CISSP For Dummies®

To view this book's Cheat Sheet, simply go to www.dummies.com and search for “CISSP For Dummies Cheat Sheet” in the Search box.

Introduction

Since 1994, security practitioners around the world have been pursuing a well-known and highly regarded professional credential: the Certified Information Systems Security Professional (CISSP) certification. And since 2001, CISSP For Dummies has been helping security practitioners enhance their security knowledge and earn the coveted CISSP certification.

Today, there are more than 120,000 CISSPs worldwide. Ironically, some certification skeptics might argue that the CISSP certification is becoming less relevant because so many people have earned the certification. However, the CISSP certification isn’t less relevant because more people are attaining it — more people are attaining it because it’s now more relevant than ever. Information security is far more important than at any time in the past, with extremely large-scale data security breaches and highly sophisticated cyberattacks becoming all too frequent occurrences in our modern era.

There are many excellent and reputable information security training and education programs available. In addition to technical and industry certifications, there are also many fully accredited postsecondary degree, certificate and apprenticeship programs available for information security practitioners. And there are certainly plenty of self-taught, highly skilled individuals working in the information security field who have a strong understanding of core security concepts, techniques and technologies.

But inevitably, there are also far too many charlatans who are all too willing to overstate their security qualifications and prey on the obliviousness of business and other leaders — who think “wiping” a server, for example, means “like, with a cloth or something” — in order to pursue a fulfilling career in the information security field, or perhaps for other more dubious purposes.

The CISSP certification is widely held as the professional standard for information security professionals. It enables security professionals to distinguish themselves from others in the information security field by validating both their knowledge and experience. Likewise, it enables businesses and other organizations to identify qualified information security professionals and verify the knowledge and experience of candidates for critical information security roles in their respective organizations. Thus, the CISSP certification is more relevant and important than ever before.

About This Book

Some say that the Certified Information Systems Security Professional (CISSP) candidate requires a breadth of knowledge many miles across but only a few inches deep. To embellish on this statement, we believe that the CISSP candidate is more like the Great Wall of China, with a knowledge base extending over 3,500 miles — maybe a few holes here and there, stronger in some areas than others, but nonetheless one of the Seven Wonders of the Modern World.

The problem with lots of currently available CISSP preparation materials is in defining how high (or deep) the Great Wall actually is: Some material overwhelms and intimidates CISSP candidates, leading them to believe that the wall is as high as it is long. Other study materials are perilously brief and shallow, giving the unsuspecting candidate a false sense of confidence while he or she merely attempts to step over the Great Wall, careful not to stub a toe. To help you avoid either misstep, CISSP For Dummies answers the question, “What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?”

Our goal in this book is simple: To help you prepare for and pass the CISSP examination so that you can join the ranks of respected certified security professionals who dutifully serve and protect organizations and industries around the world. Although we’ve stuffed it chock-full of good information, we don’t expect that this book will be a weighty desktop reference on the shelf of every security professional — although we certainly wouldn’t object.

And we don’t intend for this book to be an all-purpose, be-all-and-end-all, one-stop shop that has all the answers to life’s great mysteries. Given the broad base of knowledge required for the CISSP certification, we strongly recommend that you use multiple resources to prepare for the exam and study as much relevant information as your time and resources allow. CISSP For Dummies, 6th Edition, provides the framework and the blueprint for your study effort and sufficient information to help you pass the exam, but by itself, it won’t make you an information security expert. That takes knowledge, skills, and experience!

Finally, as a security professional, earning your CISSP certification is only the beginning. Business and technology, which have associated risks and vulnerabilities, require that each of us — as security professionals — constantly press forward, consuming vast volumes of knowledge and information in a constant tug-of-war against the bad guys.

Foolish Assumptions

It’s been said that most assumptions have outlived their uselessness, but we assume a few things nonetheless! Mainly, we assume the following:

If these assumptions describe you, then this book is for you! If none of these assumptions describes you, keep reading anyway. It’s a great book and when you finish reading it, you’ll know quite a bit about information security and the CISSP certification!

