M-209 cipher machine.

CISSP Study Notes

Study Guides for (ISC)2 Certified Information Systems Security Professional

In 2003, a training company I do work for got a contract to run classes for the NSA. The NSA said that all instructors had to have the CISSP certification, even if they were teaching a course on networking protocols or Linux servers.

The training company wouldn't pay for me to get the certification. I would have to study on my own, and pay for the exam. But, the first day of my first one-week course would more than cover that cost.

In 2003, the exam was done with pencil and paper, and happened in places like rented hotel meeting rooms. Now, of course, it's electronic, run in Pearson testing centers.

That NSA contract lasted another three or four years, but I have maintained my certification ever since. You don't want a certification to expire!

In 2018, it became clear that the training company's primary market, the U.S. Government and its major contractors, had largely lost interest in courses teaching people how to do something: design a network, set up servers, and so on. Certification was where the training opportunities were.

So, I started teaching the CISSP course.

How to Understand and Pass the Exam

The exam is not about whether you know how to use any cybersecurity technology. It's not as bad as the CompTIA Security+ certification, where the bizarrely misworded questions make the exam harder if you know the technology. But, knowledge and skill in the technology don't help, either.

The (ISC)2 CISSP exam is largely about whether you are qualified to advise managers about security issues.

Practical Matters

An entry-level exam like CompTIA Security+ is available almost every day at all Pearson-Vue testing centers. That's not the case for CISSP or CCSP.

Instead of the community college, about 5 miles across town, the nearest locations for me were Indianapolis and Chicago, a little over an hour and about two hours driving time away, respectively. And, the CCSP exam was only available in those locations for two days out of every two weeks. Indianapolis offered it only at 8 AM on those days. I traveled to Chicago and stayed overnight in a hostel, then took it at noon.

Then, be patient. I was told "You have provisionally passed" right after finishing the CCSP exam. But ISC2 took almost 10 weeks to send me an email telling me that I had officially passed. And then it took even longer before a certificate arrived in the mail. My certificate, updated membership card, and lapel pin arrived 20.5 weeks after my exam.

Computerized Adaptive Testing (CAT)

Your exam will have between 100 and 150 questions, and you will have 3 hours to finish the exam. 25 of the questions do not count either for or against you, but you do not know which ones those are.

The unscored questions will come as a surprise, and you probably will have little to no idea what the right answers are. (ISC)2 hopes that these will make you uneasy, so you do worse on the exam.

If you are doing well, you will be given more challenging questions that count more toward your final score. On the positive side, you are doing well and you will finish with a passing score sooner. But on the negative side, this makes you feel like you are doing worse. Again, (ISC)2 hopes that this will hurt your performance on the exam.

You have to answer each question in turn. You cannot leave a question unanswered for now, planning to come back and answer it later. Also, once you select an answer, you cannot go back and change it.

(ISC)2 describes the grading as 700 points out of a possible 1000. The way this works is that they first toss out the 25 questions that were planned to not count. Then, for those questions that might count, they do what they call "psychometric analysis".

In plain English, they look at the scores for that one question on the exams of everyone who drew it on their randomly generated exam. If too high or too low a percentage get it right — that is, if it's too easy or too hard — then that question doesn't count, either. I assume that this contributes some to the several-week delay between being told you just "provisionally passed" the exam and getting official word.

It's possible that a provisional pass could turn to actual failure if you were just barely over 70% with some too-easy questions correct. Could a failure turn into a surprise pass if you were just barely under 70% because you miss some too-hard questions? I doubt it, as that would be an act of kindness by (ISC)2.

Material I Used

I sat in on courses for both CISSP and CCSP that used the official (ISC)2 course material. Some companies used to run their own test-prep courses, but (ISC)2 forced them to stop (and, soon after, so did CompTIA). Other companies can teach (ISC)2 courses, but they have to use material they buy from (ISC)2. Each (ISC)2 course included a text that's about 750 pages long.

For CCSP I also purchased three (ISC)2 books from Amazon. As for CISSP, I passed that exam several years before, but I have looked at the corresponding (ISC)2 books.

As usual with these types of books, they're not great. More like the least bad. Technical books don't get the quality editing associated with major fiction and history publishers.

They're from (ISC)2 so they don't contradict what the test has as the correct answer. However, any certification organization wants to keep their tests difficult. There will be topics in the question pool that are unmentioned and unexplained in the books. And, the books will contain topics that aren't in the question pool, because that further overloads your memory. (ISC)2 is better than CompTIA as far as irrelevant clutter goes, but their books still contain irrelevancies.

The course textbooks were OK. They cover all the exam topics, the "Common Body of Knowledge" for each exam. Their irrelevant material is largely in the form of suggestions and encouragement to management. Both the CISSP and CCSP courses include a lot of material that can distract managers into going off on tangents about how to organize and manage projects. On both exams it's important to select answers about the importance of management:

  1. Senior management make the strategic decisions.
  2. Those management decisions are based on business concerns, such as comparing the expected benefit to the cost of a new security measure.
  3. Management must set and enforce policies for security preparations and operations — change management, configuration management, vulnerability scanning, threat analysis, plans for business continuity and disaster recovery, and so on.
  4. As the security professional, you must communicate security information to management in terms they will understand and appreciate.

However, there is nothing in the exams about management theory or practice. (ISC)2 hopes that people with interest or background in management will become distracted. From what I've seen, those discussions of management can be very distracting to many attendees, who can quickly be focused on material not relevant to the exams.

All the (ISC)2 material contains some very clumsy writing. One howler from the CCSP material is:

ISO 27034-1 defines an ONF management process to manage the ONF.

ISC2 books use the words "apply" and "application" in confusing ways while discussing software packages, which are called "applications". And they use the adjective "key" to mean "important" or "crucial" within discussions of cryptography, which uses keys. And, "precompiled" to mean "organized into a list" when talking about software development, confusing us about compilers. These aren't exact quotes, but ISC2 books on CISSP and CCSP contain phrases along these lines:

... apply these measures to application development.

... applications of cryptography in application development projects ...

A key concern with key management is ...

A key issue when establishing a public-key infrastructure is ...

[while discussing software review] This analysis is guided by a set of precompiled security threats.

And then there is all the simply bad writing in ISC2 material:

Ron Rivest, Adi Shamir, and Leonard Adleman developed RSA in 1977, and as you might have surmised, RSA stands for the first letter of its inventors' surnames.

A textbook from a testing organization will add lots of clutter to distract you and waste your time, like the date of invention and the inventors' names. The textbooks are full of fluff like "as you might have surmised", and maybe the authors think it's good writing. Or maybe they want us to think that they have swallowed a thesaurus.

As a means to attenuate possibilities for corruption and theft, the organization can craft an environment where no individual person can complete an entire trusted action.

They use far too many words, saying "certainly can be considered to be" when they should say "is". Or, "can be compiled into the following list" instead of "are".

Plus lots of redundancy: "using and capitalizing on" when "using" makes the point.

Or, "much more rapidly and faster" instead of simply "faster".

On to the books you can buy from Amazon.

Practice Tests

Buy this book: The CISSP Official (ISC)2 Practice Tests book contains 1,300 practice questions. It has tests for each domain, plus realistically mixed "final exams". If I could have only one book, it would be this one.

Study Guide

The (ISC)2 CISSP Official Study Guide will be far more readable than the CBK book.

If I had to choose between the CBK book and the study guide, I would choose this one.

Official Guide to the CBK

The Official (ISC)2 Guide to the CISSP CBK will be very dry, with somewhat stilted wording. That's exactly what I would expect of their presentation of their so-called "Common Body of Knowledge". Some Amazon reviews complain about it being awkwardly written and hard to read, but I guess they don't realize that's exactly its point.

The CBK book contains some practice questions. Not a lot, just 7 to 15 per domain. They are extremely wordy, and selecting the "correct" answer requires making the same assumptions as the author. Again, that's exactly what I would expect in this book.

Of my three suggestions, I expect the CBK book to be the least helpful.

Study Guide and Practice Exams

You can buy the Study Guide and the Practice Exams as a set.

Why Are These Books So Different?

(ISC)2 is very strict about maintaining a "Chinese wall" just like the CISSP CBK describes (where it's also called the Brewer and Nash Model). People involved in any way in creating exam content are not allowed to have anything to do with writing course material or (ISC)2 books, and they are not allowed to teach the course.
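The Brewer and Nash model mentioned above is easiest to understand as a history-based access rule: objects are grouped into datasets, datasets into conflict-of-interest classes, and a subject who has read from one dataset may no longer read from any other dataset in the same class. The following is an added example, not code from this page or from (ISC)2, using constructed dataset and class labels ("exam-item-pool", "course-material", "cissp-content") to model the exam-author versus course-author separation described in the paragraph above; the write rule follows the model's standard formulation (a subject may write only where reading is allowed and all of its prior reads came from that same dataset).

```python
"""Brewer and Nash ("Chinese wall") policy engine, constructed example.

Datasets belong to conflict-of-interest (COI) classes. A subject may read an
object only if it has never read from a *different* dataset in the same COI
class. Writes are allowed only when the subject can read the target and every
dataset it has previously read from is the target's own dataset, which stops
information from leaking across the wall through a shared object.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    name: str
    dataset: str     # constructed label, e.g. "exam-item-pool"
    coi_class: str   # constructed label, e.g. "cissp-content"


@dataclass
class ChineseWall:
    # subject -> set of (coi_class, dataset) pairs the subject has read from
    history: dict[str, set[tuple[str, str]]] = field(default_factory=dict)

    def can_read(self, subject: str, obj: Obj) -> bool:
        """Simple security rule: no prior read from a rival dataset in this class."""
        for coi, dataset in self.history.get(subject, set()):
            if coi == obj.coi_class and dataset != obj.dataset:
                return False
        return True

    def can_write(self, subject: str, obj: Obj) -> bool:
        """*-property: readable, and every prior read came from obj's dataset."""
        if not self.can_read(subject, obj):
            return False
        return all(dataset == obj.dataset
                   for _, dataset in self.history.get(subject, set()))

    def read(self, subject: str, obj: Obj) -> None:
        """Record the read; this is what builds the wall around the subject."""
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject} may not read {obj.name}")
        self.history.setdefault(subject, set()).add((obj.coi_class, obj.dataset))


def simulate() -> dict[str, bool]:
    """Walk one author through the policy and return each access decision."""
    wall = ChineseWall()
    exam_item = Obj("item-42", "exam-item-pool", "cissp-content")
    course_ch = Obj("chapter-3", "course-material", "cissp-content")
    hr_doc = Obj("timesheet", "hr-records", "hr")   # unrelated COI class

    decisions = {}
    decisions["fresh_can_read_course"] = wall.can_read("alice", course_ch)
    wall.read("alice", exam_item)                  # alice now sits on the exam side
    decisions["after_exam_can_read_exam"] = wall.can_read("alice", exam_item)
    decisions["after_exam_can_read_course"] = wall.can_read("alice", course_ch)
    decisions["after_exam_can_read_hr"] = wall.can_read("alice", hr_doc)
    decisions["after_exam_can_write_exam"] = wall.can_write("alice", exam_item)
    wall.read("alice", hr_doc)                     # a read from a second dataset
    decisions["after_hr_can_write_exam"] = wall.can_write("alice", exam_item)
    decisions["bob_can_read_course"] = wall.can_read("bob", course_ch)
    return decisions


if __name__ == "__main__":
    for decision, allowed in simulate().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

Note that the wall is built by what a subject has actually read, not by a role assigned up front: Alice could have gone either way until her first read of an exam item, after which course material in the same class is closed to her for good, which is the behaviour the paragraph above attributes to (ISC)2's separation of exam writers from course authors.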

So, the authors of these study books and the official (ISC)2 course look at the published Common Body of Knowledge outline, and give it their best guess as to what they think is important.

Through a "train-the-trainer" series I had to go through before teaching the CISSP course, I came to realize that the CISSP course has far more authors than the course textbook tells you. It lists four authors, but I think it was at least twice that.

The result is that the different domains in the course textbook can be presented in noticeably different writing styles. This was noticeable in both course textbooks, a little more so in the CISSP course.

So Many Incomplete Scenarios and Questions

Many of the practice questions in the course material, and in these books, and also on the real exam, are incomplete. The only appropriate response in the real world would be, "Finish the explanation of what's happening or the desired result. I need more information before I can give you a good answer." The frustrating practice questions help to prepare you for frustrating exam questions.

The Books Have Problems

These are technical books, so the copy editing is weak. The practice exam book especially needs some work. About every 100 to 150 questions, the answer key in the back would be mixed up as to which answer is correct. If you get that question "wrong", it might be because it listed the wrong letter. Read the explanations in the answer key; you might find that it describes the one you selected.

The funniest error I found was in the Operations Domain section of the CBK book. It's in a section about designing and operating a data center, so the premise here is that you're running your own private cloud infrastructure.

What seems to have happened is that someone wrote a short section, a little over a page long, about keyboard-video-mouse switches you would use with rack-mounted servers. They must have used the acronym "KVM" throughout.

Then, apparently, a second person came along and replaced "KVM" with "Kernel-based Virtual Machine" in the section heading and the first time in the text.

Well, KVM in that sense is very important in a private cloud! It's the mechanism by which the Linux kernel functions as a hypervisor for full system virtualization. It seems to me that it's much more important to get the virtualization right. Interface switch design isn't as critical. I started reading the section thinking that it explained their views on how to securely configure and use kernel-based full virtualization.

Imagine my confusion when I got to the list of important features including warning stickers, flashing LEDs, and circuit boards soldered into place. I eventually figured out what was going on. The mention of "unsecure emanations" was a red flag.

ISC2 book confusing keyboard-video-mouse switches with kernel-based full virtualization.

OK, that's more than enough snark. On to some study guides for the domains.