Five Tips to Help You Prepare for the Updated 2012 CISSP Exam
Abstract
The CISSP exam is scheduled for an update in January 2012. This is the first major update in several years, and it will offer new challenges for those preparing for the exam. This white paper discusses five tips that can help you successfully prepare for the updated exam, including: the 2012 CISSP domain name changes and an in-depth look at each domain; CISSP exam question structure and types; and tips for excelling on the day of the CISSP exam.
Sample
Tip One - Know the New 2012 CISSP Domain Names
One of the things many exam candidates are curious about is how the 2012 version of the CISSP exam will be different from the previous version. While changes can sometimes cause some anxiety, they are needed as technology continues to advance. As an example, consider all the changes in technology over the last several years, from advances in cloud computing to the growth of convergence.
The 2012 domains include:
Access Control
Telecommunications and Network Security
Information Security and Governance and Risk Management
Software Development Security
Cryptography
Security Architecture and Design
Security Operations
Business Continuity and Disaster Recovery Planning
Legal, Regulations, Investigations and Compliance
Physical (Environmental) Security
Three of these domains have updated names that better reflect their current focus. These include: Information Security and Governance and Risk Management, Software Development Security, and Security Operations. Now that you know what the new domain names are, let's examine each domain in greater detail.
Tip Two - Understand Required Knowledge of Each Domain
I will go through each domain and discuss changes to the Common Body of Knowledge (CBK) and important knowledge areas.
Access Control
This domain will continue to focus on authentication, authorization, and accountability; however, there are also some topics that will most likely see additional coverage.
One expanded area is the effectiveness of access control. Access controls are not all created equal. Access control mechanisms, such as passwords, swipe cards, smart cards, USB devices, and biometrics, differ greatly in their ability to provide strong authentication, and you should understand those differences. Candidates should also understand the threats to access control and how to address them.
Access aggregation is another topic you may be tested on. In some organizations, it's possible that employees may continue to gain access as they move from department to department. This can cause real security problems over time.
Another item to understand is threat modeling, which can be described as a method for identifying and assessing the set of possible attack vectors against a system when evaluating its security.
Telecommunications and Network Security
Even before any update, this is already a huge domain. This is the domain that addresses networking protocols, equipment, LAN, WAN, and routing.
It's very possible that new questions will focus on items such as Multiprotocol Label Switching (MPLS). MPLS can encapsulate packets of various WAN protocols, and it directs data from one network node to the next based on short path labels rather than long network addresses.
Do you allow your users to connect personal devices to the corporate network? As networks continue to change, there is an increasing consumerization of IT. This requires an increased focus on endpoint security. Whois.com defines endpoint security as "an approach to network protection that requires each computing device on a corporate network to comply with certain standards before network access is granted."
One final item to watch for in this domain is secure communications. Today's computing environment is filled with threats, from screen scrapers and keyloggers to spyware. A CISSP candidate must understand the ways to provide secure end-to-end communication.
Information Security and Governance and Risk Management
This domain was formerly titled Information Security and Risk Management. The three core elements of security are discussed in this domain. These three elements are summarized by the acronym "CIA," which, simply put, refers to confidentiality, integrity, and availability. These three elements are what a security professional seeks to protect by means of administrative, technical, and physical controls.
This domain will also continue to focus on qualitative and quantitative risk. Knowing the steps to both, the appropriate formulas, and hybrid risk techniques will continue to be important.
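As an added example (not part of the white paper), the quantitative risk formulas the CISSP CBK expects you to know, chained into a cost/benefit decision for a safeguard; the formulas (SLE = AV x EF, ALE = SLE x ARO, safeguard value = ALE before - ALE after - annual cost of safeguard) are standard CBK material not spelled out on this page, and the dollar figures are constructed for illustration.

```c
/* Added example (not from the white paper): standard CISSP quantitative
 * risk formulas with a cost/benefit check for a proposed safeguard.
 * All figures below are constructed for illustration. */
#include <stdio.h>

/* Single Loss Expectancy: Asset Value x Exposure Factor (EF is 0.0 - 1.0). */
double sle(double asset_value, double exposure_factor) {
    return asset_value * exposure_factor;
}

/* Annualized Loss Expectancy: SLE x Annualized Rate of Occurrence. */
double ale(double single_loss, double annual_rate) {
    return single_loss * annual_rate;
}

/* Value of a safeguard to the organization:
 * (ALE before control) - (ALE after control) - (annual cost of control).
 * A positive result means the control is cost-justified. */
double safeguard_value(double ale_before, double ale_after, double annual_cost) {
    return ale_before - ale_after - annual_cost;
}

int main(void) {
    /* Constructed scenario: a $200,000 file server; a fire would destroy
     * half of it (EF 0.5); such a fire is expected once every 10 years (ARO 0.1). */
    double single = sle(200000.0, 0.5);           /* 100,000 */
    double before = ale(single, 0.1);             /* 10,000 per year */
    /* Proposed control: fire suppression reducing EF to 0.1 at $2,500 per year. */
    double after = ale(sle(200000.0, 0.1), 0.1);  /* 2,000 per year */
    double value = safeguard_value(before, after, 2500.0); /* 5,500 */
    printf("SLE=%.0f ALE(before)=%.0f ALE(after)=%.0f safeguard value=%.0f\n",
           single, before, after, value);
    printf("%s\n", value > 0 ? "control is cost-justified" : "control is not cost-justified");
    return 0;
}
```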
You can also look for increased coverage of third-party governance. Just take a moment to consider how cloud computing adds additional concerns for compliance. As an example, CISSP candidates should understand what compliance issues they are responsible for versus those of the cloud service provider. Such issues are of vital importance as hackers will continue to try to clobber the cloud with attacks.
Software Development Security
This domain has not only had a name change from Application Security, but also has updated topics. The CISSP candidate should understand the environment in which the software will be developed, the security controls built into the software, and whether good coding practices are used.
Depending on the programming language used, these concerns can vary. As an example, in C, some C standard library functions can be used inappropriately or in ways that may cause security problems. Some C functions can be exploited because they do not check buffer sizes, including strcat(), sprintf(), vsprintf(), bcopy(), scanf(), and gets().
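As an added example (not code from the white paper), the unbounded-copy defect behind the functions listed above, shown next to a bounded replacement that a code reviewer would expect to see; the greeting function and the sample inputs are constructed for this illustration.

```c
/* Added example (not from the white paper): the unbounded-copy defect the
 * domain warns about, next to a bounded replacement using snprintf(). */
#include <stdio.h>
#include <string.h>

#define GREETING_MAX 32

/* Defective pattern: strcpy() and strcat() copy until the NUL byte and never
 * consult the size of dst, so a name longer than the remaining space
 * overruns the buffer (stack or heap corruption, depending on where dst lives). */
void build_greeting_unsafe(char *dst, const char *name) {
    strcpy(dst, "Hello, ");
    strcat(dst, name);      /* no bound on how much is appended */
}

/* Bounded replacement: snprintf() receives the buffer size, never writes past
 * it, and always NUL-terminates. Its return value is the length it *wanted*
 * to write, so the caller can detect truncation instead of silently using a
 * clipped string. Returns 0 on success, -1 if the output did not fit. */
int build_greeting_safe(char *dst, size_t dst_len, const char *name) {
    int needed = snprintf(dst, dst_len, "Hello, %s", name);
    if (needed < 0 || (size_t)needed >= dst_len) {
        return -1;          /* dst holds a truncated but terminated string */
    }
    return 0;
}

int main(void) {
    char buf[GREETING_MAX];
    /* Constructed inputs: one that fits, one that would overflow 32 bytes. */
    const char *short_name = "Alice";
    const char *long_name = "a-name-that-is-definitely-longer-than-the-buffer";

    if (build_greeting_safe(buf, sizeof buf, short_name) == 0)
        printf("ok: %s\n", buf);
    if (build_greeting_safe(buf, sizeof buf, long_name) != 0)
        printf("rejected: input too long (buffer intact, truncated to \"%s\")\n", buf);
    /* build_greeting_unsafe(buf, long_name) would write past buf here; it is
     * kept only to show the pattern a reviewer should flag, and is not called. */
    return 0;
}
```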