How to prepare for the CISSP

The CISSP is a valuable certification, but it takes a lot more than just your many years of experience to prepare for it. You will likely have to learn about a lot of technology and processes that you’ve never worked with, some of it not especially current and all of it a lot less vendor-specific than you’ve ever imagined.

If you’ve decided to pit your information security knowledge against the CISSP exam, it’s a good idea to first step back and assess your preparedness. Even if you’re an ace security manager, you might discover that there are huge gaps in what you know about this increasingly important field. Having just taken a prep course, I understand that my experiences as a programmer, Unix systems administrator and information security manager – several decades of it – isn’t enough to make me a shoe-in for this highly prized certification. Instead, I have to learn about a lot of technology that has never fallen within my range of responsibilities. This includes such things as fire extinguishers, old encryption algorithms and legal code that applies to both security and privacy. Normally, if ever I need to remember something like which RAID level is which, I simply look it up. For the exam, I will have to remember which is which – even RAID levels like 3 and 4. And I have to quickly able to decipher which security controls are preventative, which are detective and which are corrective. Fortunately, I was able to take a superb “boot camp”, offered through the University of Texas at San Antonio, which went through all ten of the “domains” that the exam covers. These include (from the isc2.org site):

  • Access Control – a collection of mechanisms that work together to create security architecture to protect the assets of the information system.
  • Telecommunications and Network Security – discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.
  • Information Security Governance and Risk Management – the identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
  • Software Development Security – refers to the controls that are included within systems and applications software and the steps used in their development.
  • Cryptography – the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.
  • Security Architecture and Design – contains the concepts, principles, structures and standards used to design, implement, monitor, and secure, operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.
  • Operations Security – used to identify the controls over hardware, media and the operators with access privileges to any of these resources.
  • Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
  • Legal, Regulations, Investigations and Compliance – addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.
  • Physical (Environmental) Security – addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information.

To get the certification, applicants are required to have at least five years of experience in at least two or more of these domains, but even that isn’t enough to make the test easy. Far from it! So you very likely need to spend some study time in the areas that you haven’t had work experience in – and likely in some that you have. The prep class was well worth the time and money spent because it not only helped to familiarize me with a lot of technology that I haven’t ever used, but it gave me an idea what to expect – something of a CISSP exam taking philosophy – and boosted my confidence that I will be able to understand the questions and (mostly) pick the right answers if I spend enough time getting ready. My “boot camp” was taught by two instructirs from the University of Texas at San Antonio – Tomm Larson and Kevin Kjosa (pronounced “Cho-sa”). They did an excellent job of explaining the material and provided guidance and encouragement during our intense five day class. We spent the whole of five days (8 AM to 5 PM, Monday-Friday) with only short breaks and a Q&A session each day during the latter part of lunch hour to get ourselves spun up both technically and emotionally. Having a room full of fellow students with many different perspectives and work experiences helped quite a bit. I learned some interesting and relevant things from other students and expect to keep in touch with several of them. One group of students from the class plan to keep meeting and studying together – a great idea for anyone who lives or works close enough to other students to pull that off. I feel that I still need to read through the text – Shon Harris’ CISSP All-in-One Exam Guide, 6th Edition – provided with the class slowly and thoughtfully and take a lot of practice tests before I’m going to feel ready, but I’m on a roll now and it’s just a matter of time. Had I not been out of energy by the time I got home every night, I might have tried to read at least some of the material every night when I got home. But we’re talking something like 1,400 pages! Plus, my commute and online teaching eat a chunk out of my days. I think I’ll be spending some of my free time over the next few months filling in gaps and finding ways to keep some things – like all the RAID levels – straight in my head. One of the things that surprised me is how vendor neutral the test is. It doesn’t ask questions that are specific to Cisco equipment or Solaris OS. You won’t have to unravel complicated commands or provide commands that work on some specific system. But you will have to walk into the exam with a fairly extensive amount of knowledge and some good test taking skills. If you’re thinking of going after your CISSP, I think you should consider taking a prep course with someone who can not only help you digest the material but can give you a lot of perspective on the test. My class was offered by UTSA (http://www.utsa.edu) but was offered in Delaware, not Texas. The CISSP changes slowly and covers a lot of technology that you may never encounter, but it also provides a lot of perspective on how security is managed and provided -- and from a number of perspectives. The exam will cost you something like $600, includes 250 questions that you have to answer in six hours and you have to earn 700 points out of 1,000 possible points. The questions don’t all count the same. In fact, some don’t count at all and you won’t know which they are. But preparing will give you a lot of background on what security is all about and passing might just open up some very promising career doors. The world needs more CISSPs running around and making things better. Maybe you’ll be one of them!

Read more of Sandra Henry-Stocker's Unix as a Second Language blog and follow the latest IT news at ITworld, Twitter and Facebook.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies