ?) Seriously, this icon includes helpful suggestions and tidbits of useful information that may save you some time and headaches.

Warning: This is the stuff your mother warned you about … well, okay — probably not, but you should take heed nonetheless. These helpful alerts point out easily confused or difficult-to-understand terms and concepts.

Cross Reference icons point you toward other places in this book that have additional information on particular subjects — kind of a low-tech hyperlink!

Technical Stuff: You won’t find a map of the human genome or the secret to cold fusion in this book (or maybe you will, hmm), but if you’re an insufferable insomniac, take note. This icon explains the jargon beneath the jargon and is the stuff legends — well, at least nerds — are made of. So, if you’re seeking to attain the seventh level of NERD-vana, keep an eye out for these icons!

Beyond the Book

CISSP For Dummies, 5th Edition, is more than a book. A suite of online tools and references are part of the plan to get you ready for game day.

What you’ll find online

The online resources that come free with the book contain a comprehensive, realistic practice exam. This product also comes with an online Cheat Sheet (www.dummies.com/cheatsheet/cissp) and bonus articles (www.dummies.com/extras/cissp) that help you increase your knowledge even further. (No PIN required. You can access this info before you register.)

How to register

To gain access to the online practice test and flash cards, all you have to do is register. Just follow these simple steps:

  1. Find your PIN access code:
    • Print book: If you purchased a print copy of this book, turn to the inside front cover of the book to find your access code.
    • Ebook: If you purchased this book as an e-book, you can get your access code by registering your ebook at www.dummies.com/go/getaccess. Go to this website, find your book and click it, and answer the security questions to verify your purchase. You’ll receive an email with your access code.
  2. Go to www.dummies.com and click Activate Now.
  3. Find your product (CISSP For Dummies) and then follow the on-screen prompts to activate your PIN.

You can come back to the program as often as you want — simply log on with the username and password you created during your initial login.

For Technical Support, please visit http://wiley.custhelp.com or call Wiley at 1-800-762-2974 (U.S.), +1-317-572-3994 (international).

Getting Started

Chapter 1 may be a good place to start! However, if you see a particular topic that piques your interest, feel free to jump ahead to that chapter. Each chapter is individually wrapped (but not packaged for individual sale) and written to stand on its own, so feel free to start reading anywhere and skip around! Read this book in any order that suits you (though we don’t recommend upside down or backwards). We promise you won’t get lost falling down the rabbit hole!

Part I

Getting Started With CISSP Certification


Web Extra: Visit www.dummies.com for great Dummies content online.

In this part …

  • Preparing for the exam
  • Spreading the word
  • Maximizing your membership


Chapter 1

(ISC)2 and the CISSP Certification

In This Chapter

  • Finding out about (ISC)2 and the CISSP certification
  • Understanding CISSP certification requirements
  • Developing a study plan
  • Registering for the exam
  • Taking the CISSP exam
  • Getting your exam results

CISSP For Dummies answers the question, “What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?”

About (ISC)2 and the CISSP Certification

The International Information System Security Certification Consortium (ISC)2 (www.isc2.org, and pronounced “I-S-C-squared”) was established in 1989 as a not-for-profit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.

The CISSP was the first information security credential to be accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024 standard. This international standard helps to ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate’s competence for the certification. This process helps a certification gain industry acceptance and credibility, rather than being dismissed as merely a marketing tool for vendor-specific products (a widespread criticism that has diminished the popularity of many vendor certifications over the years).

Technical Stuff: The ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.

The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)2 and defined through eight distinct domains:

You Must Be This Tall to Ride This Ride (and Other Requirements)

The CISSP candidate must have a minimum of five cumulative years of professional (paid), full-time, direct work experience in two or more of the domains listed in the preceding section. The work experience requirement is a hands-on one — you can’t satisfy the requirement by just having “information security” listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly. Some examples of full-time information security roles that might satisfy the work experience requirement include (but aren’t limited to)

Examples of information technology roles for which you can gain partial credit for security work experience include (but aren’t limited to)

For any of the preceding job titles, your particular work experience might result in you spending some of your time (say, 25 percent) doing security-related tasks. This is perfectly legitimate security work experience. For example, five years as a systems administrator, spending a quarter of your time doing security-related tasks, earns you 1.25 years of security experience.

