The current IT job market can hardly be called interesting or diverse. Even so, you can still come across job postings that require candidates to hold a CISSP certificate. This certification is the de facto standard in the West; our employee Sergei Polunin shares how to obtain it in Russia.
The decision to get the CISSP came in 2017, when it became obvious that the professional certificates of the major vendors had finally stopped fulfilling their main function: confirming a specialist's knowledge and experience. The reasons are brain dumps, the overall level of the test questions, the bad faith of some test centers, and many other factors, objective and otherwise.
I have always treated the process of obtaining certificates as an opportunity to improve my knowledge of the product or technology in question. There is no better way to fill gaps in your education than to take the guide written by a guru and read it cover to cover while doing the exercises. And so it was for a while, until the official guides began to slide into "press the button in the upper right corner to make it work," plus outright advertising. The situation is no better in most training centers, but that is a completely different story.
What to do?
Besides vendor certificates, there are vendor-independent certification schemes, which I recommend to specialists who have not given up on the idea of self-directed development and professional growth.
I already had experience with a similar exam in 2010, when I passed CompTIA Security+. This is a very good option for a beginner to assess their level and even broaden their horizons on some topics. CompTIA Security+ is a blitz of 90 questions in 90 minutes. The exam, by the way, has been updated regularly since 2006 and to this day covers current trends in information security.
So you decided to become CISSP
Certified Information Systems Security Professional is a vendor-independent information security certification from an organization called the International Information Systems Security Certification Consortium, (ISC)². This is a non-profit international organization for the testing and certification of information security specialists.
This certification appeared back in 1991 and is intended for consultants, architects and analysts in the field of information security.
CISSP, as you can guess, is among the highest certifications in the field of information security.
There are also CISA (information systems auditor) and CISM (information security manager), but those are a different story.
So, the decision is made; we start looking for preparation materials and find several sources:
First, the official guide "CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide" by James M. Stewart, Mike Chapple and Darril Gibson:
This is the book I used. There is also an Android / iOS application with a practice exam. These are not dumps, but they let you get a feel for the logic of the questions.
Second, the CISSP All-in-One Exam Guide, Shon Harris:
This is an unofficial guide, somewhat larger and, subjectively, harder to read.
Third, there is the small book "Eleventh Hour CISSP: Study Guide" by Eric Conrad, Joshua Feldman and Seth Misenar:
This is just over 200 pages, which is very good to read right before the exam to refresh what you have studied.
And besides these, there are endless mind maps, notes and slides from those who are taking or have taken the exam.
The main thing an experienced specialist gets from these books is getting the terminology straight. What is the difference between Preventive and Deterrent? What is ALE? How does it relate to ARO and EF? What is the difference between due care and due diligence? Such questions should disappear in the course of reading.
Time to remind you that all the books are, of course, in English, and the exam in general assumes you have 5 years of paid experience in information security in two or more domains (see below). It is unlikely that, with that experience, you will be unable to get through 1000+ pages in English.
These five years, by the way, can be reduced by 1 year if you have a specialized degree in information security or some relevant certificate (yes, even the same CompTIA Security+ or MCSE; I have both, but they still only count for 1 year).
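As an added illustration of the ALE, ARO and EF relationship from domain 1 (not code from the original post), here is the quantitative risk calculation the exam expects, extended to the cost/benefit test of a safeguard; the asset value, exposure factors, rates and control cost are constructed sample figures.

```python
"""Quantitative risk analysis as taught for CISSP domain 1 (Security and Risk
Management).  Added illustration; all monetary values below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (SLE = AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (ALE = SLE * ARO)."""
        return self.sle() * self.aro


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE(before) - ALE(after) - annual cost of safeguard.
    A positive result means the control pays for itself in purely monetary terms."""
    return before.ale() - after.ale() - annual_cost


# Constructed scenario: a file server valued at 200,000; a ransomware incident
# destroys 60% of its value and is expected about once every two years (ARO = 0.5).
FILE_SERVER = Risk(asset_value=200_000, exposure_factor=0.6, aro=0.5)

# Constructed control: offline backups with tested restores cut the EF to 10%.
# ARO is unchanged: backups do not prevent the incident, they limit the damage.
WITH_BACKUPS = Risk(asset_value=200_000, exposure_factor=0.1, aro=0.5)
BACKUP_ANNUAL_COST = 15_000


if __name__ == "__main__":
    print(f"SLE before control: {FILE_SERVER.sle():,.0f}")
    print(f"ALE before control: {FILE_SERVER.ale():,.0f}")
    print(f"ALE with backups:   {WITH_BACKUPS.ale():,.0f}")
    value = safeguard_value(FILE_SERVER, WITH_BACKUPS, BACKUP_ANNUAL_COST)
    print(f"Annual value of the safeguard: {value:,.0f}")
```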
Now about the domains. All questions are divided into eight domains, i.e. areas:
1. Security and Risk Management (Information Security Risk Management)
This module covers the main theoretical foundations of information security: security models such as Biba, Clark-Wilson and Bell-LaPadula, the information security triad, risk analysis and management, and approaches to information security management. Professional ethics and legislation are also touched upon.
2. Asset Security
This domain is about assets or, more specifically, about data. Main topics: data management, classification, data owners, roles, access control, data storage and destruction.
3. Security Architecture and Engineering (Engineering and Architectural Security)
This is apparently the broadest domain in terms of topics: it covers physical security (alarms, barriers, fire suppression, etc.), cryptography, specific technical solutions, and even the architectural features of various access models and their implementation.
4. Communication and Network Security
Probably the most practical and understandable domain, where you have to remember SSL, TLS, HMAC, S-RPC, EAP, etc. If data is transmitted over a network, there is a question about it in this domain.
5. Identity and Access Management
Here are all the questions about system users and their credentials. We recall how authorization differs from authentication, and both from identification. Then we work out what the account management lifecycle looks like and how two-factor authentication can help us.
6. Security Assessment and Testing
This domain deals with practical security testing. Why do we need security scanners? Who is OWASP? What are the consequences of a pentest without the information owner's authorization?
7. Security Operations
This is the most boring of all the domains, dealing with the practical aspects of an information security department's daily routine: incident investigation, request handling, media labeling, separation of duties and privileges, change management, etc.
8. Software Development Security (Security Software Development)
This domain looks somewhat alien because it covers things like SDLC, PERT, Agile and other software development models. But in fact a CISSP should be competent in all aspects of information security, so you will need to understand this too. No specific programming skills are required here, but who knows what you will have to do one day.
To some extent I was lucky: I am genuinely interested in my profession, and most of the topics raised no additional questions, except perhaps the last domain. There is nothing difficult in it; I just had not come across it in practice.
Register for the exam
The exam is taken in the well-known Pearson VUE testing system, where Cisco and Microsoft exams are also taken. The catch, however, is that not every test center offers this exam. In St. Petersburg, for example, there is only one such center. The reason is that test centers offering the CISSP exam face stricter requirements than usual. For example, check-in at the test center requires biometric identification by palm vein pattern, and the test center must have the corresponding equipment.
You cannot take anything with you into the exam, except necessary medications and perhaps something to eat. But do not forget to bring an identity document.
On the exam
On the appointed day we come to the test center, go through the formalities and sit down at the computer. The test consists of 250 questions across all domains. It takes 6 hours, with no breaks. Moreover, there are practically no questions testing knowledge of concepts, facts or definitions. Most questions test knowledge of best practices, methodologies and standards. That is, a question may have answers that are all logically correct, but only one matches the standard. For example, if one of the answers says something about "ensuring the physical safety of people", that answer is always the right one.
I finished in about 3.5 hours, which is quite good, because after two hours of hard work attention slowly drifts and logic stops working. On the other hand, common sense and experience kick in, which let you sift out obviously wrong answers and choose the most accurate of the rest.
So, we get to the last question, click "Finish" and finally... nothing actually happens. You have to go to the test center administrator, who issues a printout with congratulations. Or with a notice that the exam was not passed and you have to pay $699 again for another attempt. If the exam is not passed, the printout shows how many points you scored and how many you were short.
I passed on the first try, and preparation took about three months. I had read endless stories about people taking this exam 3-4 times and was mentally prepared for the same scenario. However, everything turned out to be simpler; apparently it is for good reason that actual work experience is among the requirements.
My disappointment with the "complexity" of this exam was shared by several foreign colleagues, each for their own reason: some were upset by the simplicity of the exam (so much time spent getting acquainted with international law, GDPR and amendments to the US Constitution, and only 3 questions on the subject), others by its detachment from real life (not a single lab exercise!).
But that is not the essence of the exam. It is intended to be "a mile wide and an inch deep". The candidate must show a broad outlook on the subject, and also understand which business processes stand behind the checkboxes in Active Directory settings and which policies the routing tables implement. A CISSP should love the process approach and start thinking like a manager, in the good sense of the word.
What's next
So, the exam is passed and you have become a CISSP (ha ha, actually no). Now your experience must be endorsed by someone who is an active CISSP. This may be a colleague, a friend or even a complete stranger; nowhere in the rules does it say what relationship you should have with them.
Next, you must accept the (ISC)² code of ethics (https://www.isc2.org/Ethics), wait for another confirmation letter and finally get the coveted status. In fact, only for a year. The thing is that CISSP status must be renewed every year. You do not have to retake the exam; instead, the CPE (Continuing Professional Education) mechanism applies. To keep CISSP status, you must participate in the life of the information security community: write articles, take part in events, give lectures, self-educate or, at worst, listen to thematic podcasts. Points are awarded for each type of activity. You need to collect at least 40 per year. Only then is the status extended.
What is wrong?
It quickly turns out that only you and a couple of colleagues know that CISSP exists. These cryptic letters do not appear in job postings, unless of course it is a foreign company, where CISSP is often a prerequisite for an interview invitation. This is neither good nor bad; it is the reality of the Russian information security market. We have no comparable certifications of our own, and the only relevant document is a higher-education diploma in information security.
Meanwhile, the prestige of the profession is gradually falling: applicants prefer more promoted and socially attractive specialties, and university graduates who come to interviews increasingly cannot articulate what exactly they have been doing for the last 5 years at their alma mater.
The paradox is that the number of certified CISSP, CISA and CISM holders in the Russian Federation is gradually growing, which means all is not lost.
Sergey's blog in English can be read here.