CISSP For Dummies

CISSP For Dummies

by Lawrence C. Miller, Peter H. Gregory

Paperback

$40.49 $44.99 Save 10% Current price is $40.49, Original price is $44.99. You Save 10%.
View All Available Formats & Editions
Eligible for FREE SHIPPING
  • Want it by Friday, October 19  Order now and choose Expedited Shipping during checkout.

Overview

CISSP For Dummies by Lawrence C. Miller, Peter H. Gregory

Secure your CISSP certification!

If you’re a security professional seeking your CISSP certification, this book is a perfect way to prepare for the exam. Covering in detail all eight domains, the expert advice inside gives you the key information you'll need to pass the exam. Plus, you'll get tips on setting up a 60-day study plan, tips for exam day, and access to an online test bank of questions.

CISSP For Dummies is fully updated and reorganized to reflect upcoming changes (ISC)2 has made to the Common Body of Knowledge. Complete with access to an online test bank this book is the secret weapon you need to pass the exam and gain certification.

  • Get key information for all eight exam domains
  • Find test-taking and exam-day tips and tricks
  • Benefit from access to free online practice questions and flash cards
  • Prepare for the CISSP certification in 2018 and beyond

You’ve put in the time as a security professional—and now you can reach your long-term goal of CISSP certification.

Product Details

ISBN-13: 9781119505815
Publisher: Wiley
Publication date: 06/19/2018
Pages: 560
Sales rank: 140,400
Product dimensions: 7.30(w) x 9.10(h) x 1.40(d)

About the Author

Lawrence Miller, CISSP, is a security consultant with experience in consulting, defense, legal, nonprofit, retail, and telecommunications. Peter Gregory, CISSP, is a CISO and an executive security advisor with experience in SaaS, retail, telecommunications, nonprofit, legalized gaming, manufacturing, consulting, healthcare, and local government.

Read an Excerpt

CISSP For Dummies


By Lawrence C. Miller, Peter Gregory

John Wiley & Sons

Copyright © 2012 John Wiley & Sons, Ltd
All rights reserved.
ISBN: 978-1-118-36239-6


CHAPTER 1

(ISC)2 and the CISSP Certification


In This Chapter

* Finding out about (ISC)2 and the CISSP certification

* Understanding CISSP certification requirements

* Registering for the exam

* Developing a study plan

* Taking the CISSP exam and waiting for results


Some say that the Certified Information Systems Security Professional (CISSP) candidate requires a breadth of knowledge 50 miles across and 2 inches deep. To embellish on this statement, we believe that the CISSP candidate is more like the Great Wall of China, with a knowledge base extending over 3,500 miles — maybe a few holes here and there, stronger in some areas than others, but nonetheless one of the Seven Wonders of the Modern World.

The problem with many currently available CISSP preparation materials is in defining how high the Great Wall actually is: Some material overwhelms and intimidates CISSP candidates, leading them to believe that the wall is as high as it is long. Other study materials are perilously brief and shallow, giving the unsuspecting candidate a false sense of confidence while he or she merely attempts to step over the Great Wall, careful not to stub a toe. To help you avoid either misstep, CISSP For Dummies answers the question, "What level of knowledge must a CISSP candidate possess to succeed on the CISSP exam?"


About (ISC)2 and the CISSP Certification

The International Information Systems Security Certification Consortium (ISC)2 (www.isc2.org) was established in 1989 as a nonprofit, tax-exempt corporation chartered for the explicit purpose of developing a standardized security curriculum and administering an information security certification process for security professionals worldwide. In 1994, the Certified Information Systems Security Professional (CISSP) credential was launched.

The CISSP was the first information security credential to be accredited by the American National Standards Institute (ANSI) to the ISO/IEC 17024:2003 standard. This international standard helps to ensure that personnel certification processes define specific competencies and identify required knowledge, skills, and personal attributes. It also requires examinations to be independently administered and designed to properly test a candidate's competence for the certification. This process helps a certification gain industry acceptance and credibility as more than just a marketing tool for certain vendor-specific certifications (a widespread criticism that has caused many vendor certifications to lose relevance over the years).


TECHNICAL STUFF

The ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are two organizations that work together to prepare and publish international standards for businesses, governments, and societies worldwide.

