
7-Step Guide to Pass the CISSP Exam

Phoenix IEEE Computer Society February 11, 2003


Debbie Christofferson, CISSP, CISM
Sapphire-Security Services
DebbieChristofferson@earthlink.net
480-988-4194

31 percent of the certificants in a 2002 study received a job promotion within the first year after receiving their primary technical certification.
- CertMag.com

2004 www.career-therapy.com DebbieChristofferson@earthlink.net Page 2

Key Points

- Defining the value of a CISSP certification
- Meeting the criteria to become a CISSP
- Learning exactly what the CISSP exam includes
- Saving time and stress when preparing to pass the exam
- Finding out what works and what doesn't
- Applying methods that work best for you
- Finding out what to expect after passing the exam


Certified Information Systems Security Professional

- Recognized industry credential for security professionals
- The Information Systems Security Certification Consortium, or ISC(2), administers it
- International


Certification Value

- Professions often require it
- Sets national standards in proficiency
- Provides career recognition
- Creates a perception of worth and quality for the profession
- Confirms a working knowledge of information security


Certification Value

For the individual
- Highlights value to a potential employer, recognizes career achievements and provides credentials based on requirements and evaluations
- Enhances career
- Opens doors

To the employer
- Provides an effective, meaningful and objective measure to determine the qualifications of job candidates
- Guarantees specific skills & knowledge of the field
- Raises employee morale for companies paying for certification


Beachfront Quizzer CISSP Benefits

- Wide-spread acceptance of certification credentials
- Simplified recruiting and hiring: assures a minimum knowledge level in applicants, higher quality candidates, & minimizes applicant screening
- Validated technical knowledge without being tied to a particular vendor's products
- Gives a substantial advantage in the fast-changing technology marketplace
- Competitive advantage in highly competitive technology markets, for certificate holder and hiring organization


Security Demand

- Specialized certifications could cinch IT applicant job deal
- Pay raises and bonuses based on certifications dropped with the economy
- Demand for some coveted certifications has been rising, and the value of those certifications is predicted to increase

Source: "Specialty Certifications Carry Clout in 2003," by Ellen O'Brien, News Editor, 20 Dec 2002, SearchDatabase.com


Security Demand

"People are scanning resumes for certifications and tossing aside ones that don't have any. Employers have to start somewhere."
- David Foote, president of Foote Partners, a New Canaan, Conn., research firm that specializes in tracking certification

"Security topped the list of certifications that increased in value in 2002, according to several surveys. By most accounts, the prestigious Certified Information Security Systems Professional (CISSP) should retain its celebrity status in the coming year."
Source: "Specialty certifications carry clout in 2003," Ellen O'Brien, News Editor, 20 Dec 2002, SearchDatabase.com


The average certificant earns $55,577 annually. 37 percent of respondents received a promotion within a year of attaining their primary certification, and 53 percent received an average 19.3 percent salary increase in that same first year.
Reported in December 2001 CertMag


Top Certification Salaries

- HP/Compaq Master ASE: $81,131
- (ISC)2 CISSP: $80,195
- Novell Master CNE: $77,568
- Oracle DBA: $75,941
- HP/Compaq Accredited Professional: $72,285
- HP/Compaq API: $71,961
- Lotus CLP: $69,835
- Citrix CCEA: $68,578
- Novell CNE: $68,095
- HP/Compaq APS: $67,721

Source: http://www.certmag.com/issues/dec02/feature_gabelhous.cfm

The average certification provides a 3.2-to-1 ROI: for every dollar invested in a certification, the certificant realizes a $3.20 return in the form of a pay raise. This is up from the 2001 study (2.3-to-1 in 2001). Vendors offering low-cost certifications provide the best ROIs. The top quartile for vendor certification ROI also includes (ISC)2, Lotus, Citrix and Cisco.


CISSP Price/Value High

- Price/value of a certification is one of the most important factors candidates consider when choosing a program
- IBM's certifications rated as providing the best price/value
- Overall, and against all attributes of vendors' certification programs, (ISC)2 was rated the highest
- *The more years a certificant has been in IT, the more money he or she makes

Source: Certification Magazine, December 2002, "Certification, Salaries & the IT Market," by Gary Gabelhouse


CISSP Application Criteria

- 3-4 years direct IS experience in these or other related fields:
  - Practitioner
  - Auditor
  - Consultant
  - Vendor
  - Investigator
  - Instructor
- (ISC)2 Code of Ethics
- College degree or equivalent life experience
- Pass the CISSP exam
- Renewed in 3-year increments:
  - Annual maintenance fee
  - Continuous education


CISSP Exam Structure

- 250 multiple-choice questions
- 6 hours to complete
- Ten domains; you must pass them all
- Exam questions based on the ISC(2) Common Body of Knowledge (CBK), the foundation for an experienced security professional


10 Test Domains

1. Access Control
2. Applications & Systems Development
3. Business Continuity Planning
4. Cryptography
5. Law, Investigation & Ethics
6. Operations Security
7. Physical Security
8. Security Architecture
9. Security Management Practices
10. Telecommunications, Network & Internet Security


Exam Preparation Strategies That Work

- Practice tests
- Self-study
- Study groups
- Review seminar or course


Study Methods
Certification Magazine, Tim Sosbe Certification Training: Real Results, Real Value


CISSP Review Seminar

- (ISC)2 CISSP CBK Review Seminar
- Register online at https://www.isc2.org
- Investment discounted for early registration and professional security group members ($2245-$2695)
- Offered at some industry conferences in condensed format and at reduced cost
- Government rates available


What Doesn't Work

- Reading a big stack of books
- Studying in groups
- Taking the test cold turkey



After the Exam

- Receive written test results
- Complete and submit CISSP application
  - CISSP application must be endorsed by a qualified third party before the credential is awarded:
    - Candidate's employer
    - Any licensed, certified or commissioned professional may endorse a CISSP candidate
- Annual maintenance fee $85


After Passing the Exam

- Receive certificate and ID with CISSP designation & #
- Optional:
  - CISSP directory listing
  - Speakers Bureau participation
  - Serve on committees
  - Participate in annual ISC(2) elections


Re-Certification Every 3 Years

- Earn 120 hours of continuing professional education (CPE) credit over a 3-year period
  - 80-120 A-Credit hours: 80 must be earned in activities directly related to the profession
  - 40 B-Credit hours: up to 40 CPEs may be earned in other educational activities that enhance the CISSP's overall professional skills, knowledge, and competency
  - Some carry-over permitted if you earn more than 120 hours in a 3-year period
- OR retake and pass the exam every three years
- Random audits


Earning Certification Credit

- Educate others on security
- Write on security
- Author CISSP exam questions
- Participate in security forums
- Serve on professional security group boards and committees
- Attend security training


SSCP System Security Certified Practitioner

- International standard for practitioners of information security and understanding of a Common Body of Knowledge (CBK)
- Sponsored and administered by ISC(2)
- Covers seven domains
- Focuses on practices, roles and responsibilities as defined by experts from major IS industries
- Includes 125 multiple-choice questions on an exam with up to 3 hours given for completion


SSCP

Seven domains:
1. Access Controls
2. Administration
3. Audit and Monitoring
4. Risk, Response and Recovery
5. Cryptography
6. Data Communications
7. Malicious Code/Malware


Other Security Certifications

- ISACA CISM - Certified Information Security Manager
- ITAA ISA - Information Security Awareness
- CWSP - Certified Wireless Security Professional (secure your wireless LAN)

Source: http://www.certz.com/certztop50/index.html


ISACA CISA - Certified Information System Auditor

- ISACA lists 29,000 worldwide
- Geared to information assurance and business processes
- Beginning of competence in auditing and IT auditing
- Auditing is the biggest component
- Common in IT auditing with audit firms, banking, and finance


SANS Security Institute

- Global Information Assurance Certification (GIAC)
  - GIAC Certified Intrusion Analyst (GCIA)
  - GIAC Certified Firewall Analyst (GCFW)
  - GIAC Security Essentials Certification (GSEC)
  - Additional certifications will follow shortly, with the GIAC Certified UNIX Security Administrator (GCUX) next on the list for release


CISCO Security Certifications

- CCSP - Cisco Certified Security Professional
  - For network professionals who design and implement secure CISCO networks
  - MCNS - Managing Cisco Network Security
  - CSPFA - Cisco Secure PIX Firewall Advanced
  - CSIDS - Cisco Secure Intrusion Detection System
  - CSVPN - Cisco Secure VPN
  - CSI - Cisco SAFE Implementation


NSA ISSEP Certification

- (ISC)2 selected by the NSA to develop the new ISSEP (Information Systems Security Engineering Professional) certification
- Likely to become a best practice for people who want to do highly sophisticated information security work within the national security sector, and throughout government and the private sector
- (ISC)2 plans to offer the new certification to all federal agencies and private-sector companies that do business with the federal government


"The U.S. government has a unique set of standards for information security," said Patricia Moreno, chief of staff for NSA's Information Assurance Directorate. "We believe (ISC)2's longtime international expertise in professional certification best suits our training needs within NSA."

ISSEP Certification Domains

- Certification and accreditation
- Government policy and regulation
- Systems security engineering process
- Protection needs determination

Security Certifications

- CISA (ISACA)
- CISSP ((ISC)2)
- GIAC (SANS)
- CISM (ISACA)
- ISEB (ISMC)
- ISSAP ((ISC)2)
- ISSEP ((ISC)2)
- ISSMP ((ISC)2)
- ITPC (UK Gov't)
- SSCP ((ISC)2)
- Security+ (CompTIA)
- TICSA (TruSecure)
- Vendor-specific certifications, e.g. MCSE

Listed by Reed Surveys Feb/04


ITAA Survey on Certifications & Hiring


Seventy-three percent said Certified Information Security Systems Professional (CISSP) certifications carry the most weight.
September 15, 2003 Press Release at www.itaa.org/news


Summary

- Beef up your resume and career
- Complete practice tests by domain
- Study only the domains below 85%
- Complete a review course for the best rate of passing
- Allocate study time based on experience and practice test results


Appendix


Terms & Definitions

- CBK - Common Body of Knowledge
- CISA - Certified Information Systems Auditor
- CISM - Certified Information Security Manager
- CISSP - Certified Information Security System Professional
- SANS Institute - SysAdmin, Audit, Network, Security
- SSCP - System Security Certified Practitioner


Resources - CISSP

- www.isc2.org
  - Certifying body for CISSP, SSCP, and NSA's ISSEP
  - Test & review seminar schedule, resources, jobs
  - CISSP Review Course schedule: https://www.isc2.org/cgi/course_schedule.cgi
- www.cissp.com
  - Books, seminar & exam schedules, resources, jobs


Computer Security Institute 30th Annual Security Conference

- Sponsored by (ISC)2
- Review Seminar: November 5-6, 8:30 AM - 5:00 PM
- CISSP Exam: Friday, November 7, 8:00 AM to 3:00 PM
- CISSP Networking Reception: Tuesday, November 4, 6:30 - 7:30 PM

http://www.gocsi.com/events/cissp-exam.jhtml

Official (ISC)2 Guide to the CISSP Exam

- Created by the exam's certifying organization, (ISC)2
- Based on the CISSP course
- Reviewed by past ISSA President and ISSA/(ISC)2 and Hal Tipton
- Retail Price: $69.95; discounted at www.cissp.com to $60 USD
- Rating at www.cissp.com


CISSP Exam Guide Books

- The CISSP Prep Guide: Mastering the Ten Domains of Computer Security
  by Ronald L. Krutz, Russell Dean Vines and Edward M. Stroz
- CISSP Exam Cram
  by Mandy Andress
- CISSP All-in-One Exam Guide
  by Shon Harris, for practice exams
- Security Engineering: A Guide to Building Dependable Distributed Systems
  by Ross J. Anderson. Covers most exam topics


CISSP Exam Guide Books

- CISSP All-in-One Exam Guide
  by Shon Harris. DVD training class also available.
- The Total CISSP Exam Prep Book: Practice Questions, Answers, and Test Taking Tips and Techniques
  by Thomas Peltier, Patrick D. Howard
- CISSP for Dummies
  by Lawrence C. Miller
- Mike Meyers' CISSP Certification Passport
  by Shon Harris


CISSP Practice Tests

- www.cissp.com
  - Exam Preparation Software
  - FlashCard for the CISSP exam
- www.boson.com
- www.cccure.org
- www.srvbooks.com
- www.bfq.com


Certification Resources

- Books: www.amazon.com
  - Information Security Management Handbook, 4th Edition, Vol I and II
    by Harold F. Tipton & Micki Krause
- SANS Institute: www.sans.org
- ISACA: www.isaca.org
  - CISA & CISM
- Certification exam practice
  - http://www.freepractice.com/default.htm
  - http://www.skilldrill.com/
  - http://www.certificationzone.com


Bio: Debbie Christofferson, CISSP, CISM

- Practiced leading edge Fortune 500 security management and consulting for 14 years, with 20 overall years in the technology field
- Consultant, speaker, and published author
- www.Sapphire-Security.com
- www.Career-Therapy.com
- DebbieChristofferson@earthlink.net

