CISSP - Certified Security Professional


7/30/2019 CISSP - Certified Security Professional 1/42

2012 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. Rev # 09.05

Certified Information Systems Security Professional CISSP
Candidate Information Bulletin
Effective Date January 1, 2012 (Rev4)


1) ACCESS CONTROL ........................................ 5
Overview ........................................ 5
Key Areas of Knowledge ........................................ 5

2) TELECOMMUNICATIONS AND NETWORK SECURITY ........................................ 7
Overview ........................................ 7
Key Areas of Knowledge ........................................ 7

3) INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT ........................................ 9
Overview ........................................ 9
Key Areas of Knowledge ........................................ 9

4) SOFTWARE DEVELOPMENT SECURITY ........................................ 12
Overview ........................................ 12
Key Areas of Knowledge ........................................ 12

5) CRYPTOGRAPHY ........................................ 13
Overview ........................................ 13
Key Areas of Knowledge ........................................ 13

6) SECURITY ARCHITECTURE & DESIGN ........................................ 15
Overview ........................................ 15
Key Areas of Knowledge ........................................ 15

7) OPERATIONS SECURITY ........................................ 17
Overview ........................................ 17
Key Areas of Knowledge ........................................ 17

8) BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING ........................................ 19
Overview ........................................ 19
Key Areas of Knowledge ........................................ 20

9) LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE ........................................ 21
Overview ........................................ 21
Key Areas of Knowledge ........................................ 21

10) PHYSICAL (ENVIRONMENTAL) SECURITY ........................................ 23
Overview ........................................ 23
Key Areas of Knowledge ........................................ 23

REFERENCES ........................................ 25

SAMPLE EXAM QUESTIONS ........................................ 30

GENERAL EXAMINATION INFORMATION ........................................ 31
Paper Based Test (PBT) ........................................ 31
Any questions? ........................................ 34

GENERAL EXAMINATION INFORMATION ........................................ 35
Computer Based Testing (CBT) ........................................ 35
Registering for the Exam ........................................ 35
Scheduling a Test Appointment ........................................ 36
Non Disclosure ........................................ 39
Day of the Exam ........................................ 39
Any questions? ........................................ 42


The Certified Information Systems Security Professional (CISSP) is an information assurance professional who has demonstrated a globally recognized level of competence provided by a common body of knowledge that defines the architecture, design, management, risk and controls that assure the security of business environments.

This Candidate Information Bulletin provides the following:

- Exam blueprint to a limited level of detail that outlines major topics and sub-topics within the domains,
- Suggested reference list,
- Description of the format of the items on the exam, and
- Basic registration/administration policies

Applicants must have a minimum of five years of direct full-time security professional work experience in two or more of the ten domains of the (ISC)² CISSP CBK, or four years of direct full-time security professional work experience in two or more of the ten domains of the CISSP CBK with a four-year college degree. Only one year experience exemption is granted for education.

CISSP professional experience includes but is not limited to:

- Work requiring special education or intellectual attainment, usually including a liberal education or college degree.
- Work requiring habitual memory of a body of knowledge shared by others doing similar work.
- Management/supervision of projects and/or employees.
- Work requiring the exercise of judgment, management decision-making, and discretion.
- Work requiring the exercise of ethical judgment (as opposed to ethical behavior).
- Professional writing and oral communication (e.g., presentation).
- Teaching, instructing, training and the mentoring of others.
- Research and development.
- The specification and selection of controls and mechanisms (i.e., identification and authentication technology; this does not include the mere operation of these controls).

Applicable job title examples are: CISO, Director, Manager, Supervisor, Analyst, Cryptographer, Cyber Architect, Information Assurance Engineer, Instructor, Professor, Lecturer, Investigator, Computer Scientist, Program Manager, Lead, etc.


1) ACCESS CONTROL

Overview

The Access Control domain covers mechanisms by which a system grants or revokes the right to access data or perform an action on an information system.

Access Control systems include:

- File permissions, such as create, read, edit, or delete on a file server.
- Program permissions, such as the right to execute a program on an application server.
- Data rights, such as the right to retrieve or update information in a database.

CISSP candidates should fully understand access control concepts, methodologies and their implementation within centralized and decentralized environments across an organization's computing environment.

Key Areas of Knowledge

A. Control access by applying the following concepts/methodologies/techniques
A.1 Policies
A.2 Types of controls (preventive, detective, corrective, etc.)
A.3 Techniques (e.g., non-discretionary, discretionary and mandatory)
A.4 Identification and Authentication
A.5 Decentralized/distributed access control techniques
A.6 Authorization mechanisms
A.7 Logging and monitoring

B. Understand access control attacks
B.1 Threat modeling
B.2 Asset valuation
B.3 Vulnerability analysis
B.4 Access aggregation


C. Assess effectiveness of access controls
C.1 User entitlement
C.2 Access review & audit

D. Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)


2) TELECOMMUNICATIONS AND NETWORK SECURITY

Overview

The Telecommunications and Network Security domain encompasses the structures, techniques, transport protocols, and security measures used to provide integrity, availability, confidentiality and authentication for transmissions over private and public communication networks.

The candidate is expected to demonstrate an understanding of communications and network security as it relates to data communications in local area and wide area networks, remote access, and internet/intranet/extranet configurations. Candidates should be knowledgeable with network equipment such as switches, bridges and routers, as well as networking protocols (e.g., TCP/IP, IPSec), and VPNs.