The CISSP certification is based on a Common Body of Knowledge (CBK) identified by the (ISC)2 and defined through ten distinct domains:

[check] Access Control

[check] Telecommunications and Network Security

[check] Information Security Governance and Risk Management

[check] Software Development Security

[check] Cryptography

[check] Security Architecture and Design

[check] Security Operations

[check] Business Continuity and Disaster Recovery Planning

[check] Legal, Regulations, Investigations and Compliance

[check] Physical (Environmental) Security


You Must Be This Tall to Ride (and Other Requirements)

The CISSP candidate must have a minimum of five cumulative years of professional, full-time, direct work experience in two or more of the domains listed in the preceding section. The work experience requirement is a hands-on one — you can't satisfy the requirement by just having "information security" listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly.

However, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:

[check] A four-year college degree

[check] An advanced degree in information security from a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) or a regional equivalent

[check] A credential that appears on the (ISC)2 approved list, which includes more than 30 technical and professional certifications, such as various SANS GIAC certifications, Microsoft certifications, and CompTIA Security+ (For the complete list, go to www.isc2.org/credential_waiver/default.aspx.)


TIP

In the U.S., CAEIAE programs are jointly sponsored by the National Security Agency and the Department of Homeland Security. For more information, go to www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml.


Registering for the Exam

As of June 1, 2012, the CISSP exam is now being administered via computer-based testing (CBT) at local Pearson VUE testing centers worldwide. To register for the exam, go to the (ISC)2 website (www.isc2.org), click the Certifications tab, click Computer Based Testing (CBT), and then click the Register Now – Pearson VUE button; alternatively, go directly to the Pearson VUE website (http://pearsonvue.com/isc2/).

On the Pearson VUE website, you have to create a web account first; then you can register for the CISSP exam, schedule your test, and pay your testing fee. You can also locate a nearby test center, take a Pearson VUE testing tutorial, practice taking the exam (which definitely you should do if you've never taken a CBT), and then download the (ISC)2 non-disclosure agreement (NDA).


TIP

Download and read the (ISC)2 NDA when you register for the exam. You're given five minutes to read and accept the agreement at the start of your exam. If you don't accept the NDA in the allotted five minutes, your exam will end and you forfeit your exam fees!

When you register, you're required to quantify your work experience in information security, answer a few questions regarding criminal history and related background, and agree to abide by the (ISC)2 Code of Ethics.

The current exam fee in the U.S. is $599. You can cancel or re-schedule your exam by contacting VUE by telephone at least 24 hours in advance of your scheduled exam or online at least 48 hours in advance. The fee to re-schedule is $20.


WARNING!

If you fail to show up for your exam, you'll forfeit your entire exam fee!


TIP

Great news! If you're a U.S. military veteran and are eligible for Montgomery GI Bill benefits, the Veteran's Administration (VA) will reimburse you for the full cost of the exam, regardless of whether you pass or fail.


Preparing for the Exam

Many resources are available to help the CISSP candidate prepare for the exam. Self-study is a major part of any study plan. Work experience is also critical to success, and you can incorporate it into your study plan. For those who learn best in a classroom or training environment, (ISC)2 offers CISSP review seminars.

We recommend that you commit to an intense 60-day study plan leading up to the CISSP exam. How intense? That depends on your own personal experience and learning ability, but plan on a minimum of two hours a day for 60 days. If you're a slow learner or reader, or perhaps find yourself weak in many areas, plan on four to six hours a day — and more on the weekends. But stick to the 60-day plan. If you feel you need 360 hours of study, you may be tempted to spread this study out over a six-month period for 2 hours a day. Consider, however, that committing to six months of intense study is much harder (on you, as well as your family and friends) than two months. In the end, you'll find yourself studying only as much as you would have in a 60-day period anyway.


Studying on your own

Self-study can include books and study references, a study group, and practice exams.

Begin by downloading the free official CISSP Candidate Information Bulletin (CIB) from the (ISC)2 website. This booklet provides a good outline of the subjects on which you'll be tested.

Next, read this book, take the practice exam, and review the materials on the Dummies website (www.dummies.com). CISSP For Dummies is written to provide the CISSP candidate an excellent overview of all the broad topics covered on the CISSP exam.

You can also find several study guides at www.cissp.com, www.cccure.org, and www.cramsession.com.

Joining or creating your own study group can help you stay focused and also provide a wealth of information from the broad perspectives and experiences of other security professionals.


