One of the first things to do when considering the CISSP exam is to download the Candidate Information Bulletin (CIB). It provides you with a significant amount of information about the exam, including details about the domains covered by the exam. You can retrieve a candidate information bulletin for the CISSP exam after providing some registration information about yourself.
The CISSP exam includes questions from ten domains:
- Access Control
- Application Development Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security Governance and Risk Management
- Legal, Regulations, Investigations and Compliance
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security
The Access Control domain focuses on the concepts related to identification, authentication, authorization, and accounting. You should understand the different types (or factors) of authentication, the different types of controls (such as corrective, detective, preventive, and so on), and the various control techniques (such as mandatory, discretionary, and non-discretionary). You should also understand how logging and monitoring provide accounting, and be aware of common access control attacks.
In the Application Development Security domain, you can expect questions related to the application life cycle and the application development environment, including the different security controls that apply to each. Several models and tools are available to support the software life cycle, such as the Systems Development Life Cycle (SDLC) and some maturity models. You should also be familiar with issues such as change management, configuration management, risk analysis, and database topics such as data warehousing and data mining.
The Business Continuity and Disaster Recovery Planning domain covers Business Continuity Plans (BCPs), Disaster Recovery Plans (DRPs), and Business Impact Assessments (BIAs). You should be very familiar with the process of conducting a BIA, developing a recovery strategy, the disaster recovery steps, and how to test, update, assess, and maintain your plans.
Cryptography covers the various methods used to provide confidentiality and integrity for data at rest and in transit. You should be familiar with the common symmetric and asymmetric encryption concepts used for confidentiality, with message digests and hashing used for integrity, and with digital signatures used for authentication and non-repudiation. You should have a basic understanding of cryptanalysis and of common cryptanalytic attacks. A solid understanding of certificates and Public Key Infrastructure (PKI) is also needed for this domain.
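The three services this paragraph names, as an added Python example that is not part of the original article: a bare digest for integrity, an HMAC for integrity plus origin authentication under a shared key, and a textbook-sized toy RSA signature for non-repudiation. The payment-order messages, the shared key and the RSA parameters are constructed for illustration only.

```python
import hashlib
import hmac

# Added example, not from the original article. The RSA parameters are the
# textbook toy pair p=61, q=53 (n=3233) so the arithmetic stays visible; a real
# signature uses a vetted library with 2048-bit or larger keys.
TOY_N = 61 * 53                                   # 3233
TOY_E = 17                                        # public exponent
TOY_D = pow(TOY_E, -1, (61 - 1) * (53 - 1))       # private exponent, 2753

def digest(msg: bytes) -> str:
    """Message digest: integrity only. Anyone, an attacker included, can recompute it."""
    return hashlib.sha256(msg).hexdigest()

def hmac_tag(key: bytes, msg: bytes) -> str:
    """Keyed digest: integrity plus origin authentication for holders of the shared key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def hmac_verify(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)

def toy_sign(msg: bytes, d: int = TOY_D, n: int = TOY_N) -> int:
    """Sign the digest (reduced mod n) with the private exponent; only its holder can."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(h, d, n)

def toy_verify(msg: bytes, sig: int, e: int = TOY_E, n: int = TOY_N) -> bool:
    """Verification needs only the public exponent: the basis of non-repudiation."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(sig, e, n) == h

def tamper_scenario() -> dict:
    """Constructed scenario: an attacker rewrites a payment order in transit."""
    original, tampered = b"PAY 100 to alice", b"PAY 900 to mallory"
    key = b"secret shared by sender and receiver"   # never held by the attacker
    tag, sig = hmac_tag(key, original), toy_sign(original)
    forged_digest = digest(tampered)                # attacker recomputes freely
    receiver_forgery = b"PAY 1 to bob"              # receiver also knows the key
    return {
        # A fresh digest travels with the altered message, so the receiver's
        # digest comparison passes: a bare hash cannot authenticate origin.
        "digest_check_fooled": digest(tampered) == forged_digest,
        # Without the key the attacker can only replay the old tag, which fails.
        "hmac_rejects_tamper": not hmac_verify(key, tampered, tag),
        # But either key holder can mint a valid tag, so a tag never proves who did.
        "hmac_receiver_can_forge": hmac_verify(key, receiver_forgery, hmac_tag(key, receiver_forgery)),
        # The signature verifies only for the message the private-key holder signed.
        "signature_valid": toy_verify(original, sig),
        "signature_rejects_tamper": not toy_verify(tampered, sig),
    }
```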
Information Security Governance and Risk Management is a very broad topic that includes policies, standards, procedures, and guidelines, and how they're used to help protect the security triad of confidentiality, integrity, and availability. You'll need to understand how organizations apply security practices internally, along with a basic understanding of risk, risk assessments, risk assignment, and the evaluation and use of countermeasures as part of an overall risk management plan. This domain also includes objectives related to the (ISC)2 Code of Ethics, which you must subscribe to before taking the CISSP exam.
In the Legal, Regulations, Investigations and Compliance domain, you'll be tested on your knowledge of legal issues, investigations, forensic procedures, and compliance requirements and procedures. Some of these topics are international in nature, such as computer crime and import/export issues, while others delve into U.S. laws such as HIPAA.
The Operations Security domain includes many common concepts such as need to know, least privilege, job rotation, and separation of duties, as well as the details of the five steps of incident response (detection, response, reporting, recovery, and remediation). You should also have a solid understanding of how to prevent and respond to attacks using common IT practices such as patch management, configuration management, and fault tolerance.
For Physical (Environmental) Security, you should have a good understanding of the different threats and vulnerabilities related to physical security, and of the methods used to protect both the IT resources and the people within a facility. These include physical controls such as locks, badges, guards, lights, and cameras. The domain also covers the elements of facilities security, such as separate security zones for different IT equipment and data, HVAC, water issues, and fire prevention, detection, and suppression.
In the Security Architecture and Design domain, you're expected to know many of the models used for security design, such as the Common Criteria, and some specific guidelines such as the Payment Card Industry Data Security Standard (PCI DSS). You're also expected to understand components of specific information systems such as the Trusted Platform Module (TPM), vulnerabilities of security architectures such as covert channels, and some of the vulnerabilities and threats to applications and systems, such as those that exploit databases. Countermeasures mitigate risks, and this domain expects you to understand basic countermeasure principles such as defense in depth.
IT administrators will find a lot of familiar material in the Telecommunications and Network Security domain, such as the OSI and TCP/IP models and the basics of IP networking. This domain also covers secure data communications, secure communication channels (such as VPNs), and secure network components such as routers, switches, firewalls, and proxy servers. You're also expected to understand the different types of network attacks.