Key Areas of Knowledge

A. Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation)
A.1 OSI and TCP/IP models
A.2 IP networking
A.3 Implications of multi-layer protocols

B. Securing network components
B.1 Hardware (e.g., modems, switches, routers, wireless access points)
B.2 Transmission media (e.g., wired, wireless, fiber)
B.3 Network access control devices (e.g., firewalls, proxies)
B.4 End-point security

C. Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN)
C.1 Voice (e.g., POTS, PBX, VoIP)
C.2 Multimedia collaboration (e.g., remote meeting technology, instant messaging)
C.3 Remote access (e.g., screen scraper, virtual application/desktop, telecommuting)


C.4 Data communications

D. Understand network attacks (e.g., DDoS, spoofing)


3) INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT

Overview

The Information Security Governance and Risk Management domain entails the identification of an organization's information assets and the development, documentation, implementation and updating of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify threats, classify assets, and to rate their vulnerabilities so that effective security measures and controls can be implemented.

The candidate is expected to understand the planning, organization, roles and responsibilities of individuals in identifying and securing an organization's information assets; the development and use of policies stating management's views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary and private information; third party management and service level agreements related to information security; employment agreements, employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.

Key Areas of Knowledge

A. Understand and align security function to goals, mission and objectives of the organization

B. Understand and apply security governance
B.1 Organizational processes (e.g., acquisitions, divestitures, governance committees)
B.2 Security roles and responsibilities
B.3 Legislative and regulatory compliance
B.4 Privacy requirements compliance
B.5 Control frameworks
B.6 Due care


B.7 Due diligence

C. Understand and apply concepts of confidentiality, integrity and availability

D. Develop and implement security policy
D.1 Security policies
D.2 Standards/baselines
D.3 Procedures
D.4 Guidelines
D.5 Documentation

E. Manage the information life cycle (e.g., classification, categorization, and ownership)

F. Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)

G. Understand and apply risk management concepts
G.1 Identify threats and vulnerabilities
G.2 Risk assessment/analysis (qualitative, quantitative, hybrid)
G.3 Risk assignment/acceptance
G.4 Countermeasure selection
G.5 Tangible and intangible asset valuation

H. Manage personnel security
H.1 Employment candidate screening (e.g., reference checks, education verification)
H.2 Employment agreements and policies
H.3 Employee termination processes
H.4 Vendor, consultant and contractor controls

I. Develop and manage security education, training and awareness

J. Manage the Security Function
J.1 Budget
J.2 Metrics


J.3 Resources
J.4 Develop and implement information security strategies
J.5 Assess the completeness and effectiveness of the security program


4) SOFTWARE DEVELOPMENT SECURITY

Overview

The Software Development Security domain refers to the controls that are included within systems and applications software and the steps used in their development (e.g., SDLC).

Software refers to system software (operating systems) and application programs such as agents, applets, software, databases, data warehouses, and knowledge-based systems. These applications may be used in distributed or centralized environments.

The candidate should fully understand the security and controls of the systems development process, system life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability.

Key Areas of Knowledge

A. Understand and apply security in the software development life cycle
A.1 Development Life Cycle
A.2 Maturity models
A.3 Operation and maintenance
A.4 Change management

B. Understand the environment and security controls
B.1 Security of the software environment
B.2 Security issues of programming languages
B.3 Security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor)
B.4 Configuration management

C. Assess the effectiveness of software security
C.1 Certification and accreditation (i.e., system authorization)
C.2 Auditing and logging
C.3 Risk analysis and mitigation


5) CRYPTOGRAPHY

Overview

The Cryptography domain addresses the principles, means, and methods of applying mathematical algorithms and data transformations to information to ensure its integrity, confidentiality and authenticity.

The candidate is expected to know basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction and use of digital signatures to provide authenticity of electronic transactions, and non-repudiation of the parties involved; and the organization and management of Public Key Infrastructures (PKIs) and digital certificate distribution and management.

Key Areas of Knowledge

A. Understand the application and use of cryptography
A.1 Data at rest (e.g., Hard Drive)
A.2 Data in transit (e.g., On the wire)

B. Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)

C. Understand encryption concepts
C.1 Foundational concepts
C.2 Symmetric cryptography
C.3 Asymmetric cryptography
C.4 Hybrid cryptography
C.5 Message digests
C.6 Hashing

D. Understand key management processes
D.1 Creation/distribution
D.2 Storage/destruction
D.3 Recovery


D.4 Key escrow

E. Understand digital signatures

F. Understand non-repudiation

G. Understand methods of cryptanalytic attacks
G.1 Chosen plain-text
G.2 Social engineering for key discovery
G.3 Brute Force (e.g., rainbow tables, specialized/scalable architecture)
G.4 Cipher-text only
G.5 Known plaintext
G.6 Frequency analysis
G.7 Chosen cipher-text
G.8 Implementation attacks

H. Use cryptography to maintain network security

I. Use cryptography to maintain application security

J. Understand Public Key Infrastructure (PKI)

K. Understand certificate related issues

L. Understand information hiding alternatives (e.g., steganography, watermarking)


6) SECURITY ARCHITECTURE & DESIGN

Overview

The Security Architecture & Design domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability.

Information security architecture and design covers the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational sub-units, so that these practices and processes align with the organization's core goals and strategic direction.

The candidate is expected to understand security models in terms of confidentiality, integrity, and data flow diagrams; Common Criteria (CC) protection profiles; technical platforms in terms of hardware, firmware, and software; and system security techniques in terms of preventative, detective, and corrective controls.