Icons Used in This Book

Throughout this book, you occasionally see icons in the left margin that call attention to important information that’s particularly worth noting. No smiley faces winking at you or any other cute little emoticons, but you’ll definitely want to take note! Here’s what to look for and what to expect:

Remember: This icon identifies general information and core concepts that are well worth committing to your non-volatile memory, your gray matter, or your noggin — along with anniversaries, birthdays, and other important stuff! You should certainly understand and review this information before taking your CISSP exam.

Tip: Tips are never expected but always appreciated, and we sure hope you’ll appreciate these tips! This icon includes helpful suggestions and tidbits of useful information that may save you some time and headaches.

Warning: This is the stuff your mother warned you about … well, okay — probably not, but you should take heed nonetheless. These helpful alerts point out easily confused or difficult-to-understand terms and concepts.

Technical Stuff: You won’t find a map of the human genome or the secret to cold fusion in this book (or maybe you will, hmm), but if you’re an insufferable insomniac, take note. This icon explains the jargon beneath the jargon and is the stuff legends — well, at least nerds — are made of. So, if you’re seeking to attain the seventh level of NERD-vana, keep an eye out for these icons!

Beyond the Book

In addition to what you’re reading right now, this book also comes with a free access-anywhere Cheat Sheet that includes tips to help you prepare for the CISSP exam and your date with destiny — well, your exam day. To get this Cheat Sheet, simply go to www.dummies.com and type CISSP For Dummies Cheat Sheet in the Search box.

You also get access to hundreds of practice CISSP exam questions, as well as dozens of flash cards. Use the exam questions to help you identify specific topics and domains in which you may need to spend a little more time studying, and to get familiar with the types of questions you’ll encounter on the CISSP exam (including multiple choice, drag and drop, and hotspot). To gain access to the online practice, all you have to do is register. Just follow these simple steps:

  1. Register your book or ebook at Dummies.com to get your PIN. Go to www.dummies.com/go/getaccess.
  2. Select your product from the dropdown list on that page.
  3. Follow the prompts to validate your product, and then check your email for a confirmation message that includes your PIN and instructions for logging in.

If you do not receive this email within two hours, please check your spam folder before contacting us through our Technical Support website at http://support.wiley.com or by phone at 877-762-2974.

Now you’re ready to go! You can come back to the practice material as often as you want — simply log on with the username and password you created during your initial login. No need to enter the access code a second time.

Your registration is good for one year from the day you activate your PIN.

Where to Go from Here

If you don’t know where you’re going, any chapter will get you there — but Chapter 1 may be a good place to start! However, if you see a particular topic that piques your interest, feel free to jump ahead to that chapter. Each chapter is individually wrapped (but not packaged for individual sale) and written to stand on its own, so feel free to start reading anywhere and skip around! Read this book in any order that suits you (though we don’t recommend upside down or backwards).

Part 1

Getting Started with CISSP Certification

IN THIS PART …

Get acquainted with (ISC)2 and the CISSP certification.

Advance your security career as a CISSP.

Chapter 1

(ISC)2 and the CISSP Certification

IN THIS CHAPTER

  - Learning about (ISC)2 and the CISSP certification
  - Understanding CISSP certification requirements
  - Developing a study plan
  - Registering for the exam
  - Taking the CISSP exam
  - Getting your exam results

In this chapter, you get to know the (ISC)2 and learn about the CISSP certification including professional requirements, how to study for the exam, how to get registered, what to expect during the exam, and of course, what to expect after you pass the CISSP exam!

About (ISC)2 and the CISSP Certification

The International Information System Security Certification Consortium (ISC)2 (www.isc2.org) was established in 1989 as a not-for-profit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.

The CISSP was the first information security credential to be accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024 standard. This international standard helps to ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate’s competence for the certification. This process helps a certification gain industry acceptance and credibility as more than just a marketing tool for certain vendor-specific certifications (a widespread criticism that has diminished the popularity of many vendor certifications over the years).

Technical Stuff: The ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.

