Professional Certification - tabpi

Professional Certification 

Certifi 

INSIDE… 

76 Candidate Comments 

82 Frustrating Questions 

85 Briney’s Stack O’ Reading

able 

A newly minted CISSP gives you the 

inside scoop on infosecurity’s most 

coveted—and controversial—certification. 

by ANDREW BRINEY 

Ijust took the CISSP exam, and I’m here to testify: Everything 

you’ve heard about it is true. It’s both disarmingly easy and bewilderingly 

difficult. It’s both legitimately challenging and totally 

unfair. It’s both incredibly rewarding and pull-out-your-hair-andscream-to-the-heavens 

aggravating. It’s a mystery wrapped in riddle 

inside an enigma. 

And here’s the punch line: The exam is a metaphor for the CISSP 

credential itself. The CISSP is the undisputed heavyweight champion 

of infosec certifications, the gold standard, the pièce de résistance. Yet 

it’s routinely ridiculed as a “paper certification,” lacking depth or practical 

application. Even those who proudly use it like a third name— 

“Hi, I’d like to order a pizza; name’s John Doe, CISSP”—privately 

acknowledge that the cert isn’t all that it’s cracked up to be. 

Did I pass? Yeah, I passed. And oh, what a relief. After I finished, I 

had absolutely no idea how I did. OK, everybody says that, but for some 

reason I thought I’d be different. I walked out with this feeling like I’d 

simultaneously way overprepared and yet…somehow…failed anyway. 

I still haven’t decided if that’s a good thing. It’s all part of the general 

weirdness surrounding this exam and certification. 

photographs by DANA SMITH/BLACK STAR 

www.infosecuritymag.com 73


10 FAQs RE:CISSP 

1. What is the CISSP?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 

2. What are the requirements for obtaining a CISSP? . . . . . . . 74 

3. Why get a CISSP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 

4. What’s the exam like? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 

5. What subjects does the exam cover?. . . . . . . . . . . . . . . . . . . 76 

6. How hard is the exam? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 

7. What should I study? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 

8. Do I need to take one of the CISSP exam-cram classes?. . . 84 

9. What other security certifications are available? 

And which one is “best” for me? . . . . . . . . . . . . . . . . . . . . . . 86 

10. Does the CISSP deserve its reputation? . . . . . . . . . . . . . . . . 88 

74 Information Security June 2003 

This article is an attempt to explore, expose 

and possibly resolve some of these issues. Over 

the past eight months, I took the “full immersion” 

route to preparing for the CISSP exam. I 

read a half-dozen CISSP prep books, including 

two 1,000-page tomes. I attended two week-long 

exam cram classes, including one offered by the 

(ISC) 2 Institute. I completed thousands of sample 

test questions from a variety of print and online 

sources. And I interviewed dozens of current and 

would-be CISSPs about the exam and credential. 

For comparative purposes, I also studied for and 

obtained another IT security certification—the 

TICSA. 

What I learned along the way should help the 

thousands of would-be test-takers gear up for this 

exam. Perhaps more importantly, the process has 

taught me a little about what’s right and wrong 

about the CISSP—both the exam and the certification 

itself. 

1. What is the CISSP? 

CISSP stands for Certified Information Systems 

Security Professional. The credential was created 

in 1991 by the International Information Systems 

Security Certification Consortium (ISC) 2 (www.isc2. 

org), a nonprofit organization that is the sole caretaker 

and credentialing body for the CISSP. 

(ISC) 2 is very specific about the purpose and 

scope of the CISSP. It’s not intended to certify 

hands-on expertise in any infosecurity technology. 

Nor does it certify practical expertise in any 

one of the 10 domains covered under its Common 

Body of Knowledge (or CBK—more on this later). 

In fact, it doesn’t certify expertise in anything, 

other than, perhaps, mastering the material in 

the CBK. 

(ISC) 2 officials are quite vocal about this focus— 

in part, one assumes, to deflect criticism of the 

CISSP. “Its ultimate purpose is to be able to provide 

an independent benchmark of your knowledge 

of the fundamentals of information security,” 

says (ISC) 2 president Jim Duffy. “It proves minimal 

competency. CISSPs do not walk on water, 

but they certainly do understand the information 

security profession.” 

One of the things that gives the certification 

weight in the industry is the sheer size of the 

CISSP community. We’re definitely not talking 

Augusta National here. By the time you read this, 

nearly 20,000 people will hold a CISSP. By the 

end of 2003, that number will climb to 25,000. 

That’s up from just 6,900 in 2001. 

The jury’s out on whether this growth enhances 

or detracts from the credibility of the certification 

and those who hold it. Some say it reinforces 

the CISSP’s image as infosec’s de facto credential. 

Others say it only proves that the exam and certification 

process aren’t stringent enough. 

Either way, the CISSP has become its own selfpromoting 

marketing vehicle. Perception is reality. 

The more people who obtain it, the wider 

exposure it gets. The wider the exposure, the 

stronger the perception that you’ve gotta have 

it. Run through this cycle a few times, and it’s 

not surprising that even those who ridicule the 

CISSP are now lining up to get one. 

2. What are the requirements 

for obtaining a CISSP? 

There are basically three steps. I won’t dwell 

on these, since they’re explained in detail on the 

(ISC) 2 Web site and elsewhere. 

First, you have to apply for certification. To 

qualify, you have to have at least four years of professional 

experience across the 10 CBK domains. 

Alternatively, you must have three years experience 

plus a college degree. You also have to agree 

to the (ISC) 2 Code of Ethics and provide background 

information on things like felony convictions 

and involvement with “hackers.” 