Key Areas of Knowledge

A. Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models)

B. Understand the components of information systems security evaluation models
B.1 Product evaluation models (e.g., common criteria)
B.2 Industry and international security implementation guidelines (e.g., PCI-DSS, ISO)

C. Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module)

D. Understand the vulnerabilities of security architectures
D.1 System (e.g., covert channels, state attacks, emanations)
D.2 Technology and process integration (e.g., single point of failure, service oriented architecture)


E. Understand software and system vulnerabilities and threats
E.1 Web-based (e.g., XML, SAML, OWASP)
E.2 Client-based (e.g., applets)
E.3 Server-based (e.g., data flow control)
E.4 Database security (e.g., inference, aggregation, data mining, warehousing)
E.5 Distributed systems (e.g., cloud computing, grid computing, peer to peer)

F. Understand countermeasure principles (e.g., defense in depth)


7) OPERATIONS SECURITY

Overview

The Security Operations domain is used to identify critical information and the execution of selected measures that eliminate or reduce adversary exploitation of critical information. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process.

The candidate is expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls, and the principles of good practice.

Key Areas of Knowledge

A. Understand security operations concepts
A.1 Need-to-know/least privilege
A.2 Separation of duties and responsibilities
A.3 Monitor special privileges (e.g., operators, administrators)
A.4 Job rotation
A.5 Marking, handling, storing and destroying of sensitive information
A.6 Record retention

B. Employ resource protection
B.1 Media management
B.2 Asset management (e.g., equipment life cycle, software licensing)

C. Manage incident response
C.1 Detection
C.2 Response
C.3 Reporting
C.4 Recovery


C.5 Remediation and review (e.g., root cause analysis)

D. Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, denial of service)

E. Implement and support patch and vulnerability management

F. Understand change and configuration management (e.g., versioning, baselining)

G. Understand system resilience and fault tolerance requirements


8) BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING

Overview

The Business Continuity and Disaster Recovery Planning domain addresses the preservation of the business in the face of major disruptions to normal business operations. BCP and DRP involve the preparation, testing and updating of specific actions to protect critical business processes from the effect of major system and network failures.

Business Continuity Planning (BCP) helps to identify the organization's exposure to internal and external threats; synthesize hard and soft assets to provide effective prevention and recovery for the organization; and maintain competitive advantage and value system integrity. BCP counteracts interruptions to business activities and should be available to protect critical business processes from the effects of major failures or disasters. It deals with natural and man-made events and with the consequences they have if they are not dealt with promptly and effectively.

Business Impact Analysis (BIA) determines the proportion of impact an individual business unit would sustain subsequent to a significant interruption of computing or telecommunication services. These impacts may be financial, in terms of monetary loss, or operational, in terms of inability to deliver.

Disaster Recovery Plans (DRP) contain procedures for emergency response, extended backup operation and post-disaster recovery, should a computer installation experience a partial or total loss of computer resources and physical facilities. The primary objective of the disaster recovery plan is to provide the capability to process mission-essential applications, in a degraded mode, and return to normal mode of operation within a reasonable amount of time.

The candidate is expected to know the difference between business continuity planning and disaster recovery; business continuity planning in terms of project scope and planning, business impact analysis, recovery strategies, recovery plan development, and implementation. Moreover, the candidate should understand disaster recovery in terms of recovery plan development, implementation and restoration.


Key Areas of Knowledge

A. Understand business continuity requirements
A.1 Develop and document project scope and plan
B. Conduct business impact analysis
B.1 Identify and prioritize critical business functions
B.2 Determine maximum tolerable downtime and other criteria
B.3 Assess exposure to outages (e.g., local, regional, global)
B.4 Define recovery objectives
C. Develop a recovery strategy
C.1 Implement a backup storage strategy (e.g., offsite storage, electronic vaulting, tape rotation)
C.2 Recovery site strategies
D. Understand disaster recovery process
D.1 Response
D.2 Personnel
D.3 Communications
D.4 Assessment
D.5 Restoration
D.6 Provide training
E. Exercise, assess and maintain the plan (e.g., version control, distribution)


9) LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE

Overview

The Legal, Regulations, Investigations and Compliance domain addresses ethical behavior and compliance with regulatory frameworks. It includes the investigative measures and techniques that can be used to determine if a crime has been committed, and methods used to gather evidence (e.g., forensics). A computer crime is any illegal action where the data on a computer is accessed without permission. This includes unauthorized access or alteration of data, or unlawful use of computers and services. This domain also includes understanding the computer incident forensic response capability to identify the Advanced Persistent Threat (APT) that many organizations face today.

Key Areas of Knowledge

A. Understand legal issues that pertain to information security internationally
A.1 Computer crime
A.2 Licensing and intellectual property (e.g., copyright, trademark)
A.3 Import/Export
A.4 Trans-border data flow
A.5 Privacy
B. Understand professional ethics
B.1 (ISC)² Code of Professional Ethics
B.2 Support organization's code of ethics
C. Understand and support investigations
C.1 Policy, roles and responsibilities (e.g., rules of engagement, authorization, scope)
C.2 Incident handling and response
C.3 Evidence collection and handling (e.g., chain of custody, interviewing)
C.4 Reporting and documenting


D. Understand forensic procedures
D.1 Media analysis
D.2 Network analysis
D.3 Software analysis
D.4 Hardware/embedded device analysis
E. Understand compliance requirements and procedures
E.1 Regulatory environment
E.2 Audits
E.3 Reporting
F. Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)


10) PHYSICAL (ENVIRONMENTAL) SECURITY

Overview

The Physical (Environmental) Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.

Physical security describes measures that are designed to deny unauthorized personnel (including attackers) physical access to a building, facility, resource, or stored information, and guidance on how to design structures to resist potentially hostile acts.

The candidate is expected to know the elements involved in choosing a secure site, its design and configuration, and the methods for securing the facility against unauthorized access, theft of equipment and information, and the environmental and safety measures needed to protect people, the facility, and its resources.