The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)2 and defined through eight distinct domains:

You Must Be This Tall to Ride This Ride (and Other Requirements)

The CISSP candidate must have a minimum of five cumulative years of professional (paid), full-time, direct work experience in two or more of the domains listed in the preceding section. The work experience requirement is a hands-on one — you can’t satisfy the requirement by just having “information security” listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly. Some examples of full-time information security roles that might satisfy the work experience requirement include (but aren’t limited to)

Examples of information technology roles for which you can gain partial credit for security work experience include (but aren’t limited to)

For any of these preceding job titles, your particular work experience might result in you spending some of your time (say, 25 percent) doing security-related tasks. This is perfectly legitimate for security work experience. For example, five years as a systems administrator, spending a quarter of your time doing security-related tasks, earns you 1.25 years of security experience.

Furthermore, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:

See Chapter 2 to learn more about relevant certifications on the (ISC)2-approved list for an experience waiver.

Tip: In the U.S., CAE-CD programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense.

Preparing for the Exam

Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or online training environment, (ISC)2 offers CISSP training seminars.

We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of two hours a day for 60 days. If you’re a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day — and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this study out over a six-month period for two hours a day. Consider, however, that committing to six months of intense study is much harder (on you, as well as your family and friends) than two months. In the end, you’ll likely find yourself studying only as much as you would have in a 60-day period anyway.

Studying on your own

Self-study might include books and study references, a study group, and practice exams.

Begin by downloading the free official CISSP Certification Exam Outline from the (ISC)2 website at www.isc2.org/exam-outline. This booklet provides a good basic outline of the exam and the subjects on which you’ll be tested.

Next, read this (ISC)2-approved book and review the online practice at www.dummies.com (see the Introduction for more information). CISSP For Dummies is written to provide a thorough and essential review of all the topics covered on the CISSP exam. Then, read any additional study resources you can to further your knowledge and reinforce your understanding of the exam topics. You can find several excellent study resources in the official CISSP Certification Exam Outline and online at www.cccure.org and http://resources.infosecinstitute.com. Finally, rinse and repeat: Do another quick read of CISSP For Dummies as a final review before you take the actual CISSP exam.

Warning: Don’t rely on CISSP For Dummies (as awesome and comprehensive as it is!), or any other book — no matter how thick it is — as your single resource to prepare for the CISSP exam.

Joining a study group can help you stay focused and also provide a wealth of information from the broad perspectives and experiences of other security professionals. It’s also an excellent networking opportunity (the talking-to-real-people type of network, not the TCP/IP type of network)! Study groups or forums can be hosted online or at a local venue. Find a group that you’re comfortable with and that is flexible enough to accommodate your schedule and study needs. Or create your own study group!

Finally, answer lots of practice exam questions. There are many resources available for CISSP practice exam questions. Some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don’t despair! The repetition of practice questions helps reinforce important information that you need to know in order to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Start with the online practice at www.dummies.com (see the Introduction for more information), and try the practice questions at Clément Dupuis and Nathalie Lambert’s CCCure website (www.cccure.org).

Warning: No practice exams exactly duplicate the CISSP exam (and forget about brain dumps — using or contributing to brain dumps is unethical and is a violation of the (ISC)2 non-disclosure agreement, which could result in losing your CISSP certification permanently).

Getting hands-on experience

Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities while you prepare for the CISSP exam.

For example, if you’re weak in networking or applications development, talk to the networking group or developers in your company. They may be able to show you a few things that can help make sense of the volumes of information that you’re trying to digest.

Tip: Your company or organization should have a security policy that’s readily available to its employees. Get a copy and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn’t have a security policy, perhaps now is a good time for you to educate management about issues of due care and due diligence as they relate to information security. For example, review your company’s plans for business continuity and disaster recovery. They don’t exist? Perhaps you can lead this initiative to help both you and your company.

Getting official (ISC)2 CISSP training

Classroom-based CISSP training is available as a five-day, eight-hours-a-day seminar led by (ISC)2-Authorized Instructors at (ISC)2 facilities and (ISC)2 Official Training Providers worldwide. Private on-site training is also available, led by (ISC)2-Authorized Instructors, and taught in your office space or a local venue. This is a convenient and cost-effective option if your company is sponsoring your CISSP certification and has ten or more employees taking the CISSP exam. If you generally learn better in a classroom environment or find that you have knowledge or actual experience in only two or three of the domains, you might seriously consider classroom-based training or private on-site training.