The second step is to pass the exam, which 

costs $450 a sitting. If you fail the first time, you 

can retake it as soon (and often) as you want, 

though you have to pay $450 each time. 

Third, if you pass, you’re required to obtain 

written endorsement from someone who is “familiar 

with your professional experience,” preferably 

another CISSP. 

The certification is valid for three years, during 

which time you have to accumulate 120 continuing 

professional education (CPE) units through 

activities such as serving on industry boards, delivering 

presentations or publishing security articles 

or books.

3. Why get a CISSP? 

Most current and would-be CISSPs say the primary 

reason they want a CISSP is to increase their 

marketability. “The reason I put the effort into 

getting the certification in the first place was to 

advance my career,” says Brian Taylor, a network 

analyst with New England Research Institutes 

(NERI). “The job postings out there frequently require 

or mention the certification as an advantage.” 

Other motivations include filling in knowledge 

gaps, earning peer recognition, expanding one’s 

professional network and contributing to the development 

and maturation of the profession. 

“It’s worth the effort if it keeps one marketable 

in a down-turned economy,” says George Johnson, 

a software engineer at EMC. “As for my current 

job, I’m not sure that it matters a great deal or 

means anything to my immediate line of management 

in the short term, but there is another 

process at work that is raising the security awareness 

of management.” 

One benefit of CISSP certification—for me, the 

largest benefit—is that in preparing for the exam, 

you’re going to learn a lot about subjects you 

didn’t know about before, and probably 

wouldn’t have an excuse or occasion to 

learn about otherwise. I’ve always wanted 

to learn about how Kerberos works under 

the hood, but it wasn’t until I started studying 

for the CISSP that I was compelled to 

do so. The same thing applies to hundreds 

of subjects covered in the CBK. 

Sure, some of this material is boring and 

impractical. But if you’re genuinely interested 

in information security, studying for 

the CISSP exam will give you a very strong 

knowledgebase. The exam covers maybe 

1 percent of what you study. But no matter 

what you think about the exam or the credential 

itself, the important thing is that 

you’ve learned the material anyway—provided 

you’ve done your homework, of 

course. And that, I think, is what sets the 

CISSP apart from other security certifications. 

You’re simply not going to get as 

broad an overview of all-things security 

from other certifications. 

4. What’s the exam like? 

The exam is 250 multiple-choice questions. 

Only 225 of these questions are used 

in computing your score; the other 25 are 

“experimental” questions that (ISC) 2 might 

use as actual questions on future tests. 

However, you won’t know which 25 are 

experimental, so give your best effort on 

all 250. Also, don’t leave any questions 

blank; there’s no penalty for guessing. 

The questions are weighted differently, adding 

up to 1,000 points. To pass, you have to get 700 

out of 1,000. Approximately 70 percent of candidates 

pass on their first try. 

(ISC) 2 reveals your numerical score only if you 

fail the exam. Candidates who pass the exam 

aren’t told their scores for two reasons, says Lee 

Schroeder, president of Schroeder Measurement 

Technologies, the CISSP exam contractor. 

“The primary reason is that we don’t intend 

this exam to be used to differentiate between 

passing candidates for things such as hiring or 

promotion,” he says. “We don’t want to facilitate 

a setting where an employer is looking at two 

CISSPs, and uses their scores to differentiate 

between them.” 

The other reason, Schroeder says, has to do 

with the exam’s scoring system, a complex mathematical 

model called “item response theory.” 

Questions are constantly cycled in and out of the 

CISSP exam, creating different exam forms. The 

objective with each form is to create a consistent 

range of difficulty. But since no two forms have 

exactly the same difficulty level, the number of 



questions constituting a passing score varies from 

test to test. 

It’s a valid scoring system, but one in which two 

candidates with the exact same scaled score (say, 

750 points) may have answered a different number 

of questions correctly. Rather than try to explain 

all this to successful candidates, (ISC) 2 opts 

to simply reveal that they “passed.” 

5. What subjects does the exam cover? 

Before I tell you about the exam, I’ll tell you what 

I can’t tell you. Before you sit for the exam, you 

have to agree not to discuss the exam’s content or 

questions with anyone during or after the test. By 

breaking the seal on the exam booklet, you agree 

to abide by these rules. 

So, while I can’t tell you about the exam content 

“I attended [the Intense School boot 

camp] class and studied for two hours 

before the test. I didn’t study outside 

of class or take any of the practice tests. 

I did take almost six hours to complete 

the test, as I considered each question 

in the context of my own career of 15 

years in computer security.” 

–RANDY CROLLEY, Senior Computer 

Security Engineer, Department of 

Energy’s Savannah River Site 

“ ” 

CANDIDATE COMMENTS 

“I came out of the exam feeling 

like I had underprepared. I was 

fairly confident that I had 

passed, but not confident 

enough to tell people I 

passed. I knew that if I failed 

it would be very close. 

“I felt and continue to feel 

that the worst enemy you 

can have in that exam is to over-think the questions. The 

(ISC) 2 [boot camp] class was very good at making you get 

in the mind-set of thinking in a manner that would allow 

you know what (ISC) 2 was looking for.” 

–DAVE DRAPER, Director of Engineering Services, GeoTrust 

Here’s what other recent CISSP 

candidates had to say about the exam, 

their study plan and the certification itself. 

“Here are some tips when taking the 

exam. First, don’t jump ahead. The test 

seems to have a lot of double negatives, 

so it’s critical to read the whole question 

before answering. I brought a magnifying 

ruler to the exam. I used it to force 

myself to read line by line. It helped immensely. 