Key Areas of Knowledge

A. Understand site and facility design considerations
B. Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)
C. Support the implementation and operation of internal security (e.g., escort requirements/visitor control, keys and locks)
D. Support the implementation and operation of facilities security (e.g., technology convergence)
D.1 Communications and server rooms
D.2 Restricted and work area security
D.3 Data center security
D.4 Utilities and Heating, Ventilation and Air Conditioning (HVAC) considerations
D.5 Water issues (e.g., leakage, flooding)
D.6 Fire prevention, detection and suppression
E. Support the protection and securing of equipment


F. Understand personnel privacy and safety (e.g., duress, travel, monitoring)


REFERENCES

This reference list is NOT intended to be an all-inclusive collection representing the CISSP Core Body of Knowledge (CBK). Its purpose is to provide candidates a starting point for their studies in domains which need supplementary learning in order to complement their associated level of work and academic experience. Candidates may also consider other references, which are not on this list but adequately cover domain content.

Note: (ISC)² does not endorse any particular text or author and does not imply that any or all references be acquired or consulted. (ISC)² does not imply nor guarantee that the study of these references will result in an examination pass.

Domain: Supplementary References

Access Control
Bertino, E., K. Takahashi, (2010). Identity Management: Concepts, Technologies, and Systems
Chin, S-K., S.B. Older, (2010). Access Control, Security, and Trust: A Logical Approach
Ferraiolo, D.F., D.R. Kuhn, R. Chandramouli, (2007). Role-Based Access Control (2nd Edition)
Kayem, A.V., S.G. Akl, P. Martin, (2010). Adaptive Cryptographic Access Control
Konicek, J., (1997). Security, ID Systems and Locks: The Book on Electronic Access Control
Links, C.L., (2008). IAM Success Tips (Volumes 1-3)
Newman, R., (2009). Security and Access Control Using Biometric Technologies: Application, Technology, and Management
Rankl, W., W. Effing, (2010). Smart Card Handbook
Tipton, H.F., M.K. Nozaki, (2011). Information Security Management Handbook (2011 CD-ROM Edition) [1]
Vacca, J.R., (2010). Biometric Technologies and Verification Systems

Telecommunications and Network Security
Cheswick, W.R., S.M. Bellovin, A.D. Rubin, (2003). Firewalls and Internet Security: Repelling the Wily Hacker (2nd Edition)
Hoffman, D.V., (2008). Implementing NAP and NAC Security Technologies: The Complete Guide to Network Access Control
Davis, C., (2001). IPSec: Securing VPNs
Hogg, S., E. Vyncke, (2008). IPv6 Security
Kadrich, M., (2007). Endpoint Security

[1] This reference can be used for multiple domains.


Telecommunications and Network Security (cont.)
Luotonen, A., (1997). Web Proxy Servers
Porter, T., J. Kanclirz, B. Baskin, (2006). Practical VoIP Security
Prowell, S., R. Kraus, M. Borkin, (2010). Seven Deadliest Network Attacks
Stevens, W.R., G.R. Wright, (2001). TCP/IP Illustrated (3 Volume Set)
Wetteroth, D., (2001). OSI Reference Model for Telecommunications

Information Security Governance and Risk Management
(ISC)², Code of Ethics (https://www.isc2.org/ethics/default.aspx)
Bacik, S., (2008). Building an Effective Information Security Policy Architecture
Brotby, K., (2010). Information Security Governance
Calder, A., S. Watkins, (2008). IT Governance: A Manager's Guide to Data Security and ISO 27001/ISO 27002
Hayden, L., (2010). IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data
Herold, R., (2010). Managing an Information Security and Privacy Awareness and Training Program (2nd Edition)
Jaquith, A., (2007). Security Metrics: Replacing Fear, Uncertainty, and Doubt
Landoll, D.J., (2005). The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments
Norman, T.L., (2009). Risk Analysis and Security Countermeasure Selection
Tipton, H.F., (2009). Official (ISC)² Guide to the CISSP CBK (2nd Edition) [2]
Whitman, M.E., H.J. Mattord, (2010). Management of Information Security (3rd Edition)

Software Development Security
Allen, J.A., S.J. Barnum, R.J. Ellison, G. McGraw, N.R. Mead, (2008). Software Security Engineering: A Guide for Project Managers
Chess, B., J. West, (2007). Secure Programming with Static Analysis
Clarke, J., (2009). SQL Injection Attacks and Defense
Dowd, M., J. McDonald, J. Schuh, (2006). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Dwivedi, H., (2010). Mobile Application Security
Howard, M., D. LeBlanc, J. Viega, (2009). 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
Howard, M., S. Lipner, (2006). The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software
Ligh, M., S. Adair, B. Hartstein, M. Richard, (2010). Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Stuttard, D., M. Pinto, (2007). The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

[2] This reference can be used for multiple domains.


Cryptography
Boudriga, N., (2009). Security of Mobile Communications
Cole, E., (2003). Hiding in Plain Sight: Steganography and the Art of Covert Communication
Hankerson, D., A.J. Menezes, S. Vanstone, (2010). Guide to Elliptic Curve Cryptography
Daemen, J., V. Rijmen, (2002). The Design of Rijndael: AES - The Advanced Encryption Standard
Garfinkel, S., (1994). PGP: Pretty Good Privacy
Karamanian, A., S. Tenneti, (2011). PKI Uncovered: Certificate-Based Security Solutions for Next-Generation Networks
Menezes, A.J., P. van Oorschot, S. Vanstone, (1996). Handbook of Applied Cryptography (Discrete Mathematics and Its Applications)
Schneier, B., (1996). Applied Cryptography: Protocols, Algorithms, and Source Code in C (2nd Edition)
Tennoe, L.M., M.T. Henssonow, S.F. Surhone, (2010). Tokenization (Data Security)
Stallings, W., (2010). Cryptography and Network Security: Principles and Practice (5th Edition)

