How I Passed the CISSP Exam

Preface

📘
I want to preface this post by saying that I'm not a CISSP certification holder; rather, I am an Associate of (ISC)². To claim the full certification you must have five years of cumulative, paid work experience in two or more of the eight CISSP domains (a relevant four-year degree or an approved credential can substitute for one of those years), and an Associate has six years after passing the exam to earn that experience.

The Significance

What is the CISSP and why is it important? The Certified Information Systems Security Professional certification, awarded by the International Information System Security Certification Consortium, (ISC)², is a globally recognized credential in information security, and probably the most coveted cyber security certification one can obtain during a career in this field.

I think the most important reason to obtain this certification is its industry recognition. The exam covers a comprehensive Common Body of Knowledge (CBK) spanning risk management, network security, cryptography, security operations, access control, and many other information security topics. By passing it, you demonstrate both your dedication to and your breadth of knowledge in the field.

Honestly, I didn't even think I would be attempting this exam. Heck, when I started at CAPITAL Services as an intern, I was still in my final year of college. I thought my first certificate would be Security+ or Pentest+, but nope, straight into the deep end!

Prep Work

Preparation for the exam began when I first started at CAPITAL Services in the summer of 2021. The team there was already in the process of studying for the exam and threw me in on their lunch n' learn training sessions, where we watched the Kevin Henry CISSP course on Pluralsight. Kevin's training was very good and informative but also very slow; we had to run the video at 1.25 to 1.5 times the original speed. Otherwise, it was still a good course that covered all 8 domains in depth.

After the team decided to keep me on as a part-time employee, I was given the CISSP book. I'm not gonna lie, I did read through and take notes on the first chapter, followed by giving up on the book entirely. In my opinion, the best thing that came from that book was the online practice tests which were a great way to gauge your knowledge of each of the domains. Once we finished with the videos, our Lunch n' Learns consisted of completing all the practice tests. Doing these tests with a team had to be the best studying I got leading up to the exam. Everyone else in the room had much more experience than me so when a question was foreign, the other guys would elaborate when needed on top of the explanation given in the practice test.

Finally, the last study material I used was the CISSP MindMaps series on YouTube. It provides a high-level overview of all of the domains and everything they cover. You won't get in-depth information, but it helped me fill in the gaps on topics I wasn't comfortable with and then do more research to gain a better understanding before the exam. Although it is a couple of years old, I still recommend watching it, as it highlights most of the important topics in each domain.

💡
My Tip:
Take and complete all the practice tests, then follow up on every question you got wrong or had to guess at using the study materials mentioned above.

Understanding the Domains

There are 8 domains that you have to know for the CISSP Exam. The percentage next to each is that domain's weight on the (ISC)² exam outline; (ISC)² revises the outline and its weights periodically, so check the current version before you study:

Security & Risk Management - 15%

The first domain covers how an organization identifies, evaluates, and treats risk while preserving the confidentiality, integrity, and availability of its information and other assets. Pairing a solid baseline of security controls with proactive risk management is what lets an organization keep pace with a changing threat landscape rather than merely react to it.

Asset Security - 10%

The second domain covers the concepts, frameworks, principles, and standards for keeping track of and safeguarding anything of value to the organization: data first and foremost, but also personnel, partners, facilities, and equipment. Knowing what assets you have and how valuable they are comes before deciding how to protect them.

Security Architecture & Engineering - 13%

The Security Architecture and Engineering domain, as the name suggests, focuses on the design, implementation, and management of secure systems and architectures. It covers the knowledge needed to build robust security architectures, preserve the integrity of system components, and apply effective security measures throughout the system development life cycle.

Communications & Network Security - 13%

The Communications and Network Security domain focuses on safeguarding the integrity, confidentiality, and availability of information as it is transmitted across networks. This domain encompasses the protection of network infrastructure, devices, and protocols, as well as the secure transmission of data through encryption, VPNs, and secure protocols. It involves implementing and managing network security controls, such as firewalls, intrusion detection and prevention systems, and access control mechanisms. Additionally, this domain covers the security aspects of telecommunications and network architecture, ensuring secure and reliable communication channels within and between organizations.

Identity & Access Management - 13%

Identity and access management (IAM) refers to the framework of policies, technologies, and processes that ensure appropriate and secure access to an organization's resources. It involves managing user identities, their authentication, and their authorized access to systems, applications, and data. IAM aims to strike a balance between security and usability by granting the right level of access to the right individuals at the right time. It encompasses activities such as user provisioning, role-based access control, authentication mechanisms like multi-factor authentication, and managing user lifecycle events, such as onboarding and offboarding. Overall, IAM plays a crucial role in protecting sensitive information, preventing unauthorized access, and maintaining compliance with security and regulatory requirements.