REMEMBER

No practice exams exactly duplicate the CISSP exam (and forget about brain dumps — using or contributing to brain dumps is unethical and is a violation of your NDA which could result in losing your CISSP certification permanently). However, many resources are available for practice questions. Some practice questions are too hard, others are too easy, and some are just plain irrelevant. Don't despair! The repetition of practice questions helps reinforce important information that you need to know in order to successfully answer questions on the CISSP exam. For this reason, we recommend taking as many practice exams as possible. Use the Practice Exam on the Dummies website (www.dummies.com), and try the practice questions at Clement Dupuis and Nathalie Lambert's CCCure website (www.cccure.org).


Getting hands-on experience

Getting hands-on experience may be easier said than done, but keep your eyes and ears open for learning opportunities while you prepare for the CISSP exam.

For example, if you're weak in networking or applications development, talk to the networking group or programmers in your company. They may be able to show you a few things that can help make sense of the volumes of information that you're trying to digest.


TIP

Your company or organization should have a security policy that's readily available to its employees. Get a copy and review its contents. Are critical elements missing? Do any supporting guidelines, standards, and procedures exist? If your company doesn't have a security policy, perhaps now is a good time for you to educate management about issues of due care, due diligence, and other concepts from the Legal, Regulations, Investigations, and Compliance security domain.

Review your company's plans for business continuity and disaster recovery. They don't exist? Perhaps you can lead this initiative to help both you and your company.


Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar

The (ISC)2 also administers five-day CISSP CBK Review Seminars and Live OnLine seminars to help the CISSP candidate prepare. You can find schedules and registration forms for the CBK Review Seminar and Live OnLine on the (ISC)2 website at www.isc2.org.

The early rate for the CISSP CBK Review or Live OnLine seminar in the U.S. is $2,495 if you register 16 days or more in advance (the standard rate is $2,695).

If you generally learn better in a classroom environment or find that you have knowledge or actual experience in only two or three of the domains, you might seriously consider attending a review seminar.

If it's not convenient or practical for you to travel to a seminar, Live Online provides the benefit of learning from an (ISC)2 Authorized Instructor on your computer. Live OnLine provides all the features of classroom based seminars, real-time delivery, access to archived modules, and all official courseware.


Attending other training courses or study groups

Other reputable organizations, such as SANS (www.sans.org), offer high-quality training in both classroom and self-study formats. Before signing up and spending your money, we suggest that you talk to someone who has completed the course and can tell you about its quality. Usually, the quality of a classroom course depends on the instructor; for this reason, try to find out from others whether the proposed instructor is as helpful as he or she is reported to be.

Many cities have self-study groups, usually run by CISSP volunteers. You may find a study group where you live; or, if you know some CISSPs in your area, you might ask them to help you organize a self-study group.


TIP

Always confirm the quality of a study course or training seminar before committing your money and time.


CROSS-REFERENCE

See Chapter 3 for more information on starting a CISSP study group.


Take the testing tutorial and practice exam

If you are not familiar with the operations of computer-based testing, you may want to take a practice exam. Go to the Pearson VUE website and look for the Pearson VUE Tutorial and Practice Exam (at www.pearsonvue.com/ athena).

The tutorial and practice exam are available for Windows computers only. To use them, you must have at least 512 MB of RAM, 60 MB of available disk space, Windows 2000 or newer (XP, Vista, 7, or 8), and Microsoft Internet Explorer 5 or a newer browser.


Are you ready for the exam?

Are you ready for the big day? We can't answer this question for you. You must decide, on the basis of your individual learning factors, study habits, and professional experience, when you're ready for the exam. We don't know of any magic formula for determining your chances of success or failure on the CISSP examination. If you find one, please write to us so we can include it in the next edition of this book!

In general, we recommend a minimum of two months of focused study. Read this book and continue taking the practice exams — in this book and on the Dummies website — until you can consistently score 80 percent or better in all areas. CISSP For Dummies covers all the information you need to know if you want to pass the CISSP examination. Read this book (and reread it) until you're comfortable with the information presented and can successfully recall and apply it in each of the ten domains.

Continue by reviewing other materials (particularly in your weak areas) and actively participating in an online or local study group. Take as many practice exams from as many different sources as possible. You can't find any brain dumps for the CISSP examination, and no practice test can exactly duplicate the actual exam (some practice tests are simply too easy, and others are too difficult), but repetition can help you retain the important knowledge required to succeed on the CISSP exam.