Second, if I knew the answer 

with 90 percent certainty, I chose the 

answer and never looked back. Third, if 

I didn’t with 90 percent certainty know 

the answer, I circled the test question 

in the booklet and moved on. Fourth, 

I went back through the circled test 

questions and eliminated 

answers I knew with 90 

percent certainty were 

wrong. Fifth, I worked the 

unanswered questions one 

at a time and then erased 

the circle around the 

question once I had answered. Sixth—when all else failed— 

I guessed! One last thing: Save enough time to transfer 

the answers from the work booklets to the answer sheet. 

It takes about 30 minutes.” 

–TOM MADDEN, CISO, Centers for Disease Control 

“The CISSP certification is widely recognized as being the 

security certification to have. [The exam is] more difficult 

than the Microsoft certifications.” 

–DAVID BURNS, British Petroleum 

“It reminded me of taking a Navy promotion exam—the 

same format, but an additional 100 questions. Because I 

don’t use most of the information in daily [activities], the 

depth of the exam questions took me by surprise. I was 

confused by some of the questions.” 

–LT. GEORGE KONEN, Naval War College 

“A lot of the questions were kind of misleading. And a 

lot were just plain common sense. I felt you either knew 

the answer or you didn’t. The exam should only take 

three hours at the max.” 

–JOHN MILLS 


“Looking back, [the exam] seemed easy. I only did CCCure 

tests for a few days after [the (ISC) 2 exam-cram] course. 

Got a passing grade on most of them (“hard” level, not 

“pro” level). So that gave me confidence as well. I never 

opened the two books I bought. I thought the (ISC) 2 class 

should have put more emphasis on crypto and access 

control.” 

–VENKAT PERUMAL, CFO, AGCS Inc. 

“I could have studied until I was blue in the face. However, 

nothing could have prepared me for this examination. I 

would say that [number omitted] of the questions don’t 

require too much guesswork, [number omitted] are good 

for interpretation, and the last [number omitted], you 

should bring a coin and flip it.” 

—VINCENT JETTE, 

Senior Network Engineer, BIC International 

photograph by CREATAS/PICTUREQUEST


itself, I can tell you about the scope and 

type of content, at least in general terms. 

This may not seem like much, but the 

CISSP test is like no other I’ve ever 

taken, at any level. Simply knowing what 

types of questions to expect when you 

walk in that room will definitely give you 

a leg up. 

The company line is that the CISSP 

exam tests the candidate’s knowledge of 

subjects covered in the 10 CBK domains. 

Dozens of books and online resources 

dive into these domains in great detail, 

so I’ll merely list them here: 

• Access Control Systems and 

Methodology 

• Application and Systems 

Development Security 

• Business Continuity and 

Disaster Recovery Planning 

• Cryptography 

• Law, Investigations and Ethics 

• Operations Security 

• Physical Security 

• Security Architecture and Models 

• Security Management Practices 

• Telecommunications and 

Networking Security 

Some of these domains cover a lot 

more material (and in greater depth) 

than others. For instance, Telecommunications/Network 

Security and Cryptography 

are both huge domains, while 

Physical Security and Law, Investigations 

and Ethics are comparatively small. 

The quantity of topics and depth of 

detail can be deceiving. Many candidates 

score poorly on the Physical Security and 

Law sections because they overprepare 

on the big domains and underprepare 

on the small ones. It’s unlikely that the 

exam will present you with an equal distribution 

of questions across all 10 domains. 

But even if I could tell you which 

domains were hit hardest on my exam, 

it wouldn’t matter, because the exam 

constantly changes. The only safe bet is 

to study each domain thoroughly, and 

don’t be surprised when the exam seems 

weighted toward a handful of domains or 

subjects. 

Another common mistake is to adopt 

a single, uniform approach to learning 

the material. The domains are very different, 

requiring different learning techniques. 

Let me explain what I mean. 

In some domains—for example, Crypto, 

Architectures/Models and Telcom/ 

Networking—the topics are fact-oriented 

and black and white. You either know 

the bit size of an MD5 message digest or 

you don’t; you either know what Bell- 

LaPadula’s star-property rule is or you 

don’t; you either know what OSI layer 

IPSec operates at or you don’t. Learning 

this material requires a lot of rote memorization. 

You may know some of this 

material from your daily work, but you 

won’t know most of it. 

While memorizing a bunch of facts 

and details is an effective strategy for 

some domains, it won’t work as well for 

others, such as Security Management, 

BC/DR, Physical Security or Law/Ethics. 

The material in these sections is more 

contextual and interpretative, focusing 

more on standards, principles or best 

practices. Here, you should focus on the 

application of the facts, not the facts 

themselves. 

For example, there are eight steps to 

perform in a business impact analysis. 

The exam is unlikely to ask you to identify 

what happens in a particular step— 

that much is intuitive. Rather, it would 

ask you to identify the appropriate order 

of the steps, or to determine the most 

or least important step within a given 

scenario. 

These are oversimplified examples, 

and, of course, each domain contains a 

mix of factual and interpretive material. 

The point is that the CISSP exam has 

a way of exposing flaws in your study 

habits. If you haven’t memorized enough 

in the “black and white” domains—or if 

you can’t apply your knowledge in others—you 

might struggle on the exam. 

6. How hard is the exam? 

This is probably the most frequently 

asked question about the CISSP exam. 

It’s also the hardest to answer. 

The exam is best characterized as an 

“inch deep and a mile wide.” Whether 

this makes it easy or difficult is a matter 

of perspective. 

On the one hand, the exam is easy 

because it’s multiple choice, with four 

possible answers per question. Out of 

the 250 questions, the slight majority are 

fact-oriented questions. (I’m prohibited 

from revealing the approximate number 

of questions, and I probably wouldn’t 

anyway, since the distribution of question 

78 Information Security June 2003


types changes constantly). These questions are 

straightforward, well-written questions with clearly 

delineated answers. If you do your homework, 

you’ll answer most of these questions without any 

problem. 