Furthermore, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:

Cross Reference: See Chapter 2 to learn more about relevant certifications on the (ISC)2-approved list for an experience waiver.

Tip: In the U.S., CAE/IAE programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/ia/academic_outreach/nat_cae.

Preparing for the Exam

Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or training environment, (ISC)2 offers CISSP review seminars.

We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of two hours a day for 60 days. If you’re a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day — and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this study out over a six-month period for two hours a day. Consider, however, that committing to six months of intense study is much harder (on you, as well as your family and friends) than two months. In the end, you’ll likely find yourself studying only as much as you would have in a 60-day period anyway.

Studying on your own

Self-study might include books and study references, a study group, and practice exams.

Begin by downloading the free official CISSP Candidate Information Bulletin (CIB) from the (ISC)2 website at www.isc2.org/exam-outline. This booklet provides a good basic outline of the exam and the subjects on which you’ll be tested.

Next, read this book, take the online practice exam and review the additional study materials on the Dummies website (www.dummies.com). CISSP For Dummies is written to provide a thorough and essential review of all the topics covered on the CISSP exam. Then, read any additional study resources you can to further your knowledge and reinforce your understanding of the exam topics. You can find several excellent study resources in the official CISSP Candidate Information Bulletin (CIB) and online at www.cccure.org and http://resources.infosecinstitute.com. Finally, rinse and repeat: Do another quick read of CISSP For Dummies as a final review before you take the actual CISSP exam.

Warning: Don’t rely on CISSP For Dummies (as awesome and comprehensive as it is!), or any other book — no matter how thick it is — as your single resource to prepare for the CISSP exam.

Joining a study group can help you stay focused and also provide a wealth of information from the broad perspectives and experiences of other security professionals. It’s also an excellent networking opportunity (the talking-to-real-people type of network, not the TCP/IP type of network)! Study groups or forums can be hosted online or at a local venue. Find a group that you’re comfortable with and that is flexible enough to accommodate your schedule and study needs. Or create your own study group!

Finally, answer lots of practice exam questions. There are many resources available for CISSP practice exam questions. Some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don’t despair! The repetition of practice questions helps reinforce important information that you need to know in order to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Start with the Practice Exam on the Dummies website (www.dummies.com) and try the practice questions at Clément Dupuis and Nathalie Lambert’s CCCure website (www.cccure.org).

Warning: No practice exams exactly duplicate the CISSP exam (and forget about brain dumps — using or contributing to brain dumps is unethical and is a violation of the (ISC)2 non-disclosure agreement, which could result in losing your CISSP certification permanently).

Getting hands-on experience

Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities while you prepare for the CISSP exam.

For example, if you’re weak in networking or applications development, talk to the networking group or programmers in your company. They may be able to show you a few things that can help make sense of the volumes of information that you’re trying to digest.

Tip: Your company or organization should have a security policy that’s readily available to its employees. Get a copy and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn’t have a security policy, perhaps now is a good time for you to educate management about issues of due care and due diligence as they relate to information security. For example, review your company’s plans for business continuity and disaster recovery. They don’t exist? Perhaps you can lead this initiative to help both you and your company.

Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar

(ISC)2 also administers five-day CISSP CBK Review Seminars and Live OnLine seminars to help the CISSP candidate prepare. You can find information, schedules, and registration forms for the CBK Review Seminar and Live OnLine on the (ISC)2 website at www.isc2.org/cissp-training.

If you generally learn better in a classroom environment or find that you have knowledge or actual experience in only two or three of the domains, you might seriously consider attending a review seminar.

If it’s not convenient or practical for you to travel to a seminar, Live OnLine provides the benefit of learning from an (ISC)2 Authorized Instructor on your computer. Live OnLine provides all the features of classroom-based seminars, real-time delivery, access to archived modules, and all official courseware.