About the CISSP Examination

The CISSP examination itself is a grueling six-hour, 250-question marathon. To put that into perspective, in six hours, you could walk about 20 miles, watch a Kevin Costner movie 1½ times, or sing "My Way" 540 times on a karaoke machine. Each of these feats, respectively, closely approximates the physical, mental (not intellectual), and emotional toll of the CISSP examination.

As described by the (ISC)2, you need a scaled score of 700 or better to pass the examination. Not all the questions are weighted equally, so we can't absolutely state the number of correct questions required for a passing score.

You won't find any multiple-answer, fill-in-the-blank, scenario-based, or simulation questions on the CISSP exam. However, all 250 multiple-choice questions require you to select the best answer from four possible choices. So the correct answer isn't always a straightforward, clear choice. In fact, you can count on many questions to appear initially as if they have more than one correct answer. (ISC)2 goes to great pains to ensure that you really, really know the material. For instance, a sample question might resemble the following:

Which of the following is the FTP control channel?

A TCP port 21

B UDP port 21

C TCP port 25

D IP port 21


Many readers almost instinctively know that FTP's control channel is port 21, but is it TCP, UDP, or IP?

Increasingly, CISSP exam questions are based more on situations than on simple knowledge of facts. For instance, here's a question you might get:

A system administrator has found that a former employee has successfully logged in to the system. The system administrator should:

A Shut down the system.

B Confirm the breach in the security logs.

C Lock or remove the user account.

D Contact law enforcement.


(Continues...)

Excerpted from CISSP For Dummies by Lawrence C. Miller, Peter Gregory. Copyright © 2012 John Wiley & Sons, Ltd. Excerpted by permission of John Wiley & Sons.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Table of Contents


