Certified Information Systems Security Professional

The Certified Information Systems Security Professional (CISSP) is a certification offered by the International Information Systems Security Certification Consortium, Inc. ((ISC)²). The certificate is an internationally recognized training standard in the field of information security. According to (ISC)², as of 5 August 2012 there were 88,042 CISSP-certified people worldwide, of them 1,096 in Germany, 608 in Switzerland and 137 in Austria.

To obtain the certificate, extensive knowledge of the security topics from the 10 domains of the so-called Common Body of Knowledge (CBK) must be demonstrated. The domains span an arc from physical security, software architecture, network and telecommunications and cryptography to legal issues (the full list of domain names is given below). While the legal domain focuses heavily on the U.S., the remaining nine domains cover internationally accepted security standards, which explains the global relevance of the certificate.

For Germany and Europe there are specialized certifications, such as the TeleTrusT Information Security Professional (TISP) certificate developed by TeleTrusT e. V.

Benefits of a CISSP certificate

The Certified Information Systems Security Professional examination is a knowledge test in the field of information security. It was the first information security certification to be accredited by ANSI under the ISO/IEC 17024:2003 standard, which is intended to give information security professionals an objective assessment of their competence. Quality assurance for the certification includes a mandatory proof of relevant professional experience as well as an obligation to continue training in order to maintain certification status. Besides information security professionals, the exam is of particular interest to those working in IT or in the IT security environment.

Obtaining the CISSP certificate

The certification process consists of several parts. First, an examination covering the ten prescribed areas of knowledge must be passed; it can be prepared for by training or by self-study. Then the actual certification process is initiated: the candidate's professional experience must be confirmed by a third party. Any candidate can be randomly selected for an audit, in which their professional background is examined in more detail. This is to ensure that the candidate has actually acquired and applied the tested knowledge in practice.

Structure of the CISSP exam

The examination is based on the Common Body of Knowledge (CBK), which consists of ten subject areas (domains).

It is a multiple-choice exam: 250 questions from the ten CBK domains must be answered within six hours. The emphasis is on quickly answering questions whose answers should have been learned by an appropriate learning technique; logical derivation and free-text answers are not required. The test covers the broadest possible cross-section of the security spectrum and uses targeted questions to test the breadth of the candidates' knowledge.

The questions follow a fixed scheme. The basic idea of the test is to ask only so-called closed questions: each question must be formulated precisely enough that exactly one of the four given answers is correct. There are essentially only three types of question: choice (recognition), ranking, and approximation (best/worst). These recur again and again and can easily be recognized by keywords.

Since 2005 the exam can also be taken in German. Since the questions very often target definitions and descriptions with a very specific vocabulary and specific keywords, taking the test purely in German is not recommended. Nevertheless, one should currently specify German as the testing language: one then receives a bilingual questionnaire and can use the advantages of both languages.

While the official questionnaires are not public and therefore cannot be used for exam preparation, there are sources on the Internet offering free CISSP quizzes. The questions to be answered there give a good first impression of the depth and quality of the official questions, which are similar. Note, however, that these are not official questions but voluntary contributions from the Internet community, which occasionally leads to wrong model answers in such quizzes, so caution is advised. Still, for a first impression of the upcoming test, such pages are useful.

Recertification

In order to retain the certification, a CISSP must undertake further training activities (CPE = continuing professional education) and collect 120 CPE points within a three-year period. There are a number of different options to choose from. The most CPE points come from teaching activities in the security field (4 points per hour, maximum 80), publishing articles or books (maximum 40 points), self-study (maximum 40 points) and reading security-related books (maximum 30 points). Other training activities are attending vendor training (1 point per hour), attending security conferences (1 point per hour) and university courses in the field of security (11.5 points per course certificate). Involvement in professional politics or in honorary positions is also rewarded: board membership of a professional security association with a maximum of 20 points, and volunteer work for (ISC)² at their discretion.

Code of Ethics

Each CISSP must agree to comply with certain ethical principles. If a CISSP does not act according to these principles, he may at any time be reported to (ISC)² by another CISSP. This can result in a formal audit, which can lead to the revocation of the certificate and to exclusion from (ISC)².

The code has the following provisions:

  • Protect society, the commonwealth, and the infrastructure.
  • Act honorably, honestly, fairly, responsibly and in accordance with the law.
  • Work conscientiously and competently.
  • Advance and protect the profession.

Further development: Concentrations

As a further development opportunity, certified CISSPs have three Concentrations to choose from, each of which represents a specialization and in-depth knowledge in a particular direction.

  • Information Systems Security Architecture Professional (ISSAP), specializing in security architectures
  • Information Systems Security Engineering Professional (ISSEP), specializing in secure software development
  • Information Systems Security Management Professional (ISSMP), specializing in information security management

CBK domains for CISSP exam

The CBK domains comprise a collection of topics from the field of information security, divided into 10 subject areas.

Access Control - Domain 1

In this subject area (domain), the basic mechanisms of access control are discussed first of all.

Security Models

Rules and structures that decide on an access are called security models. They regulate the relationship between subjects, objects and operations. In particular, the models described below and their function can be asked about in the exam.

First, some basic models are distinguished whose concepts have to some extent found their way into the derived models. The aim of the state machine model is a secure system state at all times; for this, the model works with clearly defined states. The information flow model is characterized mainly by the information flows taking place between the levels of multilevel models. Another basic model, the Goguen-Meseguer model or non-interference model, has as its goal the prevention of inferences between the levels.

The Clark-Wilson model aims to ensure integrity and pursues all three integrity goals: unauthorized modifications by unauthorized users, unauthorized modifications by authorized users, and loss of internal and external consistency are all prevented.

In the multilevel, state-based Bell-LaPadula model, confidentiality is assured. Its two rules for subjects between the levels are "no read up" and "no write down". The likewise multilevel Biba model pursues the first integrity goal, preventing unauthorized modifications by unauthorized users. Its two rules for subjects between the levels are "no write up" and "no read down".

The Brewer-Nash model or Chinese Wall model adapts a user's access rights dynamically and activity-oriented in order to avoid possible conflicts of interest.

The relational Graham-Denning model provides a basic set of commands for operations between subjects and objects and, like the Harrison-Ruzzo-Ullman model specialized in rights changes and the creation and deletion of subjects and objects, thus pursues a practical approach.

Access control models

Access control models are closely related to the security models. Here the access of subjects to objects is the center of attention. They serve to implement the rules and goals of a general security policy.

The three main access control models for the CISSP exam are the open, the closed and the role-based models.

Open access control models or Discretionary Access Control (DAC) models leave the type and extent of access control to the owner of the objects. This is usually done using Access Control Lists (ACLs), in which rights are granted on a need-to-know basis.

Closed access control models or Mandatory Access Control (MAC) models, however, take the access control decision away from the subject. Each object carries a security label, with the help of which access is controlled. If a subject does not have the necessary clearance, it cannot access the object.

Role-based models or Role Based Access Control (RBAC) models make the access decision with reference to specific roles or group memberships. Subjects are classified into this system of roles and obtain their rights from it: an assigned subject inherits the rights of its role or group.

DAC, MAC and RBAC models can be used together and combined into an overall system. They are implemented by physical, administrative, logical and data-based access controls.
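To make the three models and their combination concrete, here is an added example (not code from the article or from any real product): a small reference monitor in which the object owner grants ACL entries (DAC), roles carry permissions and senior roles inherit from junior ones (RBAC), and a clearance-versus-classification gate that the subject cannot influence (MAC) is applied before either of the other two. The object name, users, roles and clearance levels are constructed for illustration; the combination rule "MAC must pass, then DAC or RBAC must grant" is one reasonable policy, not the only one.

```python
from dataclasses import dataclass, field


@dataclass
class Obj:
    """A protected object with its owner, MAC classification and DAC ACL."""
    name: str
    owner: str
    classification: int                       # MAC label: 0 = public ... 3 = top secret
    acl: dict = field(default_factory=dict)   # DAC: principal -> set of rights


class AccessControlSystem:
    def __init__(self):
        self.objects = {}        # name -> Obj
        self.clearance = {}      # MAC:  subject -> clearance level (int)
        self.role_perms = {}     # RBAC: role -> {(object name, right)}
        self.role_members = {}   # RBAC: subject -> {role}
        self.role_inherits = {}  # RBAC: senior role -> {junior roles it inherits from}

    # --- DAC: only the owner decides who else may access the object ---
    def dac_grant(self, grantor, obj_name, principal, rights):
        obj = self.objects[obj_name]
        if grantor != obj.owner:
            raise PermissionError(f"{grantor} does not own {obj_name}")
        obj.acl.setdefault(principal, set()).update(rights)

    def dac_allows(self, subject, obj_name, right):
        obj = self.objects[obj_name]
        return subject == obj.owner or right in obj.acl.get(subject, set())

    # --- RBAC: rights come from roles; a senior role inherits junior permissions ---
    def effective_roles(self, subject):
        roles, todo = set(), list(self.role_members.get(subject, ()))
        while todo:                      # transitive closure over the role hierarchy
            r = todo.pop()
            if r not in roles:
                roles.add(r)
                todo.extend(self.role_inherits.get(r, ()))
        return roles

    def rbac_allows(self, subject, obj_name, right):
        return any((obj_name, right) in self.role_perms.get(r, set())
                   for r in self.effective_roles(subject))

    # --- MAC: the label on the object, not the owner's wishes, gates access ---
    def mac_allows(self, subject, obj_name):
        return self.clearance.get(subject, 0) >= self.objects[obj_name].classification

    # --- combined policy: MAC is mandatory, then DAC or RBAC must additionally grant ---
    def allows(self, subject, obj_name, right):
        return self.mac_allows(subject, obj_name) and (
            self.dac_allows(subject, obj_name, right)
            or self.rbac_allows(subject, obj_name, right))


def build_demo():
    """Constructed sample configuration (hypothetical users and object, not real data)."""
    acs = AccessControlSystem()
    acs.objects["payroll.xlsx"] = Obj("payroll.xlsx", owner="alice", classification=2)
    acs.clearance.update({"alice": 3, "bob": 2, "carol": 1, "dave": 3})
    acs.role_perms["auditor"] = {("payroll.xlsx", "read")}
    acs.role_inherits["audit_lead"] = {"auditor"}      # audit_lead is senior to auditor
    acs.role_members["carol"] = {"auditor"}
    acs.role_members["dave"] = {"audit_lead"}
    acs.dac_grant("alice", "payroll.xlsx", "bob", {"read"})   # owner grants read to bob
    return acs


if __name__ == "__main__":
    acs = build_demo()
    for who, right in [("bob", "read"), ("bob", "write"), ("carol", "read"), ("dave", "read")]:
        print(f"{who:6} {right:5} -> {'allow' if acs.allows(who, 'payroll.xlsx', right) else 'deny'}")
```

The interesting case is `carol`: her role grants her read on the payroll file, but her clearance is below its classification, so the mandatory layer denies the access regardless of what the owner or the role administrator decided. `dave` never appears in the ACL and is not directly an `auditor`, yet is allowed through the role hierarchy, which is exactly the inheritance the text describes.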

Practical Access Control

An important category is biometric access controls. Variants relevant to the CISSP exam are the already more established methods using fingerprints and retina and iris scanners, but more specific techniques such as face recognition, hand geometry, keystroke dynamics on keyboards or individual speaker recognition also play a role.

For authentication via tokens, memory cards and smart cards are considered in more detail.

Furthermore, the operation, advantages and disadvantages of ticket-based access controls such as one-time passwords, or of single sign-on solutions such as Kerberos or the Secure European System for Applications in a Multi-vendor Environment (SESAME), can be asked about.

Among the techniques of centralized access control management, the three technologies RADIUS, TACACS and Diameter are primarily of interest. RADIUS is an authentication protocol for access control over dial-up connections, used mainly by Internet Service Providers. TACACS provides similar functionality to RADIUS but offers more extensive security due to a higher level of encryption. RADIUS and TACACS, however, cannot be used to authenticate every kind of device, since the usable protocols are limited. The Diameter protocol provides this added flexibility.

Other topics

In addition to the topics mentioned above, domain 1 contains many other security issues. As an organizational security measure, the four-eyes principle or separation of duties is introduced. This measure is suitable for complementing and reinforcing other measures.

The secure design of passwords and passphrases and the safe handling of personal IDs relate to the topic of identification and authentication techniques.

Extensive knowledge about verifying access control measures is queried. This includes knowledge of intrusion detection systems (IDS) as well as the safe and legally acceptable operation of special traps for attackers: the so-called honeypots.

Under the heading of penetration testing, knowledge of different attack types is checked. These range from techniques for exploiting as yet unpatched programming errors (zero-day exploits) to faking websites by exchanging the web page address (DNS spoofing). In particular, the risks and technical requirements of man-in-the-middle attacks are considered: attacks in which the attacker inserts themselves unnoticed between the victim and the system the victim wants to use.

The topic is supplemented by questions about dictionary attacks and brute-force methods against passwords. In dictionary attacks, word lists are tried as passwords with software support; in the brute-force method, this idea is extended to all possible passwords. For the exam it is important to place these attack methods in the context of security measures.

Attacks whose aim is to affect the availability of systems are called denial-of-service (DoS) attacks. The CISSP must have knowledge about the different types of DoS attacks, including, for example, the Smurf attack.

Information Security and Risk Management - Domain 5

For the CISSP exam, basics such as the CIA triad can be queried. This slogan summarizes the terms confidentiality, integrity and availability. Integrity means protection against loss and protection against deliberate change. Further requirements are the traceability of system operations and privacy.

A large part of the exam deals with questions about the management view of information systems. This includes the topics of risk management, security analysis and security management. In contrast to other approaches, the CISSP exam here focuses on the security of information systems, which, depending on the definition of the terms, goes beyond pure information security. In the management part, the CISSP exam is also concerned with techniques of change and configuration management.

Models for the classification of information in public administration (including the military) and in the private sector are queried. Furthermore, personnel measures are important: job rotation is introduced in the CISSP as part of corruption prevention. Security measures also include job descriptions and the design of confidentiality agreements within the audit scope. To increase the acceptance of security measures, the possibilities of security awareness programs are highlighted.

The CISSP CBK requires extensive knowledge of industry standards in the areas of information security and IT security. Most important are the standards of the ISO/IEC 27000 series, ITSEC, Common Criteria, COBIT and TCSEC, which illuminate the issue of security from different angles. A certified CISSP must be able to select the correct standard for a given situation.

Telecommunications and Network Security - Domain 10

  • ISO/OSI model

Physical characteristics

  • Fiber optic cable
  • Twisted-pair cable

Network layouts

Routers and Firewalls

  • Bridge (network)
  • Gateway (computer)
  • Hub (network)
  • Switch (computer technology)
  • Firewall
  • Proxy

Protocols

Services

Security-related techniques

  • Virtual Private Network (VPN)
  • Network Address Translation (NAT)
  • Remote Authentication Dial-In User Service (RADIUS)
  • TACACS
  • S-RPC
  • Packet Sniffer
  • Cyclic Redundancy Check (CRC)
  • Frame Check Sequence

Other topics

  • Computer worm
  • Instant Messaging
  • Sniffing
  • Spamming

More domains

One domain summarizes software-based security measures, software development and especially the software life cycle.

Starting from a Business Impact Analysis (BIA), domain 3 queries strategies for response and recovery measures. This includes in particular measures for Business Continuity Management (BCM) and the Disaster Recovery Plan (DRP).

Cryptology is divided into the two main areas of cryptography and cryptanalysis (a literal translation as "cryptography" alone would be an impermissible thematic restriction). This domain treats important concepts such as Public Key Infrastructure (PKI) as well as common algorithms and their weaknesses.

In domain 6 in particular, the legal differences to Europe become apparent. German law plays no role whatsoever in the exam; particularly in the area of the Federal Data Protection Act (BDSG), the differences are considerable. U.S. law forms the basis. Other countries are discussed only in passing and are queried only in the context of cross-border data transfer, not in detail.

In this section, mainly topics from the field of IT management come to bear. Media management, backup strategies and change management are checked in domain 7.

Physical security is often not recognized as a field of information security. For the CISSP exam, fire protection and site security are important issues.

Domain 9 deals with Trusted Systems and Trusted Computing. Other topics include system and enterprise architecture.