Security Architecture and Design
Anderson, R.J., (2008). Security Engineering: A Guide to Building Dependable Distributed Systems [3]
Challener, C., K. Yoder, R. Catherman, D. Safford, L.V. Doorn, (2008). A Practical Guide to Trusted Computing
Gillis, T., (2010). Securing the Borderless Network: Security for the Web 2.0 World
Higaki, W.H., Y. Higaki, (2010). Successful Common Criteria Evaluations: A Practical Guide for Vendors
Kanneganti, R., P.R. Chodavarapu, (2008). SOA Security
Kenan, K., (2005). Cryptography in the Database: The Last Line of Defense
Petkovic, M., W. Jonker, (2010). Security, Privacy, and Trust in Modern Data Management
Santos, O., (2007). End-to-End Network Security: Defense-in-Depth
Shimonski, R., W. Schmied, V. Chang, T.W. Shinder, (2003). Building DMZs For Enterprise Networks
Swiderski, F., W. Snyder, (2004). Threat Modeling

[3] This reference can be used for multiple domains.


Security Operations
Aiello, R., (2010). Configuration Management Best Practices: Practical Methods that Work in the Real World
Bejtlich, R., (2005). Extrusion Detection: Security Monitoring for Internal Intrusions
Bosworth, S., M.E. Kabay, E. Whyne, (2009). Computer Security Handbook (2 Volume Set)
Cole, E., S. Ring, (2006). Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft
Foreman, P., (2009). Vulnerability Management
Fry, C., M. Nystrom, (2009). Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks
Hadnagy, C., (2010). Social Engineering: The Art of Human Hacking
Koren, I., C.M. Krishna, (2007). Fault-Tolerant Systems
Rajnovic, D., (2010). Computer Incident Response and Product Security
Trost, R., (2009). Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century

Business Continuity and Disaster Recovery Planning
Bowman, R.H., (2008). Business Continuity Planning for Data Centers and Systems: A Strategic Implementation Guide
Buffington, J., (2010). Data Protection for Virtual Data Centers
Clark, T., (2005). Storage Virtualization: Technologies for Simplifying Data Storage and Management
Hiles, A., P. Barnes, (2001). The Definitive Handbook of Business Continuity Management
Little, D.B., D.A. Chapa, (2003). Implementing Backup and Recovery: The Readiness Guide for the Enterprise
National Fire Protection Association, (2007). NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity
Preston, C., (2007). Backup & Recovery: Inexpensive Backup Solutions for Open Systems
Schmidt, K., (2010). High Availability and Disaster Recovery: Concepts, Design, Implementation
Snedaker, S., (2007). Business Continuity and Disaster Recovery Planning for IT Professionals
Toigo, J.W., (2002). Disaster Recovery Planning: Preparing for the Unthinkable (3rd Edition)

Legal, Regulations, Investigations and Compliance
Barrett, D., G. Kipper, (2010). Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments
Casey, E., (2011). Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (3rd Edition)
Ermann, M.D., M.S. Shauf, (2002). Computers, Ethics, and Society (3rd Edition)


Legal, Regulations, Investigations and Compliance (cont'd)
Garner, B.A., (2009). Black's Law Dictionary (9th Edition)
Kuner, C., (2007). European Data Protection Law: Corporate Regulation and Compliance
Mather, T., S. Kumaraswamy, S. Latif, (2009). Cloud Security and Privacy
Moeller, R.R., (2010). IT Audit, Control, and Security (2nd Edition)
Nissenbaum, H., (2009). Privacy in Context: Technology, Policy, and the Integrity of Social Life
Prosise, C., K. Mandia, (2003). Incident Response and Computer Forensics (2nd Edition)
Van Lindberg, V., (2008). Intellectual Property and Open Source: A Practical Guide to Protecting Code

Physical (Environmental) Security
Alger, D., (2005). Build the Best Data Center Facility for Your Business
Arata, A., (2005). Perimeter Security
Damjanovski, V., (2005). CCTV, Networking and Digital Technology (2nd Edition)
Fennelly, L., (2003). Effective Physical Security (3rd Edition)
Garcia, M.L., (2005). Vulnerability Assessment of Physical Protection Systems
Khairallah, M., (2005). Physical Security Systems Handbook: The Design and Implementation of Electronic Security Systems
Nilsson, F., (2008). Intelligent Network Video: Understanding Modern Video Surveillance Systems
Schulz, G., (2009). The Green and Virtual Data Center
Snevely, R., (2002). Enterprise Data Center Design and Methodology


SAMPLE EXAM QUESTIONS

1. Which one of the following is the MOST important security consideration when selecting a new computer facility?
(A) Local law enforcement response times
(B) Adjacent to competitors' facilities
(C) Aircraft flight paths
(D) Utility infrastructure
Answer - D

2. Which one of the following describes a SYN flood attack?
(A) Rapid transmission of Internet Relay Chat (IRC) messages
(B) Creating a high number of half-open connections
(C) Disabling the Domain Name Service (DNS) server
(D) Excessive list linking of users and files
Answer - B

3. The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to protect transmissions
(A) between the WAP gateway and the wireless device.
(B) between the web server and WAP gateway.
(C) from the web server to the wireless device.
(D) between the wireless device and the base station.
Answer - B


GENERAL EXAMINATION INFORMATION

Paper Based Test (PBT)

General Information: The doors to all examination rooms will open at 8:00 a.m. Examination instructions will begin promptly at 8:30 a.m. All examinations will begin at approximately 9:00 a.m.

The maximum duration of the CISSP exam is 6 hours. The maximum duration of all other exams except the CSSLP is 3 hours. The CSSLP candidates are allowed a maximum of 4 hours to complete the exam.

Please note there will be no lunch break during the testing period. However, you are permitted to bring a snack with you. You may, at your option, take a break and eat your snack at the back of the examination room. No additional time will be allotted for breaks.