Another large chunk of questions are straightforward 

interpretive questions. They set up a scenario 

in which you have to determine the best 

course of action. Again, the answers are usually 

clear if you’ve studied. 

One of the things that makes some of the questions 

easy (or at least straightforward) is that the 

exam is almost totally devoid of platform-, deviceor 

application-specific material. For example, you 

won’t be asked to create a Group Policy Object in 

Win2K Active Directory, convert Unix file permissions 

from alpha to octal characters or create 

FireWall-1 ACLs. You might be tested on the difference 

between block and stream ciphers, or between 

asymmetric and symmetric encryption, but 

you won’t be required to analyze algorithms or 

perform mathematical computations of any sort. 

You might be asked to explain the difference between 

code assemblers, compilers and interpreters, 

but you won’t be asked to assemble, compile or 

interpret code. 

The remaining questions are difficult, but for 

different reasons. Half of these are legitimate 

questions about obscure facts, or legitimate interpretative 

questions where the answer just isn’t 

clear. These are good, tough questions. You just 

have to know the answer or be able to dope it out. 

However, there’s a chunk of questions that are 

difficult for all the wrong reasons. They’re poorly 

worded, misleading or simply evasive (see “Frustrating 

Questions,” p. 82). Evasive: that’s the word that 

first came to mind when I walked out of the exam. 

It just seems like these questions serve no purpose 

other than to confuse and frustrate you. 

It’s because of these questions that you won’t 

have an intuitive sense if you passed the exam. 

And it’s because of these questions that the CISSP 

exam often gets a bad rap. Even though these 

questions comprise a comparatively small part of 

the exam, they’re the ones that stick in your craw 

as you walk out the door. 

“I felt the questions themselves were short and 

CONTINUED ON PAGE 82 



Frustrating Questions 

Anybody who says the CISSP exam is easy isn’t telling the whole story. 

There are plenty of difficult questions—some legitimate, some goofy. 

When taking the CISSP exam, expect to 

encounter at least a couple dozen questions 

that will frustrate the hell out of you. (ISC) 2 

exam designers claim these (and all) questions 

are psychometrically valid. Annoying or not, they’re 

a useful mechanism for separating qualified candidates 

(infosecurity professionals who have mastered the CBK to 

an acceptable level) from unqualified professionals (those 

without mastery of the material who are simply good at 

taking multiple-choice exams). 

Whether you buy this line of reasoning or not, these 

questions will drive you nuts if you’re not expecting them. 

For discussion purposes, I’ve divided these questions into 

four categories, comprising both the “factual” and “interpretive” 

question types. With each of these categories, I’ll 

try to explain what makes the question difficult, and offer 

an example. These examples may be a bit exaggerated to 

illustrate a point. That said, they’re not far from the truth, 

either. 

1. Obscure facts. Several questions require you 

to recall very specific details from the CBK. These are 

absolutely legitimate, fact-oriented questions that don’t 

require a lot of interpretation. The problem is that you 

just don’t know or can’t remember the answer unless you 

happened to study it recently, have hands-on experience 

with it, or have a photographic memory. 

Here’s an example: 

1. Which of the following characterizes the Data Encryption 

Standard (DES) Electronic Code Book (ECB) mode? 

a. “Stream mode” cipher, first ciphertext block is 

XORed with next text block. 

b. “Block mode” cipher, 64-bit plaintext blocks loaded 

sequentially. 

c. “Block mode” cipher, 64-bit data blocks processed 

individually one at a time. 

d. “Stream mode” cipher, keystream is XORed with 

message stream; simulates one-time pad. 

The answer is “C,” but it’s a really hard question because 

it’s very detailed and technical. Moreover, the options 

include both legitimate DES modes that aren’t ECB (answer 

B is cipher block chaining (CBC); answer D is output feedback 

mode (OFB)) and a made-up answer (answer “A” 

also describes CBC, except CBC is a block mode cipher). 

You either know the answer here or you don’t. It’s 

impossible to dope it out if you didn’t study it. 

2. Misleading interpretive questions. A chunk of 

questions ask you to pinpoint the “best” answer or course 

of action given a scenario or context. Granted, by their very 

nature, these questions are very difficult to craft, but the 

CISSP exam seems to have more than its share of doozies. 

Selecting the best answer to these questions is problematic 

because (a) what you would consider “best” isn’t one 

of the options; or (b) you need more context to determine 

what the exam-creators would consider best. Here’s an 

example question that captures both of these problems: 

2. Which of the following is usually considered to be 

the best type of firewall: 

a. Static packet filter 

b. Application-layer proxy 

c. Circuit-level firewall 

d. PC firewall 

Many people would consider a dynamic/stateful-inspection 

firewall to be the “best” general-purpose firewall 

available today. But that’s not one of the answers. So 

you’re left to determine what’s best from the list of four 

“next-best-but-not-really-best” alternatives. 

Compounding the problem, you’re not given any context 

in which to make an educated decision. “Best” under what 

circumstances? What type of access control or traffic filtering 

are you trying to enforce? What type of network or 

hosts is the firewall intended to protect? 

Moreover, the answers are not “equal” in the sense that 


CONTINUED FROM PAGE 80 

easy to read,” says Ty Whitten, a security engineer 

at Guardent Corp. “But I felt sometimes that the 

answers didn’t represent the questions well at all. 

Either the answers were way off base, or I would be 

left with two answers in which both could have 

been correct. I also felt the material I studied was 

way more detailed than the vague questions and 

answers that were on the test.” 

