Preparing for the CISSP exam, Part 1

A reader and colleague recently asked me a few questions about the Certified Information Systems Security Professional exam, and I thought readers might benefit from the interchange.

N. Todd Pritsky (see http://www.pritsky.net) is one of the authors collaborating in the preparation of "The Computer Security Handbook, Fourth Edition," edited by Sy Bosworth and me. It will be published this year by Wiley.

In this first segment of a three-part series, I look at the exam.

Pritsky asked:

"How does the CISSP compare to the [Systems Security Certified Practitioner] in terms of the exam itself and the relative weight/importance of the certification?"

Both are useful stages in professional development. Visit the International Information Systems Security Certification Consortium (ISC)² Web site -- http://www.isc2.org/ -- where you will find a wealth of material about the CISSP and the SSCP.

The SSCP is more hands-on and limited to technical issues. According to the description at https://www.isc2.org/sscp_examover.html: "The International Information Systems Security Certification Consortium, or (ISC)², working with a professional testing service, has developed a certification examination based on the SSCP Common Body of Knowledge (CBK). Candidates have up to 3 hours to complete the examination… which consists of multiple-choice questions that address the seven topical test domains of the CBK. The information systems security test domains are:

* Access Control.

* Administration.

* Audit and Monitoring.

* Risk, Response, and Recovery.

* Cryptography.

* Data Communications.

* Malicious Code."

In contrast, the CISSP is deliberately designed to cover a wide range of topics that distinguish information security experts from other kinds of IT experts. As described at https://www.isc2.org/cissp_examover.html: "Candidates have up to 6 hours to complete the examination… which consists of 250 multiple-choice questions that address the [10] topical test domains of the CBK. The information systems security test domains are:

* Access Control Systems & Methodology.

* {Computer} Operations Security.

* Cryptography.

* Application & Systems Development.

* Business Continuity & Disaster Recovery Planning.

* Telecommunications & Network Security.

* Security Architecture & Models.

* Physical Security.

* Security Management Practices.

* Law, Investigations & Ethics."

Pritsky also asked:

"What can you tell me about the exam itself? A lot of questions? Evenly distributed amongst the 10 domains? Multiple choice? Hands-on? I don't really know what to expect."

CISSPs and all who take the exam are under a nondisclosure agreement not to divulge the detailed content. See the sample questions on the (ISC)² Web site.

In the next segment of this three-part series, I will look at useful reading for future CISSPs.

This story, "Preparing for the CISSP exam, Part 1," was originally published by Network World.