Wednesday, April 1, 2009

Changes to the CISSP Exam

The CISSP exam is getting better at mapping to the needs of the industry and keeping up with where the changes are taking place in technology, methodologies, and practical security models. The exam has had a reputation of being out of date and covering things that we have not done in our industry since caveman days. I have been a critic of the exam on this issue, but I must admit that the exam is changing more quickly. This allows people who are studying for the exam to study topics and concepts that they will run into in their careers and will be required to understand.

One of the smaller changes that took place was that (ISC)2 changed the names of some of the CISSP Common Body of Knowledge (CBK) domains. While these names do map to some of the changes in the material within the CBK, this has caused some people to be confused about which study materials are currently available. The core of each domain has not changed. Some items have been added to some of the domains, which we will cover in this article.

The current domains in the CBK (Common Body of Knowledge) are listed below.

  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security

A common saying about the CISSP exam is that it is ‘a mile wide and an inch deep’. For the most part this is true, but I think in some topics the exam now goes at least six inches deep. Some of the topics are a bit odd, such as lock picking and extensive coverage of CCTV lenses, but I have great respect for most of the newer topics.

This is the first part of my new series about changes to the CISSP exam and tutorials on this new information. Below are some of the topics we will get into, as they pertain to each CISSP domain:

  • Information Security Risk Management
    • New – Security program and blueprints
    • New – Risk Models
  • Access Control
  • Cryptography
    • New – more block cipher modes and integrity controls
    • New – more attack types
  • Physical Security - Environmental
    • New – Light types, CCTV, lock picking, lock type
    • New – More focus on methodology and process
  • Application Security
    • New – more focus on methodology and process
    • New – web site and application security
    • New – more malware types and attack types
  • Business Continuity and Disaster Recovery Planning
    • New – more focus on methodology and process
  • Telecommunications and Network
    • New – 802.11 types and security
    • New – instant messaging
  • Operations Security
    • New - Vulnerability and Penetration Testing
    • New - Attack Types
    • New – Malware Control Types
  • Security Architecture and Design
    • New – enterprise architecture, building, maintaining, holistic security, security trust zones, Zachman Framework
    • New – less Orange Book and more Common Criteria
  • Legal, Regulations, Compliance and Investigation
    • New - types of Laws
    • New – focus on forensics and methodology

Source: Shon Harris’ CISSP Blog