(ISC) 2 officials contend that the CISSP exam 

doesn’t receive an unusual number of complaints 

relative to other certification exams. They point 

to the fact that candidates are encouraged to 

comment on questions when taking the exam— 

comments that are carefully evaluated when examining 

test incongruities and deciding which 

questions should be retired. 

Moreover, (ISC) 2 and its test developers say 

that the degree to which a question is annoying is

they’re not all of the same type or quality. Is this on 

purpose or by accident? Again, you can only guess. 

OK, you probably wouldn’t select “D,” because a 

PC firewall is a specific example of a host application 

filter. The other three options are core technologies, 

not form-factor examples of those technologies. 

Option A, static packet filter, is a “first-generation” 

network-layer firewall that does basic IP address and port 

filtering. It’s probably the widest deployed firewall today, 

so if “best” means “most accepted,” option A would be 

your answer. 

However, if by “best” they mean “most able to filter 

traffic at a granular application header or payload level,” 

then “application-layer proxy” is your answer. But wait: 

Circuit-level firewalls are “better” than static packet filters 

because they filter on Transport layer headers as well as 

IP headers; and they’re “better” than application proxies 

because they can filter on a wider variety of protocols and 

are easier to maintain. But do two “betters” add up to one 

“best”? 

You get the point. You have to determine what “best” 

means before you can select the “best” (er, “next-best”) 

answer. This question is aggravating because it doesn’t test 

your knowledge of firewalls—how they work, how they 

compare, which one’s most applicable to a given scenario—but 

rather your ability to guess how the exam creators 

would define “best.” 

3. Questions where more than one answer is 

correct. In some questions, more than one answer seems 

correct. And, indeed, more than one is correct, depending 

on your perspective. 

3. Which OSI layer(s) does SSL operate at? 

a. Layer 4 

b. Layer 5 

c. Layers 4 and 5 

d. Layers 5 and 7 

Each of these is correct under different scenarios. In preparing 

for the exam, I came across different sources that actually 

gave these answers. Which one is correct? More to the point: 

Which answer would (ISC) 2 consider correct? Guess! 

With questions like these, it’s clearly a matter of interpretation 

and context, and one would hope the CISSP exam 

would steer away from them. Unfortunately, it doesn’t. 

4. Confusing wording in the question itself. 

Perhaps the most frustrating questions on the CISSP exam 

are ones that force you to guess at exactly what the question 

is trying to ask. A sloppily written phrase forces you to 

interpret the meaning of the question—do they mean this, 

or do they mean that?—which in turn affects your interpretation 

of the answers. 

4. Which of the following best describes a “protective 

profile”? 

a. Implementation-dependent statement of security 

needs for a set of general IT products. 

b. Management-level description of resources necessary 

to protect a security domain. 

c. General framework of physical security requirements 

for a data center. 

d. Includes the “Target of Evaluation” description of 

an IT product and its purpose, but not necessarily 

from a security perspective. 

If you studied the Common Criteria security evaluation 

standard, you know that the “protection profile” is an 

implementation-independent statement of security requirements 

within the CC. Ah, but the question says protective 

profile—and what’s worse, it puts the phrase in quotes. 

Is this a simple spelling or usage mistake? Or are the exam 

developers specifically trying to bait you into answering 

the question as though it specifies “protection profile,” 

when in fact they mean something more generic and 

completely unrelated to the Common Criteria? 

It may seem like I’m picking on (ISC) 2 and the exam creators 

by going into this level of detail. But to be forewarned 

is to be forearmed, and no book, study guide or boot camp 

prepared me for these types of questions, and no sample 

test I came across quite captured the essence of these 

questions. Everybody talks about how some CISSP exam 

questions are frustrating. Hopefully, I’ve illustrated why 

they can be frustrating. ◗ 

–ANDREW BRINEY 

of little significance in determining its statistical 

validity. The goal with the exam and exam questions 

is to show an acceptable level of discrimination 

between high-scoring candidates and lowscoring 

candidates. If the cluster of high-scoring 

candidates—those who have adequately mastered 

the CBK—consistently answer a question correctly 

while the low-scoring candidates answer it incorrectly, 

then the degree to which the question is 

subjectively “vague” or “evasive” to either group 

is inconsequential. 

“We want questions such that high-scoring candidates 

tend to get them right, and low-scoring candidates 

tend to get them wrong,” says Lee Schroeder. 

One other thing: the CISSP exam is long—gruelingly 

long, in my opinion. You’re allotted six 

hours to complete it, and most people take at 

least three. It took me about five hours. 




7. What should I study? 

No one book covers everything you need to know 

to prepare for the CISSP exam. There are at least 

three 1,000-page “all-in-one” prep guides out 

there. I’ve read two of these, and as comprehensive 

as they are, neither is sufficient in and of itself. 

On the other hand, you shouldn’t feel compelled 

to dive into everything in (ISC) 2 ’s study 

guide. Accept the fact that you’ll never have 

enough time to study the CBK in depth, nor 

should you attempt to. There’s just too much 

information. 

The first thing you should do is review the 

main topics in each domain. This will reveal your 

strengths and weaknesses. Then, take the plunge 

and buy at least one of the “all-in-one” books (see 

“Briney’s Stack O’ Reading,” opposite). As you read 

each chapter/domain, take the practice exams in 

the book and online. Among other sites, www. 

cccure.org allows you to develop practice quizzes 

targeting specified domains. 

Plan to take at least two full-length practice tests 

before sitting for the exam. However, keep in 

mind that these practice exams are intended to 

test your knowledge and understanding of the 

CBK. None of the practice tests I came across 

adequately prepared me for the “difficult-for-thewrong-reasons” 

questions. 