If it’s not convenient or practical for you to travel to a seminar, online training seminars provide the benefits of learning from an (ISC)2-Authorized Instructor at your computer. Online training seminars include real-time, instructor-led seminars offered on a variety of schedules with weekday, weekend, and evening options to meet your needs, and access to recorded course sessions for 60 days. Self-paced training is another convenient online option that provides virtual lessons taught by authorized instructors with modular training and interactive study materials. Self-paced online training can be accessed from any web-enabled device for 120 days and is available any time and as often as you need.

You can find information, schedules, and registration forms for official (ISC)2 training at www.isc2.org/Certifications/CISSP.

Tip: The American Council on Education’s College Credit Recommendation Service (ACE CREDIT) has evaluated and recommended three college credit hours for completing an Official (ISC)2 CISSP Training Seminar. Check with your college or university to find out if these credits can be applied to your degree requirements.

Attending other training courses or study groups

Other reputable organizations offer high-quality training in both classroom and self-study formats. Before signing up and spending your money, we suggest that you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends on the instructor; for this reason, try to find out from others whether the proposed instructor is as helpful as he or she is reported to be.

Many cities have self-study groups, usually run by CISSP volunteers. You may find a study group where you live; or, if you know some CISSPs in your area, you might ask them to help you organize a self-study group.

Tip: Always confirm the quality of a study course or training seminar before committing your money and time.

Take the practice exam

Practice exams are a great way to get familiar with the types of questions and topics you’ll need to be familiar with for the CISSP exam. Be sure to take advantage of the online practice exam questions that are included with this book (see the Introduction for more information). Although the practice exams don’t simulate the adaptive testing experience, you can simulate a worst-case scenario by configuring the test engine to administer 150 questions (the maximum number of questions you might see on the CISSP exam) with a time limit of three hours (the maximum amount of time you’ll have to complete the CISSP exam). Learn more about computer-adaptive testing for the CISSP exam in the “About the CISSP Examination” section later in this chapter and on the (ISC)2 website at www.isc2.org/Certification/CISSP/CISSP-Cat.

Remember: To successfully study for the CISSP exam, you need to know your most effective learning styles. “Boot camps” are best for some people, while others learn better over longer periods of time. Furthermore, some people get more value from group discussions, while reading alone works for others. Know thyself, and use what works best for you.

Are you ready for the exam?

Are you ready for the big day? We can’t answer this question for you. You must decide, on the basis of your individual learning factors, study habits, and professional experience, when you’re ready for the exam. Unfortunately, there is no magic formula for determining your chances of success or failure on the CISSP examination.

In general, we recommend a minimum of two months of focused study. Read this book and continue taking the practice exam on the Dummies website until you can consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information you need to know if you want to pass the CISSP examination. Read this book (and reread it) until you’re comfortable with the information presented and can successfully recall and apply it in each of the eight domains. Continue by reviewing other study materials (particularly in your weak areas) and actively participating in an online or local study group and take as many practice exams from as many different sources as possible.

Then, when you feel like you’re ready for the big day, find a romantic spot, take a knee, and — wait, wrong big day! Find a secure Wi-Fi hot spot (or other Internet connection), take a seat, and register for the exam!

Registering for the Exam

The CISSP exam is administered via computer-adaptive testing (CAT) at local Pearson VUE testing centers worldwide. To register for the exam, go to the (ISC)2 website (www.isc2.org/Register-For-Exam) and click the “Register” link, or go directly to the Pearson VUE website (www.pearsonvue.com/isc2).

On the Pearson VUE website, you first need to create an account for yourself; then you can register for the CISSP exam, schedule your test, and pay your testing fee. You can also locate a nearby test center, take a Pearson VUE testing tutorial, practice taking the exam (which you should definitely do if you’ve never taken a computer-based test, or CBT), and then download and read the (ISC)2 non-disclosure agreement (NDA).

Tip: Download and read the (ISC)2 NDA when you register for the exam. Sure, it’s boring legalese, but it isn’t unusual for CISSPs to be called upon to read contracts, license agreements, and other “boring legalese” as part of their information security responsibilities — so get used to it (and also get used to not signing legal documents without actually reading them)! You’re given five minutes to read and accept the agreement at the start of your exam, but why not read the NDA in advance so you can avoid the pressure and distraction on exam day, and simply accept the agreement. If you don’t accept the NDA in the allotted five minutes, your exam will end and you forfeit your exam fees!

