CISSP All-in-One Exam Guide, Sixth Edition

This excerpt provides references for government employees and contractors subject to new requirements, and also new CISSP exam practice questions.

CISSP All-in-One Exam Guide

The following is an excerpt from the book CISSP All-in-One Exam Guide, Sixth Edition by Shon Harris. These two sections from chapter 1 give a brief history of the CISSP exam, and offer advice for those preparing to take the test. 

CISSP: A Brief History

Historically, the field of computer and information security has not been a structured and disciplined profession; rather, the field has lacked many well-defined professional objectives and thus has often been misperceived.

In the mid-1980s, members of the computer security profession recognized that they needed a certification program that would give their profession structure and provide ways for security professionals to demonstrate competence and to present evidence of their qualifications. Establishing such a program would help the credibility of the security profession as a whole and the individuals who comprise it.

In November 1988, the Special Interest Group for Computer Security (SIG-CS) of the Data Processing Management Association (DPMA) brought together several organizations interested in forming a security certification program. They included the Information Systems Security Association (ISSA), the Canadian Information Processing Society (CIPS), the Computer Security Institute (CSI), Idaho State University, and several U.S. and Canadian government agencies. As a voluntary joint effort, these organizations developed the necessary components to offer a full-fledged security certification for interested professionals. (ISC)2 was formed in mid-1989 as a nonprofit corporation to develop a security certification program for information systems security practitioners. The certification was designed to measure professional competence and to help companies in their selection of security professionals and personnel. (ISC)2 was established in North America, but quickly gained international acceptance and now offers testing capabilities all over the world.

Because security is such a broad and diversified field in the technology and business world, the original consortium decided on an information systems security CBK composed of ten domains that pertain to every part of computer, network, business, and information security. In addition, because technology continues to rapidly evolve, staying up-to-date on security trends, technology, and business developments is required to maintain the CISSP certification. The group also developed a Code of Ethics, test specifications, a draft study guide, and the exam itself.

Tips for Taking the CISSP Exam

The exams are monitored by CISSP proctors, if you are taking the Scantron test. They will require that any food or beverage you bring with you be kept on a back table and not at your desk. Proctors may inspect the contents of any and all articles entering the test room. Restroom breaks are usually limited to allowing only one person to leave at a time, so drinking 15 cups of coffee right before the exam might not be the best idea.

You will not be allowed to keep your smartphones and mobile devices with you during the testing process. You may have to leave them at the front of the room and retrieve them when you are finished with the exam. In the past too many people have used these items to cheat on the exam, so precautions are now in place. Many people feel as though the exam questions are tricky. Make sure to read the question and its answers thoroughly instead of reading a few words and immediately assuming you know what the question is asking. Some of the answer choices may have only subtle differences, so be patient and devote time to reading through the question more than once.

As with most tests, it is best to go through the questions and answer those you know immediately; then go back to the ones causing you difficulty. The CISSP exam is not computerized (although (ISC)2 is moving to a computerized model), so you will receive a piece of paper with bubbles to fill in and one of several colored exam booklets containing the questions. If you scribble outside the lines on the answer sheet, the machine that reads your answers may count a correct answer as wrong. I suggest you go through each question and mark the right answer in the booklet with the questions. Repeat this process until you have completed your selections. Then go through the questions again and fill in the bubbles. This approach leads to less erasing and fewer potential problems with the scoring machine. You are allowed to write and scribble on your question exam booklet any way you choose. You will turn it in at the end of your exam with your answer sheet, but only answers on the answer sheet will be counted, so make sure you transfer all your answers to the answer sheet.

Other certification exams may be taking place simultaneously in the same room, such as exams for certification as an SSCP (Systems Security Certified Professional), ISSAP or ISSMP (Architecture and Management concentrations, respectively), or ISSEP (Engineering concentration), which are some of (ISC)2’s other certification exams. These other exams vary in length and duration, so don’t feel rushed if you see others leaving the room early; they may be taking a shorter exam.

When finished, don’t immediately turn in your exam. You have six hours, so don’t squander it just because you might be tired or anxious. Use the time wisely. Take an extra couple of minutes to make sure you answered every question, and that you did not accidentally fill in two bubbles for the same question.

Unfortunately, exam results take some time to be returned. (ISC)2 states it can take up to six weeks to get your results to you, but on average it takes around two weeks to receive your results through e-mail and/or the mail.

If you passed the exam, the results sent to you will not contain your score—you will only know that you passed. Candidates who do not pass the test are always provided with a score, however. Thus, they know exactly which areas to focus more attention on for the next exam. The domains are listed on this notification with a ranking of weakest to strongest. If you do not pass the exam, remember that many smart and talented security professionals didn’t pass on their first try either, chiefly because the test covers such a broad range of topics.

One of the most commonly heard complaints is about the exam itself. The questions are not long-winded, like many Microsoft tests, but at times it is difficult to distinguish between two answers that seem to say the same thing. Although (ISC)2 has been removing the use of negatives, such as “not,” “except for,” and so on, they do still appear on the exam. The scenario-based questions may expect you to understand concepts in more than one domain to properly answer the question.

Another complaint heard about the test is that some questions seem a bit subjective. For example, whereas it might be easy to answer a technical question that asks for the exact mechanism used in Secure Sockets Layer (SSL) that protects against man-in-the-middle attacks, it’s not quite as easy to answer a question that asks whether an eight-foot perimeter fence provides low, medium, or high security. Many questions ask the test taker to choose the “best” approach, which some people find confusing and subjective. These complaints are mentioned here not to criticize (ISC)2 and the test writers, but to help you better prepare for the test. This book covers all the necessary material for the test and contains many questions and self-practice tests. Most of the questions are formatted in such a way as to better prepare you for what you will encounter on the actual test. So, make sure to read all the material in the book, and pay close attention to the questions and their formats. Even if you know the subject well, you may still get some answers wrong—it is just part of learning how to take tests.

Familiarize yourself with industry standards and expand your technical knowledge and methodologies outside the boundaries of what you use today. I cannot stress enough that just because you are the top dog in your particular field, it doesn’t mean you are properly prepared for every domain the exam covers. Take the assessment test in this chapter to gauge where you stand, and be ready to read a lot of material new to you.

About the author:
Shon Harris, CISSP, MCSE, is the president of Logical Security, a security consultant, a former engineer in the Air Force's Information Warfare unit, an instructor and an author. She has authored two best-selling CISSP books, was a contributing author to the book Hacker's Challenge, and a co-author of the book Gray Hat Hacking. Shon was recognized as one of the top 25 women in the Information Security field by Information Security magazine.

This was last published in November 2012