8. Do I need to take one of 

the CISSP exam-cram classes? 

It’s hard for me to say whether you need to sign up 

for one of these courses. What I can tell you is that 

I took two of them, and they were both very useful. 

The first one I took was Intense School’s sevenday 

1 CISSP Boot Camp (www.intenseschool.com). 

The instructor was Shon Harris, who wrote one of 

the popular all-in-one prep books and developed 

all the materials for the course, including more 

than 1,200 pages of PowerPoint slides, 30-40 practice 

questions per domain and a full-length practice 

exam. 

The Intense School course also provides you 

with a variety of supplemental materials, including 

RFC 2196: The Site Security Handbook, NIST’s 

Guidelines for Network Security Testing, an 

Internet Firewalls FAQ and a half-dozen other 

documents. Having all this stuff in one place saves 

a lot of time. 

The second boot camp was offered by the (ISC) 2 

Institute, the for-profit arm of the nonprofit (ISC) 2 

certification body. If you think that (ISC) 2 ’s ties to 

this course will give you an inside track on the 

exam, think again. By design, the instructors have 

no input into the exam itself, and they’re bound 

by the same restrictions that all CISSPs are: they 

can’t discuss exam content. 

The five-day (ISC) 2 boot camp was team-taught 

by Sandy Sherizen and John Glover, both of whom 

really knew their stuff. They traded off on domains, 

Sherizen focusing on the “soft” domains 

and Glover on the technical ones. This was mostly 

effective, though their different teaching styles 

sometimes clashed. The time devoted to each domain, 

the subjects covered and the depth of discussion 

was very similar to Intense School’s approach. 

However, there wasn’t 100 percent overlap. For 

instance, Intense devoted more time to remote 

authentication than (ISC) 2 , while (ISC) 2 devoted 

more time to wireless security than Intense. 

Intense School’s course materials were marginally 

superior to (ISC) 2 ’s. (ISC) 2 ’s consisted primarily 

of a two spiral-bound notebooks with printed 

reproductions of the PowerPoint slides covered in 

class. While Intense also took this approach, the 

material was backed up by written documentation 

on each page. This helped a lot when I went back to 

review the materials after the course wrapped up. 

After completing each domain, the (ISC) 2 

instructors reviewed 10 practice questions with 

the entire class. I preferred Intense’s approach, 

in which you had the questions in writing and 

answered them at your own pace—just like on the 

exam. (ISC) 2 also offered a practice exam at the 

end of the course, but it was only 100 questions 

long, compared to Intense’s full-length, 250-question 

exam. Then again, the (ISC) 2 class had the 

advantage of using retired questions from the 

actual exam, which to some candidates might be 

a real value-add. 

Exam-cram courses aren’t cheap. Intense’s selling 

price ranges between $2,600 and $2,900, while 

(ISC) 2 ’s list price is $2,400. You get a few more 

frills with Intense’s approach: most costs related to 

hotel and meals are included in the course fee. 

If you’re going to sign up for a boot camp, the 

natural question arises: Should I take it before I 

start studying, or after I’ve already done most of 

my homework? I did it both ways, and would suggest 

these courses work better as a primer, not a 

review. They set out a framework of topics and 

expose holes in your knowledge. Better to have 

plenty of time to fill in those holes before sitting 

for the exam. 

Both courses boast successful pass rates. Including 

myself, 15 out of the 16 people in Intense 

School’s boot camp passed the exam. Of the 11 

students I heard from after the (ISC) 2 class, nine 

passed. The standard pass rate for all CISSP 

candidates is 70 percent. You do the math. 

If you sign up for a five- or seven-day boot 

camp, be prepared for your mental buffer to run- 

1 

The typical Intense School CISSP Training Program is 

seven days, though the course I attended was five days. CONTINUED ON PAGE 86

Briney’s Stack O’ Reading 

No one resource can prepare you for the CISSP. At the same time, there are literally hundreds, perhaps thousands, 

of books and Web sites covering some aspect of the CBK. The goal is to read widely, if not necessarily deeply, 

in each domain. Remember, the exam is a mile-wide and an inch deep. Tailor your study plan accordingly. 

photograph by AMY HIGHT 

BOOKS 

An Amazon search reveals 15 books with 

“CISSP” in the title. There’s even a CISSP for 

Dummies! I read every page of two 1,000-page 

“all-in-one” guides plus a smattering of other 

books and online resources. I also dabbled 

around and skimmed a half-dozen other books. 

All-in-One CISSP Certification 

By Shon Harris (McGraw Hill Osborne, 2002) 

971 pages + CD, $80 

This book is extremely comprehensive, and 

Harris has a knack for explaining complex 

technical topics in layman’s terms without talking 

down to the reader. Harris also teaches an 

exam-cram class for Intense School, and has sat for (and 

passed) the CISSP exam on two separate occasions—both 

of which lend an air of authority to this guide. 

While the text is good, the graphics in this book leave 

something to be desired. Some are too sketchy or generic 

to add anything to the textual discussion. Others are 

clearly space fillers, like the half-page photo of a fire 

extinguisher with the caption, “Portable extinguishers 

are marked indicating what type of fire they should be 

used on.” (Gee, tell me more). 

Each chapter/domain ends with a list of quick tips, 

which were very helpful. Harris also gives you 20-30 

practice questions at the end of each domain, along 

with a CD containing hundreds of additional questions 

(the new edition reportedly contains 1,300 total questions 

with explanations). While the practice questions were 

good, taken together they’re easier than many of the 

actual exam questions, which might give you a false 

sense of security. 