When you register, you’re required to quantify your relevant work experience, answer a few questions regarding any criminal history and other potentially disqualifying background information, and agree to abide by the (ISC)2 Code of Ethics.

The current exam fee in the U.S. is $699. You can cancel or re-schedule your exam by contacting Pearson VUE by telephone at least 24 hours in advance of your scheduled exam or online at least 48 hours in advance. The fee to re-schedule is $50. The fee to cancel your exam appointment is $100.

Warning: If you fail to show up for your exam or you’re more than 15 minutes late for your exam appointment, you’ll forfeit your entire exam fee!

Tip: Great news! If you’re a U.S. military veteran and are eligible for Montgomery GI Bill or Post-9/11 GI Bill benefits, the Veteran’s Administration (VA) will reimburse you for the full cost of the exam, regardless of whether you pass or fail. In some cases, (ISC)2 Official Training Providers also accept the GI Bill for in-person certification training.

About the CISSP Examination

The CISSP examination itself is a grueling three-hour, 100- to 150-question marathon. To put that into perspective, in three hours, you could run an actual (mini) marathon, watch Gone with the Wind, The Godfather Part II, Titanic, or one of the Lord of the Rings movies, or play “Slow Ride” 45 times on Guitar Hero. Each of these feats, respectively, closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.

The CISSP exam is now an adaptive exam, which means the test changes based on how you’re doing on the exam. The exam starts out relatively easy, and then gets progressively harder as you answer questions correctly. That’s right: the better you do on the exam, the harder it gets — but that’s not a bad thing! Think of it like skipping a grade in school because you’re smarter than the average bear. The CISSP exam assumes that if you can answer harder questions about a given topic, then logically, you can answer easier questions about that same topic, so why waste your time?

You’ll have to answer a minimum of 100 questions. After you’ve answered the minimum number of questions, the testing engine will either conclude the exam if it determines with 95 percent confidence that you’re statistically likely to either pass or fail the exam, or it will continue asking up to a maximum of 150 total questions until it reaches a 95 percent confidence level in either result. If you answer all 150 questions, the testing engine will determine whether you passed or failed based on your answers. If you run out of time (exceed the three-hour time limit) but you’ve answered the minimum number of questions (100), the testing engine will determine whether you passed or failed based on your answers to the questions you completed.

Only 75 percent of the questions on the exam are actually calculated toward your final result. The other 25 percent are trial questions for future versions of the CISSP examination (kind of like being a “test dummy” — for dummies). However, the exam doesn’t identify which questions are real and which are trial questions, so you’ll have to answer all questions truthfully and honestly and to the best of your ability!

There are three types of questions on the CISSP exam:

As described by (ISC)2, you need a scaled score of 700 (out of 1000) or better to pass the examination. All three question types are weighted equally, but not all questions are weighted equally. Harder questions are weighted more heavily than easier questions, so there’s no way to know how many correct answers are required for a passing score. But wait, it gets even better! On the adaptive exam, you no longer get a score when you complete the CISSP exam — you’ll either get a pass or fail result. Think of it like watching a basketball game with no scoreboard — or a boxing match with no indication of the winner until the referee raises the victor’s arm.

Tip: All questions on the CISSP exam require you to select the best answer (or answers) from the possible choices presented. The correct answer isn’t always a straightforward, clear choice. (ISC)2 goes to great pains to ensure that you really, really know the material.

Tip: A common and effective test-taking strategy for multiple-choice questions is to carefully read each question and then eliminate any obviously wrong choices. The CISSP examination is no exception.

Warning: Wrong choices aren’t necessarily obvious on the CISSP examination. You may find a few obviously wrong choices, but they only stand out to someone who has studied thoroughly for the exam.

The Pearson VUE computer-adaptive, three-hour, 100- to 150-question version of the CISSP examination is currently only available in English. If you prefer to take the CISSP exam in Chinese (simplified, the language not the exam), French, German, Japanese, Korean, Portuguese, or Spanish, because that’s your native language (or you don’t speak the language but you really want to challenge yourself), then you’ll have to take a form-based, six-hour, 250-question version of the CISSP exam (what many of us would refer to as the “old school” exam). You’re permitted to bring a foreign language dictionary (non-electronic and non-technical) for the exam, if needed. Testing options are also available for the visually impaired. You need to indicate your preferences when you register for the exam.