Examination Admittance: Please arrive at 8:00 a.m. when the doors are opened. Please bring your admission letter to the examination site. In order to be admitted, photo identification is also required. You will not be admitted without proper identification. The only acceptable forms of identification are a driver's license, government-issued identification card, or passport. No other written forms of identification will be accepted.

Examination Security: Failure to follow oral and written instructions will result in your application being voided and application fee being forfeited. Conduct that results in a violation of security or disrupts the administration of the examination could result in the confiscation of your test and your dismissal from the examination. In addition, your examination will be considered void and will not be scored. Examples of misconduct include, but are not limited to, the following: writing on anything other than designated examination materials, writing after time is called, looking at another candidate's examination materials, talking with other candidates at any time during the examination period, failing to turn in all examination materials before leaving the testing room.

You must not discuss or share reference materials or any other examination information with any candidate during the entire examination period. You are particularly cautioned not to do so after you have completed the exam and checked out of the test room, as other candidates in the area might be taking a break and still not have completed the examination. You may not attend the examination only to review or audit test materials. You may not copy any portion of the examination for any reason. No examination materials may leave the test room under any circumstances and all examination materials must be turned in and accounted for before leaving the testing room. No unauthorized persons will be admitted into the testing area.

Please be further advised that all examination content is strictly confidential. You may only communicate about the test, or questions on the test, using the appropriate comment forms provided by the examination staff at the test site. At no other time, before, during or after the examination, may you communicate orally, electronically or in writing with any person or entity about the content of the examination or individual examination questions.

Reference Material: Candidates writing on anything other than examination materials distributed by the proctors will be in violation of the security policies above. Reference materials are not allowed in the testing room. Candidates are asked to bring as few personal and other items as possible to the testing area.

Hard copies of language translation dictionaries are permitted for the examination, should you choose to bring one to assist you with language conversions. Electronic dictionaries will not be permitted under any circumstances. The Examination Supervisor will fully inspect your dictionary at check-in. Your dictionary may not contain any writing or extraneous materials of any kind. If the dictionary contains writing or other materials or papers, it will not be permitted in the examination room. Additionally, you are not permitted to write in your dictionary at any time during the examination, and it will be inspected a second time prior to dismissal from the examination. Finally, (ISC)² takes no responsibility for the content of such dictionaries or interpretations of the contents by a candidate.

Examination Protocol: While the site climate is controlled to the extent possible, be prepared for either warm or cool temperatures at the testing center. Cellular phones and beepers are prohibited in the testing area. The use of headphones inside the testing area is prohibited. Electrical outlets will not be available for any reason. Earplugs for sound suppression are allowed. No smoking or use of tobacco products will be allowed inside the testing area. Food and drinks are only allowed in the snack area located at the rear of the examination room. You must vacate the testing area after you have completed the examination. If you require special assistance, you must contact (ISC)² Candidate Services (see address at the bottom of this document) at least one week in advance of the examination date and appropriate arrangements will be made. Due to limited parking facilities at some sites, please allow ample time to park and reach the testing area.

Admission Problems: A problem table for those candidates who did not receive an admission notice or need other assistance will be available 30 minutes prior to the opening of the doors.

Examination Format and Scoring

The CISSP examination consists of 250 multiple choice questions with four (4) choices each.


The CSSLP examination consists of 175 multiple choice questions with four (4) choices each.

The SSCP examination contains 125 multiple choice questions with four (4) choices each.

The ISSAP, ISSEP, and ISSMP concentration examinations contain 125, 150, 125 multiple choice questions respectively with four (4) choices each.

The Certified Authorization Professional (CAP) examination contains 125 multiple choice questions with four (4) choices each. It is also administered by computer.

There may be scenario-based items which may have more than one multiple choice question associated with them. These items will be specifically identified in the test booklet.

Each of these exams contains 25 questions which are included for research purposes only. The research questions are not identified; therefore, answer all questions to the best of your ability. There is no penalty for guessing, so candidates should not leave any item unanswered.

Examination results will be based only on the scored questions on the examination. There are several versions of the examination. It is important that each candidate have an equal opportunity to pass the examination, no matter which version is administered. Subject Matter Experts (SMEs) have provided input as to the difficulty level of all questions used in the examinations. That information is used to develop examination forms that have comparable difficulty levels. When there are differences in the examination difficulty, a mathematical procedure called equating is used to make the difficulty level of each test form equal. Because the number of questions required to pass the examination may be different for each version, the scores are converted onto a reporting scale to ensure a common standard. The passing grade required is a scale score of 700 out of a possible 1000 points on the grading scale.

Examination Results

Examination results will normally be released, via email, within 4 to 6 weeks of the examination date. A comprehensive statistical and psychometric analysis of the score data is conducted prior to the release of scores. A minimum number of candidates must have taken the examination for the analysis to be conducted. Accordingly, depending upon the schedule of test dates for a given cycle, there may be occasions when scores are delayed beyond the 4-6 week time frame in order to complete this critical process. If the test is administered via computers, candidates' pass/fail status is provided at the end of the testing on the site. Results WILL NOT be released over the telephone. In order to receive your results, your primary email address must be current and any email address changes must be submitted to (ISC)² Customer Support via email at [email protected], or may be updated online in your candidate profile.


Exam Response Information

Your answer sheet MUST be completed with your name and other information as required. The answer sheet must be used to record all answers to the multiple-choice questions. Upon completion, you are to wait for the proctor to collect your examination materials. Answers marked in the test booklet will not be counted or graded, and additional time will not be allowed in order to transfer answers to the answer sheet. All marks on the answer sheet must be made with a No. 2 pencil. You must blacken the appropriate circles completely and completely erase any incorrect marks. Only your responses marked on the answer sheet will be considered. An unanswered question will be scored as incorrect.