Attending other training courses or study groups

Other reputable organizations offer high-quality training in both classroom and self-study formats. Before signing up and spending your money, we suggest that you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends on the instructor; for this reason, try to find out from others whether the proposed instructor is as helpful as he or she is reported to be.

Many cities have self-study groups, usually run by CISSP volunteers. You may find a study group where you live; or, if you know some CISSPs in your area, you might ask them to help you organize a self-study group.

Tip: Always confirm the quality of a study course or training seminar before committing your money and time.

Take the testing tutorial and practice exam

If you are not familiar with computer-based testing, you may want to take a practice exam. Go to the Pearson VUE website and look for the Pearson VUE Tutorial and Practice Exam (at www.pearsonvue.com/athena).

Remember: To successfully study for the CISSP exam, you need to know your most effective learning styles. “Boot camps” are best for some people, while others learn better over longer periods of time. Furthermore, some people get more value from group discussions, while reading alone works for others. Know thyself, and use what works best for you.

Are you ready for the exam?

Are you ready for the big day? We can’t answer this question for you. You must decide, on the basis of your individual learning factors, study habits, and professional experience, when you’re ready for the exam. Unfortunately, there is no magic formula for determining your chances of success or failure on the CISSP examination.

In general, we recommend a minimum of two months of focused study. Read this book and continue taking the practice exam on the Dummies website until you can consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information you need to know if you want to pass the CISSP examination. Read this book (and reread it) until you’re comfortable with the information presented and can successfully recall and apply it in each of the eight domains. Continue by reviewing other study materials (particularly in your weak areas), actively participating in an online or local study group, and taking as many practice exams from as many different sources as possible.

Then, when you feel like you’re ready for the big day, find a romantic spot, take a knee, and — wait, wrong big day! Find a secure Wi-Fi hot spot (or other Internet connection), take a seat, and register for the exam!

Registering for the Exam

The CISSP exam is administered via computer-based testing (CBT) at local Pearson VUE testing centers worldwide. To register for the exam, go to the (ISC)2 website (www.isc2.org/certification-register-now) and click the “Register” link, or go directly to the Pearson VUE website (www.pearsonvue.com/isc2).

On the Pearson VUE website, you first need to create an account for yourself; then you can register for the CISSP exam, schedule your test, and pay your testing fee. You can also locate a nearby test center, take a Pearson VUE testing tutorial, practice taking the exam (which you should definitely do if you’ve never taken a CBT), and then download and read the (ISC)2 non-disclosure agreement (NDA).

Tip: Download and read the (ISC)2 NDA when you register for the exam. Sure, it’s boring legalese, but it isn’t unusual for CISSPs to be called upon to read contracts, license agreements, and other “boring legalese” as part of their information security responsibilities — so get used to it (and also get used to not signing legal documents without actually reading them)! You’re given five minutes to read and accept the agreement at the start of your exam, but why not read the NDA in advance so you can avoid the pressure and distraction on exam day, and simply accept the agreement. If you don’t accept the NDA in the allotted five minutes, your exam will end and you forfeit your exam fees!

When you register, you’re required to quantify your relevant work experience, answer a few questions regarding any criminal history and other potentially disqualifying background information, and agree to abide by the (ISC)2 Code of Ethics.

Cross Reference: The (ISC)2 Code of Ethics is covered in Chapter 3.

The current exam fee in the U.S. is $599. You can cancel or re-schedule your exam by contacting VUE by telephone at least 24 hours in advance of your scheduled exam or online at least 48 hours in advance. The fee to re-schedule is $50. The fee to cancel your exam appointment is $100.

Warning: If you fail to show up for your exam or you’re more than 15 minutes late for your exam appointment, you’ll forfeit your entire exam fee!

Tip: Great news! If you’re a U.S. military veteran and are eligible for Montgomery GI Bill benefits, the Veteran’s Administration (VA) will reimburse you for the full cost of the exam, regardless of whether you pass or fail.

About the CISSP Examination

The CISSP examination itself is a grueling six-hour, 250-question marathon. To put that into perspective, in six hours, you could almost run a back-to-back marathon and mini marathon, watch a good movie 3½ times, or play “Slow Ride” 91 times on Guitar Hero. Each of these feats, respectively, closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.