After the Examination

In most cases, you’ll receive your unofficial test results at the testing center as soon as you complete your exam, followed by an official email from (ISC)2.

Warning: In some rare instances, your unofficial results may not be immediately available. (ISC)2 analyzes score data during each testing cycle; if they don’t have enough test results early in the testing cycle, your results could be delayed up to eight weeks.

If, for some reason, you don’t pass the CISSP examination — say, for example, you only read this chapter of CISSP For Dummies — you’ll have to wait 30 days to try again. If that happens, we strongly recommend that you read the rest of this book during those 30 days! If you fail a second time, you’ll have to wait 90 days to try again. If that happens, we most strongly recommend and highly urge you to read the rest of this book — perhaps a few times — during those 90 days! Finally, if you fail on your third attempt, you’ll have to wait 180 days — no more excuses, you definitely need to read, re-read, memorize, comprehend, recite, ingest, and regurgitate this book several times if that happens!

After you earn your CISSP certification, you must remain an (ISC)2 member in good standing and renew your certification every three years. You can renew the CISSP certification by accumulating 120 Continuing Professional Education (CPE) credits or by retaking the CISSP examination. You must earn a minimum of 40 CPE credits during each year of your three-year recertification cycle. You earn CPE credits for various activities, including taking educational courses or attending seminars and security conferences, belonging to association chapters and attending meetings, viewing vendor presentations, completing university or college courses, providing security training, publishing security articles or books, serving on relevant industry boards, taking part in self-study, and doing related volunteer work. You must document your annual CPE activities on the secure (ISC)2 website to receive proper credit. You are also required to pay a U.S. $85 annual maintenance fee, payable to (ISC)2. Maintenance fees are billed in arrears for the preceding year, and you can pay them online, also in the secure members area of the (ISC)2 website.

Warning: Be sure to be absolutely truthful on your CPE reporting and retain evidence of your training. (ISC)2 audits some CPE submissions.

Tip: As soon as you receive your certification, register on the (ISC)2 website and provide your contact information. (ISC)2 reminds you of your annual maintenance fee, Board of Directors elections, annual meetings, and events, but only if you maintain your contact info — particularly your email address.

Chapter 2

Putting Your Certification to Good Use

IN THIS CHAPTER

  - Staying active as an (ISC)2 member
  - Discovering the joy of giving back
  - Working with others in your local security community
  - Getting the word out about CISSP certification
  - Bringing about change in your organization
  - Advancing your career with other certifications
  - Finding a mentor and being a mentor
  - Achieving security excellence

Although this book is devoted to helping you earn your CISSP certification, we thought it would be a good idea to include a few things you might consider doing after you’ve earned your CISSP.

So what do you do after you earn your CISSP? There are plenty of things you can do to enhance your professional career and the global community. Here are just a few ideas!

Networking with Other Security Professionals

Unless you work for a large organization, there probably aren’t many other information security (infosec) professionals in your organization. In fact, you may be the only one! Yes, it can feel lonely at times, so we suggest you find ways to connect with infosec professionals in your area and beyond. Many of the activities described in this chapter provide networking opportunities. If you haven’t been much of a social butterfly before and your professional network is somewhat limited, get ready to take your career to a whole new level as you meet other like-minded security professionals and potentially build lifelong friendships. Remember: It’s not what you know, but who you know — well, what you know matters, too!

If you’re just getting started in your infosec career (regardless of your age or other career experience), you’ll likely meet other infosec professionals who have at some point in their own careers been in your shoes, and who will be happy to help you find answers and solutions to some of those elusive questions and challenges that may be perplexing you. You may find that you’re initially doing more taking than giving, but make sure you’re at least showing your appreciation and gratitude for their help — and remember to give back later in your career when someone new to infosec asks to pick your brain for some helpful insight.

So, as you venture out in search of other infosec professionals, put your smile on and bring plenty of business cards (print your own if your employer doesn’t provide any). You’re sure to make new friends and experience growth in the security business that may delight you.