This was my exam game plan: (Don’t forget to take notes)
This CISSP exam was really hard (frustrating), as you won’t be knowing that the chosen answer is correct or not during the exam. Because you will be choosing best possible answer for any given question. You will find very (far) less number of direct question (You are damn sure that your answer is correct) and most of the question will be scenario based questions (where you will be applying below logics & ideas). You may be wondering how on the earth you came up with this plan before even appearing for this exam. Well, I’ve appeared for CSSLP last year and spend almost 300$ in practice questions. However I’ve not seen any single question from those practice questions in the actual exam. So this time, I didn’t spend money on practice question and I know what ISC2 is expecting you to understand from this certification. I hope that I’ve answered your question. So lets get started.
I’ve bought the below mentioned three books and I have read the “CISSP Study Guide By Eric Conrad” completely and took notes for the last minute revision. Also I’ve used the official book as reference as needed basis. I’ve used the “Eleventh Hour CISSP” book as last minute brush-up on all the CISSP exam topics.
- Official ISC2 CISSP Book, 4th Edition
- CISSP Study Guide By Eric Conrad
- Eleventh Hour CISSP: Study Guide
Key points to remember & pass this exam successfully:
1. Understand the core concepts
- Confidentiality, Integrity, Availability, Need to know, Least privilege & Layered defense
- Identity, Authorization, Accountability & Auditing
- Confusion, Diffusion, Entrapment, Entitlement, Enticement, Due care & Due diligence
- ISO 27XXX, 9XXX, 15XXX series usage (No need to know in detail)
2. Understand the below topics very clearly
- Access controls, Cryptography, BCP/DRP, Change Management & Configuration management, Asset management (Who is responsible for which Job function & what controls are being used or utilized in that specific area)
- Difference b/w Change Management & Configuration Management – http://www.pmchamp.com/configuration-management-system-change-management-system/
3. Protocols & related stuffs
- Basically all of them – PPP, CHAP, IPSec (AH, ESP), SSL, TLS, federated Identity, SAML & etcetera and also make sure you know about what it supports in the above mentioned core concepts (what it offers n doesn’t offer from the core concept)
4. Application security – This is what I do for living – So I didn’t spend much time on this topic. However OWASP TOP 10 & SANS 25 will help you to understand this domain.
5. Security Models – Bell LaPadula, Biba, Brewer-Nash, Clark Wilson, Lippner and etcetera (Again – what it offers n doesn’t offer from the core concept)
6. Last minute prep:
- Eric Conrad 11th hour study guide
- Cheat Sheet (thanks to Maarten & Christian)
7. Finally, on the day of exam:
- Read answers (multiple choices) from the bottom (basically you need to read all the choices try to fit them into the core concepts and then select the best answer), so that you will not tempted to select the first choice.
- Always prefer two(multi)-factor over single factor authentication, Layered defense over single defense control
- Always report the issue to (business, vertical, department or CEO) owner before fixing or with fixing that issue
- Human safety is most important than anything else
- Always follow the policies, governance, standards & best practice
- Prefer Elliptic curve security in Mobile device (Smart card & Any handheld device)
- Think like a management person not a developer
- Don’t forget to take some snacks & a bottle of water (you are allowed to take multiple breaks, however your exam will not be paused.)
Practice test: (Just to get an idea about the exam & test your knowledge on the core concepts, as I mentioned in the beginning of this article that you won’t find any of these questions in the exam)
- Go through the question in each domain from the official book