There are three types of questions on the CISSP exam:

As described by (ISC)2, you need a scaled score of 700 (out of 1000) or better to pass the examination. All three question types are weighted equally, but not all questions are weighted equally, so we can’t absolutely state the number of correct questions required for a passing score.

Tip: All 250 questions on the CISSP exam require you to select the best answer (or answers) from the possible choices presented. The correct answer isn’t always a straightforward, clear choice. (ISC)2 goes to great pains to ensure that you really, really know the material.

Tip: A common and effective test-taking strategy for multiple-choice questions is to carefully read each question and then eliminate any obviously wrong choices. The CISSP examination is no exception.

Warning: Wrong choices aren’t necessarily obvious on the CISSP examination. You may find a few obviously wrong choices, but they only stand out to someone who has studied thoroughly for the exam.

Only 225 questions are actually counted toward your final score. The other 25 are trial questions for future versions of the CISSP examination. However, the exam doesn’t identify these questions for the test-taker, so you have to answer all 250 questions as if every one of them is the real thing.

The CISSP examination is currently available in English, Portuguese, Chinese (simplified), French, German, Japanese, Korean, and Spanish. You’re permitted to bring a foreign language dictionary (non-electronic and non-technical) for the exam, if needed. Testing options are also available for the visually impaired. You need to indicate your preferences when you register for the exam.

Cross Reference: Chapter 12 has additional important information about the exam format and suggestions to help you prepare for the day of your exam.

After the Examination

In most cases, you’ll receive your unofficial test results at the testing center as soon as you complete your exam, followed by an official email from (ISC)2.

Warning: In some rare instances, your unofficial results may not be immediately available. (ISC)2 analyzes score data during each testing cycle; if they don’t have enough test results early in the testing cycle, your results could be delayed up to eight weeks.

If, for some reason, you don’t pass the CISSP examination — say, for example, you only read this chapter of CISSP For Dummies — you’ll have to wait 30 days to try again. If that happens, we strongly recommend that you read the rest of this book during those 30 days! If you fail a second time, you’ll have to wait 90 days to try again. If that happens, we most strongly recommend and highly urge you to read the rest of this book — perhaps a few times — during those 90 days! Finally, if you fail on your third attempt, you’ll have to wait 180 days — no more excuses, you definitely need to read, re-read, memorize, recite, ingest, and regurgitate this book several times if that happens!

After you earn your CISSP certification, you must remain an (ISC)2 member in good standing and renew your certification every three years. You can renew the CISSP certification by accumulating 120 Continuing Professional Education (CPE) credits or by retaking the CISSP examination. You must earn a minimum of 40 CPE credits during each year of your three-year recertification cycle. You earn CPE credits for various activities, including taking educational courses or attending seminars and security conferences, belonging to association chapters and attending meetings, viewing vendor presentations, completing university or college courses, providing security training, publishing security articles or books, serving on relevant industry boards, taking part in self-study, and doing related volunteer work. You must document your annual CPE activities on the secure (ISC)2 website to receive proper credit. You also have to pay a U.S. $85 annual maintenance fee, payable to (ISC)2. Maintenance fees are billed in arrears for the preceding year, and you can pay them online, also in the secure area of the (ISC)2 website.

Warning: Be sure to be absolutely truthful on your CPE reporting. (ISC)2 audits some CPE submissions.

Tip: As soon as you receive your certification, register on the (ISC)2 website and provide your contact information. (ISC)2 reminds you of your annual maintenance fee, Board of Directors elections, annual meetings, and events, but only if you maintain your contact info — particularly your email address.

Chapter 2

Putting Your Certification to Good Use

In This Chapter

  • Staying active as an (ISC)2 member
  • Discovering the joy of giving back
  • Working with others in your local security community
  • Getting the word out about CISSP certification
  • Bringing about change in your organization
  • Advancing your career with other certifications
  • Achieving security excellence

Although this book is devoted to helping you earn your CISSP certification, we thought it would be a good idea to include a few things you might consider doing after you’ve earned your CISSP.