Dress is business casual (neat...but certainly comfortable).

Any questions?

(ISC)² Candidate Services
33920 US Highway 19 North
Suite 205
Palm Harbor, FL 34684
Phone: 1.866.331.ISC2 (4722) in the United States
1.727.785.0189 all others
Fax: 1.727.683.0785


GENERAL EXAMINATION INFORMATION

Computer Based Testing (CBT)

Registering for the Exam

Process for Registration Overview

This section describes procedures for candidates registering to sit for a Computer Based Test (CBT). The test is administered at Pearson VUE Testing centers in the US, Canada, and other parts of the world.

1. Go to www.pearsonvue.com/isc2 to register for a test appointment.
2. Select the most convenient test center.
3. Select an appointment time.
4. Pay for your exam appointment.
5. Receive confirmation from Pearson VUE with the appointment details, test center location and other relevant instructions, if any.

Please note that your registration information will be transferred to (ISC)² and all communication about the testing process from (ISC)² and Pearson VUE will be sent to you via email.

Fees

Please visit the (ISC)² website https://www.isc2.org/certification-register-now.aspx for the most current examination registration fees.

U.S. Government Veterans Administration G.I. Bill

The U.S. Department of Veterans Affairs has approved reimbursement to veterans under the G.I. Bill for the cost of the Certified Information System Security Professional (CISSP), the CISSP Concentrations (ISSAP, ISSEP, ISSMP), the Certification and Accreditation Professional (CAP), and the System Security Certified Practitioner (SSCP) examinations. Please refer to the U.S. Department of Veterans Affairs Website at www.va.gov for more details.


CBT Demonstration

Candidates can experience a demonstration and tutorial of the CBT experience on our Pearson VUE web page. The tutorial may be found at www.pearsonvue.com/isc2.

Scheduling a Test Appointment

Process for Registration Overview

Candidates may register for a testing appointment directly with Pearson VUE (www.pearsonvue.com/isc2). Candidates who do not pass the test will be subject to the retake policy and must wait the applicable time before they are allowed to re-sit for the examination.

Exam Appointment

Test centers may fill up quickly because of high volume and previously scheduled special events. Pearson VUE testing centers also serve candidates from other entities; thus waiting to schedule the testing appointment may significantly limit the options for candidates' desired testing dates at the closest center available.

Scheduling for a Testing Appointment

Candidates may schedule their appointment online at the (ISC)² CBT Website located at www.pearsonvue.com/isc2. Candidates will be required to create a Pearson VUE account in order to complete registration. Candidates' profile will be transferred to (ISC)² and becomes part of the candidate's permanent record. Candidates will be able to locate test centers and select from a choice of available examination appointment times at the Pearson VUE web site.

Candidates may also register over the telephone with a CBT registration specialist. Please refer to Contact Information for local telephone numbers for your region.


Rescheduling or Cancellation of a Testing Appointment

If you wish to reschedule or cancel your exam appointment, you must contact Pearson VUE at least 48 hours before the exam date by contacting Pearson VUE online (www.pearsonvue.com/isc2), OR at least 24 hours prior to exam appointment time by contacting Pearson VUE over the phone. Canceling or rescheduling an exam appointment less than 24 hours via phone notification, or less than 48 hours via online notification is subject to a forfeit of exam fees. Exam fees are also forfeited for no-shows. Please note that Pearson VUE charges a fee of US$ 20 for reschedules or cancellations.

Reschedules and cancellations may be done at the (ISC)² CBT Candidate Web site (www.pearsonvue.com/isc2) or via telephone. Please refer to Contact Information for more information and local telephone numbers for your region.

Late Arrivals or No Shows

If the candidate does not arrive within 15 minutes of the scheduled exam starting time, he or she has technically forfeited his or her assigned seat.

If the candidate arrives late (after 15 minutes of his/her scheduled appointment), it is up to the discretion of the testing center as to whether or not the candidate may still take the exam. If the test administrator at the testing location is able to accommodate a late arriving candidate, without affecting subsequent candidates' appointments, he/she will let the candidate sit for the exam and launch his/her exam.

Any/all attempts are made to accommodate candidates who arrive late. However, if the schedule is such that the test center is not able to accommodate a late arrival, the candidate will be turned away and his/her exam fees will be forfeited.

If a candidate fails to appear for a testing appointment, the test result will appear in the system as a No-Show and the candidate's exam fees will be forfeited.

Procedure for Requesting Special Accommodations

Pearson VUE Professional Centers can accommodate a variety of candidates' needs, as they are fully compliant with the Americans with Disabilities Act (ADA), and the equivalent requirements in other countries.

Requests for accommodations should be made to (ISC)² in advance of the desired testing appointment. Once (ISC)² grants the accommodations request, the candidate may schedule the testing appointment using Pearson VUE's special accommodations number. From there, a Pearson VUE coordinator will handle all of the arrangements.


PLEASE NOTE: Candidates that request special accommodations should not schedule their appointment online or call the main CBT registration line.

What to Bring to the Test Center

Proper Identification

(ISC)² requires two forms of identification, a primary and a secondary, when checking in for a CBT test appointment at a Pearson VUE Test Center. All candidate identification documents must be valid (not expired) and must be an original document (not a photocopy or a fax).

Primary IDs: Must contain a permanently affixed photo of the candidate, along with the candidate's signature.

Secondary IDs: Must have the candidate's signature.