Introduction     1
About This Book     1
How This Book Is Organized     2
Certification Basics     2
Domains     2
The Part of Tens     2
Appendixes and Bonus Chapters     2
How the Chapters Are Organized     3
Chapter introductions     3
Study subjects     3
Tables and illustrations     3
Prep Tests     4
Icons Used in This Book     4
Let's Get Started!     5
Certification Basics     7
(ISC)[subscript 2] and the CISSP Certification     9
About (ISC)[superscript 2] and the CISSP Certification     9
You Must Be This Tall to Ride (And Other Minimum Requirements)     10
Registering for the Exam     11
Developing a Study Plan     12
Self-study     13
Getting hands-on experience     14
Attending an (ISC)[superscript 2] CISSP review seminar     14
Attending other training courses or study groups     15
Are you ready for the exam?     15
About the CISSP Examination     16
Waiting for Your Results     17
The Common Body of Knowledge (CBK)     19
Access Control     19
Telecommunications and Network Security     20
Information Security and Risk Management     21
Application Security     21
Cryptography     22
Security Architecture and Design     22
Operations Security     23
Business Continuity and Disaster Recovery Planning     23
Legal, Regulations, Compliance, and Investigations     24
Physical (Environmental) Security     24
Putting Your Certification to Good Use     25
Following the (ISC) [superscript 2] Code of Ethics     26
Keeping Your Certification Current     27
Remaining an Active (ISC)[superscript 2] Member     27
Considering (ISC)[superscript 2] Volunteer Opportunities     28
Writing certification exam questions     28
Speaking at events     29
Supervising examinations     29
Writing articles for the (ISC)[superscript 2] Journal or (ISC)[superscript 2] Newsletter     29
Participating in (ISC[superscript 2] focus groups     30
Getting involved with a study group     30
Becoming an Active Member of Your Local Security Chapter     30
Spreading the Good Word about CISSP Certification      31
Promoting other certifications     32
Wearing the colors proudly     32
Using Your CISSP Certification to Be an Agent of Change     33
Earning Other Certifications     33
Other (ISC)[superscript 2] certifications     34
Non-(ISC)[superscript 2] certifications     34
Choosing the right certifications     36
Domains     37
Access Control     39
Uncovering Concepts of Access Control     40
Control types     40
Access control services     42
Categories of Access Control     43
System access controls     43
Data access controls     63
Evaluating and Testing Access Controls     67
Why test?     67
When and how to test     68
Additional References     69
Telecommunications and Network Security     73
Data Network Types     73
Local area network (LAN)     74
Wide area network (WAN)     74
The OSI Reference Model     75
Physical Layer (Layer 1)     76
Data Link Layer (Layer 2)     81
Network Layer (Layer 3)     92
Transport Layer (Layer 4)      94
Session Layer (Layer 5)     97
Presentation Layer (Layer 6)     98
Application Layer (Layer 7)     98
The TCP/IP Model     100
Network Security     100
Firewalls     101
Virtual Private Networks (VPNs)     105
Intrusion detection and prevention systems (IDS and IPS)     108
Remote access     109
E-mail, Web, Facsimile, and Telephone Security     112
E-mail security     112
Web security     115
Facsimile security     115
PBX fraud and abuse     116
Caller ID fraud and abuse     116
Network Attacks and Countermeasures     117
SYN flood     117
ICMP flood     117
UDP flood     118
Smurf     118
Fraggle     118
Teardrop     118
Session hijacking (Spoofing)     118
Additional References     119
Information Security and Risk Management     123
Information Security Management Concepts and Principles     123
Confidentiality     124
Integrity     125
Availability      125
Defense-in-depth     125
Avoiding single points of failure     126
Data Classification     127
Commercial data classification     127
Government data classification     128
Mission Statements, Goals, and Objectives     129
Mission (not so impossible)     129
Goals and objectives     129
Policies, Standards, Guidelines, and Procedures     130
Policies     131
Standards (and baselines)     131
Guidelines     131
Procedures     132
Information Security Management Practices     132
Outsourcing     132
Internal Service Level Agreements (SLAs)     132
Identity management     132
Certification and accreditation     133
Personnel Security Policies and Practices     133
Background checks and security clearances     133
Employment agreements     134
Hiring and termination practices     134
Job descriptions     135
Security roles and responsibilities     135
Separation of duties and responsibilities     138
Job rotations     138
Risk Management Concepts      138
Risk identification     139
Risk analysis     141
Risk control     144
Security Education, Training, and Awareness Programs     146
Awareness     146
Training     147
Education     147
Additional References     148
Application Security     153
Distributed Applications     154
Security in distributed systems     154
Agents     155
Applets     155
Object-Oriented Environments     157
Databases     158
Database security     159
Data dictionaries     160
Data warehouses     160
Knowledge-Based Systems     161
Expert systems     161
Neural networks     162
Systems Development Life Cycle     162
Conceptual definition     164
Functional requirements     164
Functional specifications     164
Design     165
Coding     165
Code review     166
Unit test     166
System test     166
Certification     167
Accreditation      167
Maintenance     167
Notes about the life cycle     168
Change Management     168
Configuration Management     169
Application Security Controls     169
Process isolation     169
Hardware segmentation     169
Separation of privilege     170
Accountability     170
Defense in depth     170
Abstraction     171
Data hiding     171
System high mode     171
Security kernel     171
Reference monitor     171
Supervisor and user modes     172
Service Level Agreements     172
System Attack Methods     173
Malicious code     173
Denial of Service     177
Dictionary attacks     177
Spoofing     178
Social engineering     178
Pseudo flaw     178
Remote maintenance     179
Maintenance hooks     179
Sniffing and eavesdropping     179
Traffic analysis and inference     180
Brute force     180
Antivirus software     180
Perpetrators     182
Hackers      182
Script kiddies     182
Virus writers     182
Bot herders     183
Phreakers     183
Black hats and white hats     183
Additional References     184
Cryptography     189
The Role of Cryptography in Information Security     190
Cryptography Basics     191
Classes of ciphers     191
Types of ciphers     191
Key clustering     193
Putting it all together: The cryptosystem     194
Encryption and decryption     195
He said, she said: The concept of non-repudiation     196
A disposable cipher: The one-time pad     196
Plaintext and ciphertext     196
Work factor: Force x effort = work!     197
Cryptography Alternatives     197
Steganography: A picture is worth a thousand (hidden) words     197
Digital watermarking: The (ouch) low watermark     198
Not Quite the Metric System: Symmetric and Asymmetric Key Systems     198
Symmetric key cryptography     198
Asymmetric key cryptography     203
Message Authentication     207