Security Assessment & Testing - 12%

Security assessment and testing is an important aspect of the CISSP exam, focusing on the evaluation of security controls, identifying vulnerabilities, and assessing risks. It involves thorough planning to define the assessment's scope, objectives, and methodology. A vulnerability assessment is conducted to identify weaknesses in systems and infrastructure through automated tools and manual inspection. Penetration testing takes it a step further by attempting to exploit identified vulnerabilities to simulate real-world attacks. The ultimate goal is to ensure the effectiveness of security measures, enhance resilience against potential threats, and support risk mitigation strategies.

Security Operations - 13%

Security operations focus on the day-to-day activities involved in safeguarding an organization's assets and responding to security incidents. It encompasses incident management, where procedures are established to detect, report, and respond to security incidents. This includes incident classification, containment, eradication, and recovery, aiming to minimize the impact of incidents and restore normal operations. Security operations also involve continuous monitoring of systems and networks, including log analysis, threat intelligence, and vulnerability management, to identify and mitigate potential security threats. Lastly, security operations encompass the implementation and maintenance of security controls, such as access control, encryption, and security awareness training, to protect against unauthorized access and ensure compliance with security policies.

Software Development Security - 11%

Software development security is a critical domain within CISSP (and my weakest topic). It focuses on integrating security into the software development life cycle (SDLC) to build secure, resilient applications: security requirements, controls, and best practices are applied throughout development rather than bolted on at the end. Key aspects include secure coding practices, secure configuration management, and vulnerability management. The goal is to find and fix software vulnerabilities before they can be exploited, protecting against unauthorized access, data breaches, and many other risks.

You don't need to be a subject matter expert on all of these domains but you must feel comfortable in all of them before taking the exam or your weakest subject could be your downfall during the assessment.

Day of Exam

My exam was taken through a Pearson Vue testing center at a local college in South Dakota; there is no remote testing available. Honestly, the day leading up to the exam was quite nerve-racking, and the classic cramming technique that I employed throughout my schooling went into effect that morning.

Once I arrived, I signed in, showed my two IDs, did my palm scan, and started the test. I think the most important piece of information I can leave you with about the test is that it uses a Computerized Adaptive Testing (CAT) format: after each response, the scoring algorithm re-estimates your ability from the difficulty of the items you have seen and how you answered them, then picks the next item accordingly. The exam allowed 4 hours and presented a minimum of 125 items and a maximum of 175. Passing is a scaled score of 700 out of 1,000, not a number of questions answered; the exam can stop at 125 items only when the algorithm is already confident you are above or below the passing standard, and otherwise continues toward 175. (ISC)² adjusts the exam length periodically, so check the current format before you book. Then, once the exam was over, I signed out and palm scanned once more to confirm the person leaving was the same person who entered. Finally, a printout was handed to me on my way out containing my pass or fail result.

Lessons Learned

I think the hardest domain for me on that exam was Software Development Security. Once you take your practice tests, identify your 3 weakest domains and hammer on them by reading, taking notes, or retaking the practice tests until you feel comfortable with the material. As I said, you're not trying to be a subject matter expert per se, but you want to be as competent in all the domains as possible.

The test questions aren't always clear-cut either. Nearly all of the items are four-option multiple choice, and every option can be plausible or partially correct; your job is to select the MOST correct one, paying close attention to qualifiers such as "most effective", "best", "first", or "primary".

For example:

Question: Which of the following is the most effective control for mitigating the risk of unauthorized access to a network?

A) Intrusion Detection System (IDS)
B) Firewall
C) Multi-factor authentication (MFA)
D) Access Control Lists (ACLs)

Answer: C) Multi-Factor Authentication (MFA)

All four options help mitigate unauthorized access, but the question hinges on verifying who is connecting. An IDS only detects and alerts after the fact; a firewall and ACLs filter traffic by address, port, or protocol but do not verify the identity of whoever sits behind an allowed address; MFA directly addresses stolen or guessed credentials, a common path to unauthorized access, which is why it is the best answer. On the real exam, the qualifier in the question is what decides between several true-sounding answers.

Conclusion

I honestly can't believe I passed that exam. It felt so good since I wasn't the greatest test taker. I believe the weekly training sessions and all the hard work from college led to everything coming together for me to pass that test. I just want to thank my team at CAPITAL Services for being so encouraging, supportive, and helpful on my journey to becoming a CISSP Associate and soon-to-be certificate holder as my career progresses to meet those requirements.

Hopefully, this post helped you in your journey to obtaining your own CISSP certification! Thanks for reading!