Accepted Primary ID (photograph and signature, not expired)

Government issued Driver's License or Identification Card
U.S. Dept of State Driver's License
U.S. Learner's Permit (card only with photo and signature)
National/State/Country Identification Card
Passport
Passport Cards
Military ID
Military ID for spouses and dependents
Alien Registration Card (Green Card, Permanent Resident Visa)
Government Issued local language ID (plastic card with photo and signature)
Employee ID
School ID
Credit Card* (A credit card can be used as a primary form of ID only if it contains both a photo and a signature and is not expired. Any credit card can be used as a secondary form of ID, as long as it contains a signature and is not expired. This includes major credit cards, such as VISA, MasterCard, American Express and Discover. It also includes department store and gasoline credit cards.)

Accepted Secondary ID (contains signature, not expired)

U.S. Social Security Card
Debit/(ATM) Card
Credit Cards
Any form of ID on the primary list


Name Matching Policy

Candidate's first and last name on the presented identification document must exactly match the first and last name on the registration record with Pearson VUE. If the name the candidate has registered with does not match the name on the identification document, proof of legal name change must be brought to the test center on the day of the test. The only acceptable forms of legal documentation are marriage licenses, divorce decrees, or court sanctioned legal name change documents. All documents presented at the test center must be original documents. If a mistake is made with a name during the application process, candidates should contact (ISC)² to correct the information well in advance of the actual test date. Name changes cannot be made at the test center or on the day of the exam. Candidates who do not meet the requirements presented in the name matching policy on the day of the test may be subject to forfeiture of testing fees and asked to leave the testing center.

Non Disclosure

Prior to starting the exam, all candidates are presented with the (ISC)² non-disclosure agreement (NDA), and are required to accept the agreement on the computer prior to being presented with exam questions. If the NDA is not accepted by the candidate, or the candidate refuses to accept it within the time allotted, the exam will end, and the candidate will be asked to leave the test center. No refund of exam fees will be given. For this reason, all candidates are strongly encouraged to review the non-disclosure agreement prior to scheduling for, or taking the exam.

The agreement is located at www.pearsonvue.com/isc2/isc2_nda.pdf.

Day of the Exam

Check-In Process

Plan to arrive at the Pearson VUE testing center at least 30 minutes before the scheduled testing time. If you arrive more than 15 minutes late to your scheduled appointment, you may lose your examination appointment. For checking-in:

You will be required to present two acceptable forms of identification.
You will be asked to provide your signature, submit to a palm vein scan, and have your photograph taken. Hats, scarves and coats may not be worn in the testing room, or while your photograph is being taken.
You will be required to leave your personal belongings outside the testing room. Secure storage will be provided. Storage space is small, so candidates should plan appropriately. Pearson Professional Centers assume no responsibility for candidates' personal belongings.


The Test Administrator (TA) will give you a short orientation, and then will escort you to a computer terminal. You must remain in your seat during the examination, except when authorized to leave by test center staff. You may not change your computer terminal unless a TA directs you to do so.

Raise your hand to notify the TA if you
believe you have a problem with your computer.
need to change note boards.
need to take a break.
need the administrator for any reason.

Breaks

You will have up to six hours to complete the CISSP, up to four hours to complete the CSSLP and up to three hours to complete the following examinations:
SSCP
CAP
ISSAP
ISSEP
ISSMP

Total examination time includes any unscheduled breaks you may take. All breaks count against your testing time. You must leave the testing room during your break, but you may not leave the building or access any personal belongings unless absolutely necessary (e.g. for retrieving medication). Additionally, when you take a break, you will be required to submit to a palm vein scan before and after your break.

Technical Issues

On rare occasions, technical problems may require rescheduling of a candidate's examination. If circumstances arise causing you to wait more than 30 minutes after your scheduled appointment time, or a restart delay lasts longer than 30 minutes, you will be given the choice of continuing to wait, or rescheduling your appointment without an additional fee.

If you choose to wait, but later change your mind at any time prior to beginning or restarting the examination, you will be allowed to take the exam at a later date, at no additional cost.
If you choose not to reschedule, but rather test after a delay, you will have no further recourse, and your test results will be considered valid.
If you choose to reschedule your appointment, or the problem causing the delay cannot be resolved, you will be allowed to test at a later date at no additional charge. Every attempt will be made to contact candidates if technical problems are identified prior to a scheduled appointment.


Testing Environment

Pearson Professional Centers administer many types of examinations including some that require written responses (essay-type). Pearson Professional Centers have no control over typing noises made by candidates sitting next to you while writing their examination. Typing noise is considered a normal part of the computerized testing environment, just as the noise of turning pages is a normal part of the paper-and-pencil testing environment. Earplugs are available upon request.

When the Exam is Finished

After you have finished the examination, raise your hand to summon the TA. The TA will collect and inventory all note boards. The TA will dismiss you when all requirements are fulfilled.

If you believe there was an irregularity in the administration of your test, or the associated test conditions adversely affected the outcome of your examination, you should notify the TA before you leave the test center.

Results Reporting

Candidates will receive their unofficial test result at the test center. The results will be handed out by the Test Administrator during the checkout process. (ISC)² will then follow up with an official result via email.

In some instances, real time results may not be available. A comprehensive statistical and psychometric analysis of the score data is conducted during every testing cycle before scores are released. A minimum number of candidates are required to take the exam before this analysis can be completed. Depending upon the volume of test takers for a given cycle, there may be occasions when scores are delayed for approximately 4-6 weeks in order to complete this critical process. Results WILL NOT be released over the phone. They will be sent via email from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy, you should contact (ISC)² prior to your examination.

Retake Policy

Test takers who do not pass the exam the first time will be able to retest after 30 days. Test takers that fail a second time will need to wait 90 days prior to sitting for the exam again. In the unfortunate event that a candidate fails a third time, the next available time to sit for the exam will be 180 days after the most recent exam attempt. The retake wait time then resets after the fourth attempt starting again with a 30-day waiting period.


Recertification by Ex