Digital signatures     208
Message digests     208
Public Key Infrastructure (PKI)     210
Key Management Functions     210
Key generation     211
Key distribution     211
Key installation     211
Key storage     211
Key change     211
Key control     211
Key disposal     212
Key Escrow and Key Recovery     212
E-Mail Security Applications     212
Secure Multipurpose Internet Mail Extensions (S/MIME)     212
MIME Object Security Services (MOSS)     213
Privacy Enhanced Mail (PEM)     213
Pretty Good Privacy (PGP)     213
Internet Security Applications     213
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)     214
Secure Hypertext Transfer Protocol (S-HTTP)     214
IPSec     215
Multi-Protocol Label Switching (MPLS)     216
Secure Shell (SSH-2)     216
Wireless Transport Layer Security (WTLS)     216
Methods of Attack     217
The Birthday Attack     217
Ciphertext Only Attack (COA)     218
Chosen Text Attack (CTA)     218
Known Plaintext Attack (KPA)      218
Man-in-the-Middle     218
Meet-in-the-Middle     219
Replay Attack     219
Additional References     219
Security Architecture and Design     223
Computer Architecture     223
Hardware     224
Firmware     228
Software     228
Security Architecture     229
Trusted Computing Base (TCB)     229
Open and closed systems     230
Protection rings     230
Security modes     230
Recovery procedures     231
Issues in security architectures     231
Access Control Models     232
Bell-LaPadula     233
Access Matrix     233
Take-Grant     234
Biba     234
Clark-Wilson     234
Information Flow     235
Non-interference     235
Evaluation Criteria     235
Trusted Computer System Evaluation Criteria (TCSEC)     235
Trusted Network Interpretation (TNI)     239
European Information Technology Security Evaluation Criteria (ITSEC)     239
Common Criteria     240
System Certification and Accreditation      241
DITSCAP     242
NIACAP     242
Additional References     243
Operations Security     247
Security Operations Concepts     247
Antivirus and malware management     248
Making backups of critical information     248
Need-to-know     249
Least privilege     249
Privileged functions     250
Privacy     250
Legal requirements     251
Illegal activities     251
Record retention     252
Handling sensitive information     252
Remote access     253
Threats and Countermeasures     253
Errors and Omissions     253
Fraud     253
Theft     254
Employee sabotage     254
Industrial espionage     254
Loss of physical and infrastructure support     254
Hackers and crackers     255
Malicious code     255
Inappropriate employee activities     255
Security Operations Management     256
Security Controls     259
Resource protection     260
Privileged entity controls      260
Change controls     260
Media controls     261
Administrative controls     261
Trusted recovery     261
Security Auditing and Due Care     262
Audit Trails     262
Anatomy of an audit record     263
Types of audit trails     263
Finding trouble in them thar logs     264
Problem management and audit trails     265
Retaining audit logs     265
Protection of audit logs     266
Monitoring     267
Penetration testing     267
Intrusion detection and prevention     269
Violation analysis     270
Keystroke monitoring     270
Traffic and trend analysis     271
Facilities monitoring     271
Responding to events     271
Additional References     273
Business Continuity and Disaster Recovery Planning     277
Defining Disastrous Events     278
Natural disasters     278
Man-made disasters     279
The Differences between BCP and DRP     279
Understanding BCP Project Elements     280
Determining BCP Scope     281
Defining the Business Impact Assessment     282
Vulnerability Assessment     282
Criticality Assessment     283
Identifying key players     283
Establishing Maximum Tolerable Downtime     284
Defining Resource Requirements     284
BCP Recovery Plan Development     285
Emergency response     285
Damage assessment     285
Personnel safety     285
Personnel notification     286
Backups and off-site storage     286
Software escrow agreements     287
External communications     287
Utilities     288
Logistics and supplies     288
Fire and water protection     289
Documentation     289
Data processing continuity planning     290
Developing the BCP Plan     291
Identifying success factors     292
Simplifying large or complex critical functions     293
Documenting the strategy     293
Implementing the Business Continuity Plan     294
Securing senior management approval     294
Promoting organizational awareness     295
Maintaining the plan     295
Disaster Recovery Planning      295
Developing a Disaster Recovery Plan     296
Preparing for emergency response     296
Notifying personnel     297
Facilitating external communications     297
Maintaining physical security     298
Personnel safety     298
Testing the Disaster Recovery Plan     298
Additional References     299
Legal, Regulations, Compliance, and Investigations     303
Major Categories and Types of Laws     303
U.S. common law     304
International law     307
Major Categories of Computer Crime     307
Terrorist attacks     309
Military and intelligence attacks     310
Financial attacks     310
Business attacks     310
Grudge attacks     310
"Fun" attacks     311
Types of Laws Relevant to Computer Crimes     312
Intellectual property     312
Privacy laws     314
Computer crime and information security laws     316
Investigations     323
Evidence     324
Conducting investigations     330
Incident handling (Or response)     331
Ethics      333
(ISC)[superscript 2] Code of Ethics     333
Internet Architecture Board (IAB) - "Ethics and the Internet" (RFC 1087)     334
Additional References     334
Physical (Environmental) Security     339
Physical Security Threats     340
Site and Facility Design Considerations     343
Choosing a secure location     343
Designing a secure facility     344
Physical (Environmental) Security Controls     345
Physical access controls     345
Technical controls     349
Environmental and life safety controls     351
Administrative controls     356
Bringing It All Together     357
Additional References     358
The Part of Tens     363
Ten Test Preparation Tips     365
Get a Networking Certification First     365
Register Now!     365
Make a 60-Day Study Plan     366
Get Organized and Read!     366
Join a Study Group     367
Take Practice Exams     367
Take a CISSP Review Seminar     368
Develop a Test-Taking Strategy     368
Practice Drawing Circles!     369
Plan Your Travel      369
Ten Test Day Tips     371
Get a Good Night's Rest     371
Dress Comfortably (And Appropriately)     371
Eat a Good Breakfast     372
Arrive Early     372
Bring Your Registration Letter and ID     372
Bring Snacks and Drinks     372
Bring Prescription or Over-the-Counter Medications     373
Bring Extra Pencils and a Big Eraser     373
Leave Your Cell Phone, Pager, PDA, and Digital Watch Behind     373
Take Frequent Breaks     374
Ten More Sources for Security Certifications     375
ASIS International     375
Check Point     376
Cisco     376
CompTIA     377
DRI International     378
EC-Council     379
ISACA     379
(ISC)[superscript 2]     380
Microsoft     381
SANS/GIAC     381
Appendix and Bonus Chapters     383
About the CD-ROM     385
System Requirements     385
Contents     385
If You Have Problems (Of the CD Kind)     386
Index     387