The CISSP Prep Guide (Gold Edition) 

By Ronald Krutz and Russell Vines (Wiley, 2003) 

945 pages + CD, $80 

The Krutz and Vines guide is also excellent. The Gold 

Edition is actually the combination of two other Wiley 

books by the same authors: the original CISSP Prep 

Guide and the Advanced CISSP Prep Guide. The Gold 

Edition also contains updated content based on reader 

suggestions. 

I’m glad I read this book after Harris’s book, because 

the presentation is tighter and more accelerated. 

There’s not as much detail as in Harris’s book, but 

the discussion moves along more quickly. 

The Krutz and Vines book has a lot of practice questions, 

660 in all, in addition to a CD-ROM containing two 

complete practice exams from Boson (see below). 

Most of the sample and bonus questions after each 

domain are about the same level as Harris’s questions— 

in some cases, they’re a little more advanced. 

Also included after each domain/chapter are several 

“advanced sample questions” that the authors claim 

“are at a level commensurate with that of the 

CISSP Examination.” Well, that’s not strictly 

true. They are more difficult than the sample 

and bonus questions, giving you a sense of 

the level of detail to which you need to study. 

However, they don’t capture the way in which 

the CISSP exam’s questions are difficult. 

Some of Krutz and Vines’s advanced questions 

are extremely verbose, which is definitely 

not the style of the CISSP exam. Others ask 

you to do computations or visual analysis— 

again, not the exam’s M.O. 

In any case, the authors provide long 

explanations to each answer, which helps. 

The Total CISSP Exam Prep Book 

By Thomas Peltier and Patrick Howard (Auerbach, 2002) 

286 pages, $60 

The title is misleading, because this is basically a 

book of sample test questions. Each chapter covers 

a domain, and each domain includes 25 practice study 

questions with explained answers. The good thing about 

this book is that it cites the sources from which the questions 

are drawn—down to the page number. This is a real 

bonus if you want to follow up. At the end of the book 

there’s a full-length practice exam, which also comes 

with answer explanations and citations. 

OTHER RESOURCES 

Boson 

www.boson.com/tests/secure.htm 

The Boson Web site offers three practice CISSP exams, 

250 questions each. (Two of these exams are included 

on the Krutz and Vines CD-ROM.) Each exam costs $40. 

Don’t take Boson Exam #1. Exams #2 and #3 have 

decent questions, though many candidates feel that 

CCCure’s are better. 

CCCure 

www.cccure.org 

An indispensable site for CISSP candidates. Contains 

tons of CBK resources and thousands of practice 

questions. The CISSP quiz page lets you specify the number 

of questions you want to take, the level of difficulty 

(from “novice” to “pro”), and the CBK domains you want 

to cover. Best of all, it’s free—all you have to do is register. 

CISSP Cramsessions 

www.cccure.org, click on “Downloads” and go to “ 

CISSP Study Guides” 

One way of identifying weaknesses is to compare 

your study plan to that of other CISSPs. Michael 

Overly’s Cramsession, in particular, is excellent— 

concise yet thorough, hitting on all the high points. ◗ 

–ANDREW BRINEY 



CONTINUED FROM PAGE 84 

neth over. Both courses I took did a good job mixing 

up the material by alternating technical- and 

management-oriented domains, but there’s no 

way to get around the huge volume of information 

you have to absorb. 

While Intense School and (ISC) 2 courses may be 

the most recognized CISSP boot camps, several 

other CISSP classes are available, ranging from 

one to seven days in length. One of these is The 

Training Camp (www.trainingcamp.com), which 

(ISC) 2 recently contracted as a course “reseller.” 

So, to answer the initial question, if you can get 

your boss to pay for a boot camp, and can afford 

the time out of the office, do it! You won’t necessarily 

learn anything different from an equivalent 

course of independent study, but a boot camp will 

give you a lot more confidence that you’re on the 

right track. The instructors can help you grasp 

complex topics, and you can band together with 

fellow students to form study groups. All of these 

things help you get motivated to do your homework—and 

pass the exam. 

9. What other security certifications are 

available? Which one is “best” for me? 

The CISSP may be the most popular security certification, 

but it’s far from the only one. You might 

be surprised to learn that there are at least 45 

information security-related professional certifications, 

according to Certification magazine. Thirty of 

these of these are vendor-neutral, while 15 are 

vendor-specific. 

I won’t attempt to discuss all or even most of 

these. Instead, I’ll discuss the basic categories, 

and suggest which certifications are recognized as 

the “leaders” in each. This ranking is obviously 

subjective, though I think it generally reflects how 

most infosec professionals feel. 

Benchmarks. These certifications are widely 

recognized and respected by professionals on all 

levels and in all sectors in the infosecurity industry. 

What’s more, they’re increasingly a prerequisite 

for many jobs, an indication that they are also 

recognized and respected by non-security managers 

and HR. 

In addition to the CISSP, I’d put ISACA’s 

Certified Information Systems Auditor (CISA) 

and SANS’s GIAC Security Essentials Certification 

(GSEC) in this group. The CISA is the CISSP for 

the IT audit community, plain and simple. The 

GSEC is kind of the “anti-CISSP.” It’s more technical 

in nature and, like most of the 11 GIAC 

certifications, it has gained the respect of the 

techy community that the CISSP lacks. 

“Foundation” certifications. There are at least 

a half-dozen introductory certifications for professionals 

with one to three years of experience. Leading 

certifications in this category include (ISC) 2 ’s 

own Systems Security Certified Professional (SSCP) 

and the CIW Security Professional (CIW-SP). 

Vendor certifications. Many of the leading 

providers in the security space—Cisco, Symantec, 

Check Point, Tivoli and others—offer multiple 

certification levels, from baseline “administrator” 

to more advanced “expert” (some even offer 

“expert plus”). 

