When a certification exam undergoes a modification to its coverage, it can be a headache if you’re in the planning stages for sitting it. I personally had this happen to me when I was studying for my CISSP exam in late 2011/early 2012 when the structure was changed and the plan was put in place to begin Computer-Based Testing among other things.

(ISC)2 (International Information Systems Security Certification Consortium) has just announced an enhancement to the domains and Common Body of Knowledge (CBK) that the CISSP (Certified Information Systems Security Professional) will be covering as of April 15, 2015. Anyone planning on taking the current exam will want to do so prior to April 15th. Please note this is for the baseline CISSP, not its concentrations.

The CISSP certification is oftentimes referred to as a mile wide of information, but 2 inches deep. This certification is designed to give the person awareness of a very broad set of skills, but not a deep dive into any particular subject. Because the CISSP requires that the tester already have quite an extensive amount of experience in the given topics, it is assumed that they have already run into situations that require knowledge beyond the scope of what the CISSP asks in a particular domain. This experience is verified through the vetting and/or audit processes.

In order to understand what the update entails, it is necessary to first understand what the CISSP covers at this time, and then approach the new changes with that in mind. Therefore we will be using the structure of the Ramp with 5 Levels to examine these changes one at a time to be better prepared for what is to come.

Level 1: Exam Breakdown

The exam as it stands now contains 250 questions. 25 of those questions are not graded, as they are experimental in nature. A passing score is 700 out of 1000 possible points on a weighted scale. The person taking the exam is allowed up to 6 hours to complete it; however, you are permitted breaks as needed. Please note that the clock does not stop during breaks. Computer-Based Testing is available in certain areas of the world; however, Paper-Based Testing may still be used in situations where it is impractical. The tester will know ahead of time which test they are taking. The exam is not open book. The CISSP certification is good for three years and Continuing Education Credits are required to maintain it: 20 per year, 120 by the end of the 3-year cycle.

Level 2: Present Domains

1. Access Control

  • File Permission Terminology and Concepts
  • Program Permissions and how to limit or expand their capabilities
  • Access Control Methodologies
  • Administer Permissions in various environments
  • Attacks such as Permission Escalation and Effective Permissions

2. Telecommunications and Network Security

  • Network Infrastructure
  • Networking Protocols and Ports
  • Networking Models such as OSI
  • How to secure Network Hardware Components
  • How to create Secure Network Connections
  • Network-Based Attacks such as DDoS (Distributed Denial of Service)

3. Information Security Governance and Risk Management

  • Align Security Practices with Business Goals
  • Legal terminology such as Due Diligence
  • The Use of Security Frameworks to simplify and standardize security policies

4. Software Development Security

  • Use of the SDLC, and security throughout the process
  • Attacks such as Buffer Overflow and hard-coded Backdoors
  • Auditing development practices

5. Cryptography

  • Protecting data at rest and data in transit
  • Cryptography concepts and models such as PKI (Public Key Infrastructure)
  • Non-repudiation
  • Methods for hiding data within data such as Steganography

6. Security Architecture and Design

  • CIA Triad (Confidentiality, Integrity and Availability)
  • Use of hardware to protect against attacks
  • Understand how to find system vulnerabilities
  • Defense-in-Depth

7. Operations Security

  • Need-to-Know and the concept of Least Privilege
  • Separation of Duties
  • Incident Response
  • Pro-active defense against unknown attacks

8. Business Continuity & Disaster Recovery Planning

  • Emergency Response
  • Chain of Command Structure
  • Backup Policies and Implementations
  • Failsafe requirements

9. Legal, Regulations, Investigations and Compliance

  • Computer Crime and related regulations
  • Items prohibited from International Trade
  • Ethical Considerations
  • Chain of Custody
  • Digital Forensics

10. Physical (Environmental) Security

  • Site Design and Perimeter Security
  • Internal Security Methodologies
  • Heating and Cooling advantages and weaknesses
  • Duress Training

Level 3: Update Domains

A. Security and Risk Management

  • CIA Triad (Confidentiality, Integrity, Availability)
  • Compliance
  • Computer Crime and related regulations
  • Ethics
  • Risk Assessments
  • Business Continuity
  • Threat Modelling

B. Asset Security

  • Data Classification
  • File Permission Terminology and Concepts
  • Protect Data at Rest and Data in Transit
  • Access Control Methodologies
  • Administer Permissions in various environments
  • Attacks such as Permission Escalation and Effective Permissions

C. Security Engineering

  • Secure Design Principles
  • Cryptography advantages, weaknesses and attacks
  • DRM (Digital Rights Management)
  • Non-Repudiation
  • Site Security and Design
  • Heating and Cooling advantages and weaknesses