Customer Reviews

Most Helpful Customer Reviews

See All Customer Reviews

CISSP For Dummies 4 out of 5 based on 0 ratings. 6 reviews.
iSamNC More than 1 year ago
Although the guide I received from taking the seminar from ISC2 was the definitive source for exam prep, this book was somewhat helpful. It's a much easier read than some of the other CISSP books I've experienced. Because the authors attempt to make this extremely dry subject a little more interesting and succeed somewhat. If you're not taking the seminar you should definitely read this book. Also note that there is a handy companion App for iDevices that allows you to electronically go over the sample questions from the book. If you're going to the seminar I'd give this a 3 star rating. If not, I add another star because it's value definitely goes up in the absence of the ISC2 classroom guide.
Guest More than 1 year ago
I looked into the CISSP classroom training, but the class was cancelled at the last minute. I purchased the CISSP for Dummies book with low expectations of real results. Also, this book has alot less pages than the other CISSP books that I saw. At any rate, I read the book and found it a FANTASTIC resource. It was very well written and easy to follow. Many compliments go out to the author. I did purchase other books to include the popular Shon Harris 'CISSP All-in-One'. I mostly used those books as reference books in addition to their practice questions. I was able to take the test and pass it very confidently on the first try. You have to know that I'm not a great test taker - much more hands on abilities. ;-) Again, if you are studying for the CISSP exam, I highly recommend that you pick up this book! This is my true and honest opinion of this book as I am not biased in any way. Good luck with your exam. Zhacary Smith CISSP, MCSE/MCSA, CCNA, MCT, Security+, Network+, A+.
Anonymous More than 1 year ago
Anonymous More than 1 year ago
Guest More than 1 year ago
Everyone knows that the CISSP exam is not for dummies, but don't let the title of this book put you off. It was great as a review/final cram before I took the exam. I think it would make an excellent first read, too. I studied using The CISSP Prep Guide and an online study group and then bought this book on the recommendation of someone in my study group. There is a chapter for each of the ten domains. There are no frills here, but the coverage is accurate, balanced, and matched pretty closely what I found on the exam. I particularly appreciated the study tools on the CD-ROM. The flash cards were pure genius. I was able to download them to my Palm, and I quizzed myself in the car all the way to the testing location. I definitely got my money's worth out of this book and highly recommend it to others sitting or considering sitting for the CISSP exam.
Anonymous More than 1 year ago
I read the sample ebook on my Android, and will buy this ebook, unfortunately B&N's price is much higher than Amazons and since B&N did not respond to my price match request I will be purchasing from Amazon as I think this book will be a good purchase for my studies for CISSP.