On a slightly more generic level is SANS’s vendor-agnostic 

GIAC Certified Firewall Analyst (GC 

FA) and GIAC Certified Intrusion Analyst (GCIA), 

both of which have an excellent reputation. 

Certifications for non-security professionals. 

As the visibility of IT security grows in the enterprise, 

so does the number of non-security professionals 

who have security-related responsibilities. 

Several certification programs have cropped up to 

fulfill this need, including SECURITY+, offered 

by CompTIA; and the TruSecure ICSA Certified 

Security Associate (TICSA). 2 

As I mentioned earlier, I sat for the TICSA exam 

to see how it compared to the CISSP. In a nutshell, 

if the CISSP is “an inch deep and a mile wide,” the 

TICSA is “two feet deep and 100 yards wide.” 

Obviously, the scope and breadth of topics covered 

pale by comparison to the CISSP. Then again, in 

places the TICSA content is actually deeper—more 

technical, more hands-on, more practical. 

(ISC) 2 could take a page from TruSecure’s book 

on question creation and exam delivery. To my 

recollection, few, if any, of the 75 questions on the 

TICSA exam were evasive or vague in the way that 

some CISSP questions are. Also, TruSecure partners 

with Thompson Prometric to deliver the 

exam. You can sit for the exam at any Thompson 

facility (there are 3,500 centers worldwide) whenever 

you want. And the TICSA exam is completely 

computer-based. As soon as I completed the exam, 

I was informed of my score and given a printout 

of how I did in each of 14 TICSA sections. See 

www.trusecure.com/solutions/certifications/ticsa. 

Advanced certifications. Several industry groups 

are jockeying to gain CISSP-like acceptance for 

their “advanced” certifications, which is one of the 

things the industry is sorely missing. In addition 

to the expert-level vendor certifications, advanced 

certs include SANS’s GIAC Security Engineer 

(GSE) and ASIS’s Certified Protection Professional 

(CPP), a CISO-level certification covering human, 

physical and information security. Neither of these 

has achieved anywhere near the level of acceptance 

as the CISSP. 

To its credit, (ISC) 2 has recognized the need for 

more advanced (or targeted) certifications. As of 

May, it offers three certification “concentrations” 

that build upon the CISSP: the Information Sys- 

2 

TruSecure publishes Information Security. 



tems Security Engineering Professional (ISSEP), a 

certification developed in partnership with the 

National Security Agency; the Information Systems 

Security Management Professional (ISSMP), 

which validates advanced security management 

expertise; and the Information Systems Security 

Architecture Professional (ISSAP), which validates 

advanced technical knowledge and expertise. 

10. Does the CISSP 

deserve its reputation? 

There are really two questions here: Does the 

CISSP deserve to be the industry’s gold standard? 

And does the CISSP—and (ISC) 2 —deserve all the 

criticism it gets? 

The CISSP is frequently criticized because it 

doesn’t contain a lot of advanced material. People 

naturally assume that the “gold standard” should 

be the “best” in every way—not only the most popular 

or broadest in scope, but the most advanced 

and selective, too. 

“It’s not a certification that says, ‘I’m a damn 

good information security professional,” says Nan 

Smith, a newly minted CISSP and cyber security 

program manager for the Oak Ridge Institute 

for Science and Education. “To me, a certification 

should guarantee to the employer that you’ve 

made the effort to become good at what you’re 

doing, at what you know. To me, the CISSP doesn’t 

say that. It says, ‘Hey, I figured out what (ISC) 2 

wanted me to answer on the exam.’” 

In some ways, this is a legitimate critique. The 

CISSP is not and never will be equivalent to 

the “gold standard” in other fields—for example, 

the CPA for accountants. To obtain that level of 

respect, the CISSP would have to be sanctioned 

by regulatory and legal bodies, and recognized 

by communities outside of the infosecurity profession. 

But we’re really talking apples and oranges 

here. (ISC) 2 never intended the CISSP to be 

the CPA of infosecurity. Yes, the credential has 

acquired the reputation of pretending to be something 

it’s not. But that’s hardly (ISC) 2 ’s fault; it’s 

certainly not an image that was ever promoted by 

(ISC) 2 . 

Moreover, it’s unrealistic to expect (ISC) 2 to 

change the fundamental makeup of the exam to 

make it more “technical” or “advanced”— 

qualities that, in the minds of its critics, 

would make it truly representative of a 

gold standard. It is what it is. While you can 

alter the requirements and qualifications 

for sitting for the exam (which (ISC) 2 recently 

did), you can’t arbitrarily decide to 

change the basic charter or mission of the 

credential or character of the exam. 

With all this said, however, I think it’s 

fair to criticize the CISSP on two scores. 

First, the exam does have some problems. 

Whether or not the “evasive” questions are 

statistically and psychometrically valid, 

they are evasive. Yes, in the final analysis 

that’s my opinion, but it’s not as though 

I’m alone in feeling this way. 

The second problem is related to the 

first. Thanks in part to the exam, the first 

impression one gets of the CISSP is often 

negative. Whether you pass or not, nobody 

walks out of the test center feeling enthusiastic 

about the experience. It seems that 

the ramifications of this bad image are 

almost totally ignored by (ISC) 2 . 

Can either of these problems be fixed 

without making the test too accessible to 

“test-savvy” candidates who have no business 

holding the CISSP credential? Good 

question. ◗ 

ANDREW BRINEY, CISSP, TICSA 

(abriney@infosecuritymag.com), is 

Information Security’s editor-in-chief.

Professional Certification - tabpi

Create successful ePaper yourself

Delete template?

Save as template?