March 9, 2017 | Luke Ahmed
More than helping folks pass their CISSP, I like reading about their study experiences after passing the exam even more!
Here is a collection of some great quotes from those who already cracked their CISSP and shared their experience!
The key to passing this exam is 2 things: 1) how bad you want it, and 2) the force behind you (your wife/husband, your family, your
sons/daughters, your friends, love, a better position, a rise in salary, a better world….the list can go on and on…you have to find
Well, there’s one thing in this world that has the ability to change our whole life in an instant. It’s action. The secret to getting ahead
in this world is first getting started. This is my first tip for you: MAKE A REAL DECISION! It’s not a half decision, a more or less
decision. You need to have a different mindset for this test. My second tip: Schedule your exam right now. Believe me, you will
begin to take your studies seriously when you schedule your exam – How Matheus Cracked His CISSP Exam
Inter-domain knowledge is a must. In the scenario-based questions they may include more than one domain. – How Amit K. Cracked
As others mentioned, the first 15-30 minutes or so was the most stressful as you will begin to get acquainted with what you are
expected to do. Then if you are well prepared you will begin to see the pattern. It’s an exam that will make you discover things that
you would not have been able to tackle without the intense reading, note-taking and practicing. It’s really an exam that tests your limits
in terms of knowledge, management of time and common sense as a manager. – How Irshaad Cracked His CISSP Exam
You will be able to eliminate 2 options easily; selecting the correct answer of the last 2 would depend on your comprehensive skills
of understanding the question and how fast you recollect the asked topic – How Viral Cracked His CISSP Exam
CISSP is the COMMON LANGUAGE which security folks speak throughout the world! And the easiest method to learn any
language easily, is to surround yourself with it. – How Mohammad R. Cracked His CISSP Exam
I referenced many question banks and did almost 6000+ questions, and it was not only clicking the question and seeing the answer
right or wrong, but I used to read the explanation even if I chose the right answer, because once you read the explanation your concept
becomes concrete, and if it’s wrong then it will become a beacon of information for that concept. – How Rahat Cracked His CISSP
Exam
I read the CBK in full, Sybex about half, Cybrary videos, 1 boot camp, then some online searches and a few units from here and there, around
2500 questions from CCCure and another 3000 probably from other sources, review questions from books + Eric’s book – How Mudit
I would recommend that you schedule your exam on a Monday or Tuesday. Take Friday and Monday off to tie up loose ends that
you are still shaky on, watch Kelly’s video, and maybe take one more practice exam. But be careful – a solid practice exam will take
a lot out of you, so do it at least 48 hours before your real exam to rest appropriately – How Claudia Cracked Her CISSP Exam!
Advice: Don’t fear the exam. If you have learned the basic concept you can pass. Don’t spend time in memorizing the numbers
The week before the exam I took the week off from work. I reviewed the chapter summaries and did the end of chapter exams in
Shon’s book. Of course this helped me to see what my weak areas were so I’d then reread those sections of the chapter. I also used
this time to take one or two 250-question practice exams each day. This was useful for me to know that I can sit for hours for a full
exam. Typically I was completing these full practice exams in 2 to 3 hours. Of course any questions I got wrong meant it was an area
All tests are different, so I do not think there is any magic idea of what to make sure you know. Study all of the domains, understand
them, and remember you will need to apply the knowledge when answering questions. I recommend doing the practice tests and try
to be proficient in each domain. I was scoring about 80% average on most of the domains except my weakest (Security Engineering)
which I was scoring about 70-75% – How Lisa Cracked Her CISSP Exam!
I would recommend covering all 8 domains. There are no top 4 domains. You need to make sure you have practiced at least 3
tests of 6 hours before facing the real exam; otherwise the exam will be very exhausting for you – How Parvez Cracked His CISSP Exam
I started my preparation around mid-December and took almost four months to clear the exam. The exam is all about 50%
preparation and the rest your day-to-day experience in security domains, some logical thinking, strategies during the exam and your
temperament. I practiced almost 6000+ questions, but the real exam was completely different. Practice helped me in understanding and
retaining the concepts and so important – How Ajeet Cracked His CISSP Exam
Pick a book. Be loyal. Read it end-to-end. Do NOT skip any pages: Like most people, I’d always think it’d be nice if there was just
one book that I could study end-to-end to clear the exam. The answer is “Yes, there is one book – ANY BOOK.” All the authors out
there are very knowledgeable people who have put in years of research and study into their “copyrighted” works. The answer you
must seek is which author’s style suits you best. To get an idea about that, just pick a random topic – Kerberos, for example – and
read it from all the options available. Whichever option suits you best, read it. But be advised, the universe judges your loyalty
Kelly does an excellent job by the way. After completing the reading I would keep logs in a book of my quiz results so I could go
back and KNOW where I stood with a given domain. I then read Eric’s 11th Hour (10 domain format) and listened to his podcasts.
While reading the 11th Hour I joined a Facebook group called “CISSP Study and Theory” and would answer questions others posted
as well as post my own. This gave me confidence to schedule the test and a general idea of where I stood (knowledge wise)
compared to those who have passed, and others who plan on testing soon – How Robert Cracked His CISSP Exam
After you complete your readings/videos, download quick notes of any kind. Sunflower, CCCure notes, whatever. Read it. Try to
mark all definitions unknown to you. Drill into these words (techs, practices, laws, processes, etc.). For success, you should not have
unknown definitions. You should want to know what the meaning of this thing and this thing is. What are the cons and pros of this
thing? What is better, thing1 or thing2? Why? – How Oleg Cracked His CISSP Exam
As many have already said, don’t waste time learning lists. You probably won’t see any. Learn the concept. Think of the answer that
fixes the problem permanently, and not temporarily. Pay attention to the MOST, FIRST verbiage in the questions, and keep a
managerial perspective. Every decision must be based on RISK MANAGEMENT. Read the question, read the question and then re-
read it. Try and learn what is the best and worst of something and why. E.g. what is the best symmetric encryption, what is the worst.
Last but not least, I am very thankful to Study Notes and Theory for this platform and for all the posts he puts up summarizing the
hard to understand topics, and to Ahmed for the wonderful WhatsApp group he manages. You guys played a major role in helping me
make the right choices throughout this journey – How Mohammed Cracked His CISSP Exam
CISSP is a conceptual exam that needs a reasonable, prudent guy with a managerial mindset. CISSP candidates need to build their
mentality around the following general bullet points and apply them to each and every domain. The list is by no means a full list; you are
kindly asked to add your comments, or debate and contradict those listed, so as to build a more solid mindset for the exam and the
The list below is written by me from my humble experience in info. sec and the CISSP study guides and expert inputs and ideas:
- Security can never and should never preempt safety. People are the most important asset in your organization.
- Info. sec people are not the ultimate decision-makers; it suits them accurately to be described as reflectors who can represent their
- Senior management on the other side are ultimately responsible for approving, steering and overseeing security projects within their
corporation.
- Security people should always be prudent, take initiatives and see what other people can’t see.
- Your organization is not here merely to invest in security; it is in the market ONLY to make profit, and security is just another function
subject to ROI calculations. So your controls need to be evaluated against these ROI calculations, so that only the most cost-effective
controls are selected.
- Security is all about maintaining the CIA triad; threats/risks against this triad should be assessed all the way down the security
journey.
- Security is a PROGRAM which is broken into PROJECTS. You cannot treat security as merely a project.
- Your internal staff is the deadliest threat to your security; be aware of them.
- There’s NO way you can totally eliminate risk; you will do your best efforts to mitigate it in the most cost-effective manner.
- Be it a technical control or a physical control, building those controls around defense-in-depth methodologies is always the best thing
- You cannot install a firewall in your back server room and call it a day: “we’re safe now”. Planning, planning, planning. A security
program without a plan is just a mess, an ad-hoc kind of thing, that leads only one way: to a false sense of security.
- Risk assessment is about identifying threats and vulnerabilities to determine appropriate security controls, while risk analysis
provides a cost/benefit comparison of security controls (this is where qualitative/quantitative concepts apply). However, only senior
- You can’t tell your senior management “we are facing XSS attacks on our infrastructure so we need an application layer 7 firewall”
- Every and any member of your organization is part of your security program umbrella (from the security guard up to the CEO).
- Relativity, as it applies to physics, also applies to info. sec. Security goals for military missions can’t be the same as those of
pizza restaurants. Also, the CIA triad is relative to each organization, e.g. military facilities care more about the “C” of the triad, while
finance and call centers care more about the triad’s “I” and “A” respectively, and so on.
- Security needs to be periodically (preferably annually) audited and refined. Sometimes your biggest enemy would be the “false sense
of security”.
- Training and awareness on security should be part of the security program and should never be underestimated.
- Compliance with the country’s laws and legislation surpasses those of the company.
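The bullets above on ROI and on risk analysis as a cost/benefit comparison of controls are the quantitative side of CISSP risk management. The following is an added example, not part of the original post or its author's material: it applies the standard quantitative formulas (SLE = AV × EF, ALE = SLE × ARO, net value of a control = ALE before − ALE after − annual cost of the control) to rank candidate safeguards and pick the most cost-effective one rather than the one that reduces loss the most. The asset value, exposure factors, occurrence rates and control costs are constructed sample numbers.

```python
"""Cost/benefit comparison of candidate security controls.

Added example; not part of the original post. It applies the standard
CISSP quantitative risk formulas (not stated on the page):
    SLE = AV * EF          single loss expectancy
    ALE = SLE * ARO        annualized loss expectancy
    value of a control = ALE(before) - ALE(after) - annual cost of the control
All asset values, exposure factors, rates and costs below are constructed
sample numbers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in quantitative terms."""
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0 .. 1.0)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual EF/ARO expected once it is in place."""
    name: str
    annual_cost: float      # purchase and maintenance cost spread over one year
    residual_ef: float
    residual_aro: float


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    return risk.asset_value * control.residual_ef * control.residual_aro


def control_value(risk: Risk, control: Control) -> float:
    """Annual benefit of the control net of its cost; negative means it costs more than it saves."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def rank_controls(risk: Risk, controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls ordered from most to least cost-effective, as (name, net value) pairs."""
    scored = [(c.name, control_value(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def select_control(risk: Risk, controls: List[Control]) -> Optional[str]:
    """Name of the most cost-effective control with a positive net value, or None
    when every candidate costs more than the loss it prevents (accept the risk)."""
    ranked = rank_controls(risk, controls)
    if not ranked or ranked[0][1] <= 0:
        return None
    return ranked[0][0]


# Constructed scenario: a file server whose data loss would cost 40% of its value,
# expected about once every two years.
FILE_SERVER_LOSS = Risk("file server data loss", asset_value=500_000.0,
                        exposure_factor=0.4, aro=0.5)

# Constructed candidate controls. The last one removes the loss entirely but is
# not worth its price; the first one leaves some loss but gives the best net value.
CANDIDATES = [
    Control("offsite backups", annual_cost=15_000.0, residual_ef=0.10, residual_aro=0.5),
    Control("hot site", annual_cost=90_000.0, residual_ef=0.02, residual_aro=0.5),
    Control("premium appliance", annual_cost=120_000.0, residual_ef=0.0, residual_aro=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {FILE_SERVER_LOSS.sle():,.0f}, ALE = {FILE_SERVER_LOSS.ale():,.0f}")
    for name, value in rank_controls(FILE_SERVER_LOSS, CANDIDATES):
        print(f"{name:20s} net annual value {value:>10,.0f}")
    print("selected:", select_control(FILE_SERVER_LOSS, CANDIDATES))
```

With these numbers the ALE is 100,000 per year; offsite backups net 60,000, the hot site nets 5,000, and the appliance loses 20,000 a year despite eliminating the loss, which is the "most cost-effective control, not the strongest control" point the bullets make.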
NIST Special Publication Documents Relevant to the CISSP CBK
SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
Types of Access Control
Access controls are necessary to protect the confidentiality, integrity, and availability of objects (and by extension, their information and data).
The term access control is used to describe a broad range of controls, from forcing a user to provide a valid username and password to log on to
preventing users from gaining access to a resource outside of their sphere of access.
Access controls can be divided into the following seven categories of function or purpose. You should notice that some security mechanisms can be
labeled with multiple function or purpose categories.
Preventative access control A preventative access control is deployed to stop unwanted or unauthorized activity from occurring. Examples of
preventative access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data
classification, penetration testing, access control methods, encryption, auditing, presence of security cameras or closed circuit television (CCTV),
smart cards, callback, security policies, security awareness training, and antivirus software.
Deterrent access control A deterrent access control is deployed to discourage the violation of security policies. A deterrent control picks up
where prevention leaves off. The deterrent doesn't stop with trying to prevent an action; instead, it goes further to exact consequences in the event
of an attempted or successful violation. Examples of deterrent access controls include locks, fences, security badges, security guards, mantraps,
security cameras, trespass or intrusion alarms, separation of duties, work task procedures, awareness training, encryption, auditing, and firewalls.
Detective access control A detective access control is deployed to discover unwanted or unauthorized activity. Often detective controls are
after-the-fact controls rather than real-time controls. Examples of detective access controls include security guards, guard dogs, motion detectors,
recording and reviewing of events seen by security cameras or CCTV, job rotation, mandatory vacations, audit trails, intrusion detection systems,
violation reports, honey pots, supervision and reviews of users, and incident investigations.
Corrective access control A corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has
occurred. Usually corrective controls have only a minimal capability to respond to access violations. Examples of corrective access controls include
intrusion detection systems, antivirus solutions, alarms, mantraps, business continuity planning, and security policies.
Recovery access control A recovery access control is deployed to repair or restore resources, functions, and capabilities after a violation of
security policies. Recovery controls have more advanced or complex capability to respond to access violations than a corrective access control. For
example, a recovery access control can repair damage as well as stop further damage. Examples of recovery access controls include backups and
restores, fault tolerant drive systems, server clustering, antivirus software, and database shadowing.
Compensation access control A compensation access control is deployed to provide various options to other existing controls to aid in the
enforcement and support of a security policy. Examples of compensation access controls include security policy, personnel supervision,
monitoring, and work task procedures.
Compensation controls can also be considered to be controls used in place of or instead of more desirable or damaging controls. For example, if a
guard dog cannot be used because of the proximity of a residential area, a motion detector with a spotlight and a barking sound playback device
can be used.
Directive access control A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage
compliance with security policies. Examples of directive access controls include security guards, guard dogs, security policy, posted notifications,
escape route exit signs, monitoring, supervising, work task procedures, and awareness training.
Access controls can be further categorized by how they are implemented. In this case, the categories are administrative, logical/technical, or
physical.
Administrative access controls Administrative access controls are the policies and procedures defined by an organization's security policy to
implement and enforce overall access control. Administrative access controls focus on two areas: personnel and business practices (i.e., people
and policies). Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classification,
security training, vacation history, reviews, work supervision, personnel controls, and testing.
Logical/technical access controls Logical access controls and technical access controls are the hardware or software mechanisms used to
manage access to resources and systems and provide protection for those resources and systems. Examples of logical or technical access controls
include encryption, smart cards, passwords, biometrics, constrained interfaces, access control lists (ACLs), protocols, firewalls, routers, intrusion
detection systems, and clipping levels.
Physical access controls Physical access controls are the physical barriers deployed to prevent direct contact with systems or portions of a
facility. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protections,
laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.
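Two of the logical/technical controls listed above can be shown in a few lines of code, and doing so also illustrates the function categories from the first half of this section. The following is an added example, not taken from the page or from any study guide: an access control list (a preventative control, default deny) and a clipping level over failed logons from an audit trail (a detective control, after the fact). The ACL entries, the user names, the audit log format and the log lines are all constructed sample data for this example.

```python
"""Two logical/technical access controls from the section above, as an added
example that is not taken from the page: an access control list acting as a
preventative control (default deny), and a clipping level over failed logons
acting as a detective control. The ACL entries and log lines are constructed
sample data; the log line format is an assumption of this example.
"""
import re
from collections import Counter
from typing import Dict, Iterator, List, Set, Tuple

# Constructed ACL: object -> subject -> permitted actions. Anything not listed is denied.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr/policies.pdf": {"alice": {"read"}, "bob": {"read"}, "carol": {"read"}},
}


def is_permitted(subject: str, obj: str, action: str, acl=ACL) -> bool:
    """Preventative control: allow only an explicitly granted (subject, object, action)."""
    return action in acl.get(obj, {}).get(subject, set())


# Clipping level: failed logons per user tolerated as ordinary mistakes (mistyped
# passwords). Only counts above this threshold are reported, which keeps the
# reviewer's attention on the cases that matter.
CLIPPING_LEVEL = 3

# Constructed sample audit trail (line format assumed by this example).
SAMPLE_LOG = """\
2017-03-09T08:00:01 LOGIN user=alice result=FAIL
2017-03-09T08:00:05 LOGIN user=alice result=OK
2017-03-09T08:01:10 LOGIN user=bob result=FAIL
2017-03-09T08:01:20 LOGIN user=bob result=FAIL
2017-03-09T08:01:33 LOGIN user=bob result=FAIL
2017-03-09T08:01:45 LOGIN user=bob result=OK
2017-03-09T08:02:00 LOGOUT user=alice
2017-03-09T08:05:00 LOGIN user=dave result=FAIL
2017-03-09T08:05:03 LOGIN user=dave result=FAIL
2017-03-09T08:05:06 LOGIN user=dave result=FAIL
2017-03-09T08:05:09 LOGIN user=dave result=FAIL
"""

LOGIN_RE = re.compile(r"^(\S+) LOGIN user=(\w+) result=(OK|FAIL)$")


def parse_logins(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (timestamp, user, result) for every LOGIN line; other lines are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def failed_logons(text: str) -> Counter:
    """Number of failed logons per user."""
    return Counter(user for _, user, result in parse_logins(text) if result == "FAIL")


def users_over_clipping_level(text: str, level: int = CLIPPING_LEVEL) -> List[Tuple[str, int]]:
    """Detective control: users whose failure count exceeds the clipping level, worst first."""
    hits = [(u, n) for u, n in failed_logons(text).items() if n > level]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    checks = [("alice", "payroll.db", "write"),
              ("bob", "payroll.db", "write"),
              ("carol", "payroll.db", "read")]
    for subj, obj, act in checks:
        verdict = "permit" if is_permitted(subj, obj, act) else "deny"
        print(f"{subj} {act} {obj}: {verdict}")
    print("over clipping level:", users_over_clipping_level(SAMPLE_LOG))
```

Note the two behaviours worth checking: the ACL denies anything not explicitly granted (carol has no entry for payroll.db, and an unknown object is denied for everyone), and a user sitting exactly at the clipping level (bob, with three failures) is not reported, while one above it (dave, with four) is.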