CISSP domain 3: Security engineering – What you need to know for the exam [2022 update]
If you are looking to land a rewarding job in the cybersecurity industry or accelerate your career, the CISSP certification might be the right choice. This credential is helpful to professionals in network architect, security analyst or auditor and security systems engineer roles, and those aspiring to roles as a chief information security officer or IT director.
What is the CISSP?
The Certified Information Systems Security Professional (CISSP) is a certification for those with a proven track record of managerial and technical competence, experience, credibility and skills to engineer, design, manage and implement an entire information security program meant to shield organizations from increasingly sophisticated cyberattacks.
The International Information Security Certification Consortium, or (ISC)², an international, nonprofit membership association for information security leaders, created the CISSP certification. As of January 1, 2021, there are over 147,591 total CISSP certified members who’ve taken and passed the test.
Before you can be certified, you must register and schedule an exam date with Pearson VUE, the exclusive, global administrator of all (ISC)² exams. (ISC)² certification exams are computer-based, consisting of multiple-choice questions.
Computerized Adaptive Testing (CAT) is used for all English CISSP exams worldwide. This change has reduced the maximum exam administration time from six hours to three hours and the number of items necessary to accurately assess a candidate’s ability from 250 on a linear, fixed-form exam to as few as 100 items on the CISSP CAT exam.
Candidates must achieve 700 out of 1,000 points to pass. The CISSP exam costs $749 for the Americas, Asia Pacific, Middle East and Africa regions, while in the UK, it’s GBP 585, or EUR 665. It is available in eight languages at 882 locations in 114 countries.
Before sitting for the CISSP exam, all candidates must have a minimum of five years of full-time paid employment in two or more domains. See the CISSP experience requirements for details.
Continuing professional education credits (CPEs)
Recertification is accomplished by earning 120 CPE credits over a three-year certification cycle and paying an annual maintenance fee (AMF) of $125 to support ongoing development. The CPE requirement ensures that professionals keep their competencies and knowledge up to date and relevant.
Who should become CISSP qualified?
As (ISC)² mentions, “the CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles.”
The CISSP certification is for professionals employed in the following careers:
- Security manager
- Security consultant
- IT director/manager
- Security architect
- Security auditor
- Network architect
- Chief information security officer
- Security analyst
- Security systems engineer
- Director of security
What are the CISSP domains?
The CISSP is built on an extensive, current, global common body of knowledge (CBK) that ensures security leaders have an in-depth understanding of regulations, practices and technologies. The CISSP examination tests individuals in eight domains:
- Security and risk management
- Asset security
- Security architecture and engineering
- Communication and network security
- Identity and access management (IAM)
- Security assessment and testing
- Security operations
- Software development security
This article will focus on Domain 3: Security architecture and engineering, which covers essential security engineering topics using plans, designs and principles.
According to the recent CISSP domain refresh (May 1, 2021), this domain covers the roles and responsibilities of today’s practicing cybersecurity professionals who represent IT, configuration management, design and engineering:
- Research, implement and manage engineering processes using secure design principles
- Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
- Select controls based upon systems security requirements
- Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
- Assess and mitigate the vulnerabilities of security architectures, designs and solution elements
- Select and determine cryptographic solutions
- Understand methods of cryptanalytic attacks
- Apply security principles to site and facility design
- Design site and facility security controls
The CISSP exam outline, the official document describing the domains, states that Domain 3 currently carries a 13% weight in the CISSP exam.
Aspiring CISSP-certified individuals must have at least a baseline knowledge of assessing and mitigating information system vulnerabilities, the fundamental concepts of security models and security architectures in critical areas such as access control. They also need to understand the other topics covered in this domain: cloud systems, cryptography, system infiltrations (ransomware, fault injection and more) and virtualized systems.
NIST system development lifecycle
The system development life cycle (SDLC) covers all the steps of the system life including initiation, analysis, design, implementation, maintenance and disposal.
It is important to integrate security in every step of the system development process to ensure information protection.
The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) first addressed this topic with the publication of NIST SP 800-64, Security Considerations in the System Development Life Cycle; its second revision was retired in 2019.
Currently, professionals can refer to NIST SP 800-160 Vol 1 that addresses “the engineering-driven actions necessary to develop more defensible and survivable systems” in a landscape in which the frequency, intensity and adverse consequences of sophisticated cyberattacks on the systems are on the rise.
Domain 3 represents the exam portion for those who will implement architectural information security requirements in information systems to minimize or eliminate security vulnerabilities introduced in the development lifecycle. Several security models are covered.
Enterprise security architecture framework
The heavy dependency of businesses on information systems underscores the urgency of building an effective security architecture across the entire enterprise, one that provides sufficient security for the organization and prevents private information from being exposed, lost or stolen.
Domain 3 also focuses on enterprise security architecture, an extensive blueprint for balancing information technology and business needs. A poorly designed security architecture has significant negative implications for a business, such as being unable to carry out daily business operations.
What does the future hold for security engineering?
Security engineering handles the integrity and security of real-world systems. There are many similarities to systems engineering, one of which is that their function is to ensure that designs meet the requirements outlined. The main difference is that security engineering is responsible for the consistent enforcement of security policies, processes, procedures or practices.
Computer technology has advanced so rapidly that it has created far more convoluted systems with even more intricate security problems. Secure systems must be capable of withstanding a wide range of attacks, from technical ones to human-based ones such as fraud and deception. This involves aspects of psychology, social science and economics, mathematics, physics and chemistry.
Security engineering is going to become much more complex at the technological level before it gets any easier. This is partly a result of the ever-increasing and continuous stream of technology that continues to arrive. At the same time, as there is an increase in researchers, there is also an increase in attackers looking for vulnerable systems. As security improves, so do attackers. They adapt to emerging or new technologies.
The constant need to find new ways to prevent cybersecurity breaches means organizations will need security engineers. This profession is constantly evolving and growing, requiring a continuous stream of certified CISSPs in this arena.
Learning CISSP’s Domain 3
If you have a strong technical background, then you might consider the CISSP certification. This credential truly demonstrates that you are at the top of your cybersecurity game in terms of both knowledge and experience.
With numerous workforce studies showing that the demand for CISSP-certified professionals outstrips the number of credential holders, it’s a good time to consider this highly sought-after option for a step forward both from a career point of view and, why not, from a salary standpoint.
- CISSP, (ISC)²