D. Communications and Network Security

  • Network Infrastructure Concepts
  • OSI Model
  • Wireless Security Models
  • Securely Configuring Network Hardware
  • Secure Communications
  • Network Attacks and Mitigation

E. Identity and Access Management

  • Access Control: Physical and Logical
  • Access Control Methodologies
  • User Identification and Administration

F. Security Assessment and Testing

  • Vulnerability Assessment and Penetration Testing
  • Log Management
  • Internal and 3rd Party Auditing
  • Simulating attack scenarios
  • User Training and Awareness

G. Security Operations

  • Chain of Custody
  • Documentation
  • Requirements for Investigations
  • Intrusion Detection/Prevention
  • Exfiltration
  • Disaster Recovery
  • Incident Management
  • Business Continuity

H. Software Development Security

  • Secure Development Methodologies
  • Use of the SDLC, and security throughout the process
  • Attacks such as Buffer Overflow and hard-coded Backdoors
  • Auditing development practices
  • Assess Acquired Software

Level 4: Breakdown

The total number of domains has been reduced, and for the most part the contents have been rearranged so that related topics sit together from a given viewpoint. In this way, it is easier to understand a particular scenario while studying a topic without having to see the big picture first. In addition, there have been enhancements to particular topics as they have become higher priority since the last update. In the breakdown below, the number in front of each item is the present domain (from Level 2) that the topic was moved from, and "Enhanced" marks a topic that is new or has been expanded in the update.

A- Security and Risk Management

  • 6: CIA Triad (Confidentiality, Integrity, Availability)
  • 9: Compliance
  • 9: Computer Crime and related regulations
  • 9: Ethics
  • 3: Risk Assessments
  • 8: Business Continuity
  • Enhanced: Threat Modelling

B- Asset Security

  • 1: Data Classification
  • 1: File Permission Terminology and Concepts
  • 5: Protect Data at Rest and Data in Transit
  • 1: Access Control Methodologies
  • 1: Administer Permissions in various environments
  • 1: Attacks such as Permission Escalation and Effective Permissions

C- Security Engineering

  • 4: Secure Design Principles
  • 5: Cryptography advantages, weaknesses and attacks
  • Enhanced: DRM (Digital Rights Management)
  • 5: Non-Repudiation
  • 10: Site Security and Design
  • 10: Heating and Cooling advantages and weaknesses

D- Communications and Network Security

  • 2: Network Infrastructure Concepts
  • 2: OSI Model
  • Enhanced: Wireless Security Models
  • 2: Securely Configuring Network Hardware
  • 2: Secure Communications
  • 2: Network Attacks and Mitigation

E- Identity and Access Management

  • 1: Access Control: Physical and Logical
  • 1: Access Control Methodologies
  • 1: User Identification and Administration

F- Security Assessment and Testing

  • Enhanced: Vulnerability Assessment and Penetration Testing
  • Enhanced: Log Management
  • 9: Internal and 3rd Party Auditing
  • Enhanced: Simulating attack scenarios
  • Enhanced: User Training and Awareness

G- Security Operations

  • 9: Chain of Custody
  • 7: Documentation
  • 9: Requirements for Investigations
  • Enhanced: Intrusion Detection/Prevention
  • Enhanced: Exfiltration
  • 8: Disaster Recovery
  • 8: Incident Management
  • 8: Business Continuity

H- Software Development Security

  • 4: Secure Development Methodologies
  • 4: Use of the SDLC, and security throughout the process
  • 4: Attacks such as Buffer Overflow and hard-coded Backdoors
  • 4: Auditing development practices
  • Enhanced: Assess Acquired Software

Level 5: Further Reading and Dedication

Despite the fact that the total number of domains has been reduced, there is still an enormous amount of information covered by the CISSP. Add to that that each domain has been enhanced further with new content, and it becomes difficult for any single resource to be the end-all be-all. Having said that, there are some official resources available that will help answer many additional questions you may have.

(ISC)2 Code of Ethics https://www.isc2.org/ethics/default.aspx

(ISC)2 CISSP Domains https://www.isc2.org/cissp-domains/default.aspx

(ISC)2 CISSP Update FAQ https://www.isc2.org/cissp-sscp-domains-faq/default.aspx

(ISC)2 CISSP Update Exam Outline https://www.isc2.org/exam-outline/default.aspx

Many professionals that have the CISSP today would have had a considerably harder time without the help of Shon Harris. Before her death late last year, her Study Guide was considered by many to be the best in the business. The Information Security Community will forever be indebted to her, and she will be greatly missed.