So what do you do after you earn your CISSP? There are plenty of things you can do to enhance your professional career and the global community. Here are just a few ideas!

Being an Active (ISC)2 Member

Being an active (ISC)2 member is easy! Besides volunteering (see the following section), you can participate in several other activities including:

Considering (ISC)2 Volunteer Opportunities

(ISC)2 is much more than a certifying organization: It’s a cause. It’s security professionals’ raison d’être, the reason we exist — professionally, anyway. As one of us, consider throwing your weight into the cause.

Volunteers have made (ISC)2 what it is today and contribute toward your certification. You can’t stand on the sidelines and watch others do the work. Use your talents to help those who’ll come after you. You can help in many ways. For information about volunteering, see the (ISC)2 website (www.isc2.org).

Tip: Most sanctioned (ISC)2 volunteer activities are eligible for CPE credits. Check with (ISC)2 for details.

Writing certification exam questions

The state of technology, laws, and practices within the (ISC)2 Common Body of Knowledge (CBK) is continually changing and advancing. In order to be effective and relevant, CISSP exams need to have exam questions that reflect how security is done today. Therefore, people working in the industry — such as you — need to write new questions. If you’re interested in being a question writer, visit the (ISC)2 website and apply.

Speaking at events

(ISC)2 now holds more security-related events around the world than it has at any other time in its history. More often than not, (ISC)2 speakers are local volunteers — experts in their professions who want to share with others what they know and have learned. If you have an area of expertise or a unique perspective on CISSP-related issues, consider educating others with a speaking engagement. For more information, visit the (ISC)2 website.

Read and contribute to (ISC)2 publications

The InfoSecurity Professional digital magazine benefits from articles submitted by (ISC)2 members. The entire security community benefits by reading about what others have discovered. Find the magazine at www.isc2.org/infosecurity_professional.

(ISC)2 publishes a quarterly online magazine called INSIGHTS that is associated with InfoSecurity Professional. You can find out more at https://www.isc2.org/infosecurity-professional-insights.aspx?terms=INSIGHTS.

The (ISC)2 Blog is a free online publication for all (ISC)2 members. Find the blog, as well as information about writing articles, at http://blog.isc2.org/isc2_blog.

The (ISC)2 Journal is a fee-based publication that’s published bimonthly. Find information about subscribing and writing articles on the journal’s home page (www.isc2.org/isc2-journal.aspx). The annual subscription is currently U.S. $45.

Support the (ISC)2 Center for Cyber Safety and Education

The (ISC)2 Foundation, now known as the Center for Cyber Safety and Education, is a non-profit charity formed by (ISC)2 in 2011. The Center is a conduit through which security professionals can reach society and empower students, teachers, and the general public to secure their online life with cybersecurity education and awareness programs in the community. The Center for Cyber Safety and Education was formed to meet those needs, and to expand altruistic programs, such as Safe and Secure Online, the Information Security Scholarship Program, and industry research — the Center’s three core programs.

Participating in (ISC)2 focus groups

(ISC)2 has developed focus groups and quality assurance (QA) testing opportunities. (ISC)2 is developing new services, and it needs to receive early feedback during the requirements and design phases of its projects. By participating in these groups and tests, you can influence future (ISC)2 services that will aid current and future certification holders.

Get involved with a CISSP study group

Many communities have CISSP study groups that consist of volunteer mentors and instructors who help those who want to earn the certification.

If your community doesn’t have a CISSP study group, consider starting one. Many communities have them already, and the organizers there can give you advice on how to start your own.

Help others learn more about data security

In no way are we being vain or arrogant when we say that we (the writers of this book, and you the readers) know more about data security and safe Internet usage than perhaps 99 percent of the general population. There are two main reasons for this:

  • Security is our profession
  • Security is not always easy to do

A legion of volunteer opportunities is available out there to help others keep their computers (and mobile computing devices) secure and to use the Internet safely. Here is a very short list of places where you can help:

  • Service clubs
  • Senior centers
  • Schools (be sure to read about Safe and Secure Online earlier in this chapter)
  • Your place of employment

Using a little imagination, you can certainly come up with additional opportunities. The world is hungry for the information you possess!