2012 CISSP Update Released by Transcender

March 14, 2012 at 8:27 am | Posted in CISSP, Transcender news, Vendor news | 7 Comments

Back in September and October, I wrote a few posts regarding the 2012 update to the CISSP exam. (If you missed them, see the post on part I of the changes here, and the post on part II of the changes here.) If you remember, there wasn’t a large amount of new content. Most of the changes simply move a subdomain from one domain to another or revise the wording of a subdomain.

With that said, we have now released a new version of our CISSP practice test that covers the 2012 Exam Guide. For these latest updates, we have taken the time to write new questions to ensure that you understand these topics. We have also moved the content according to the new Exam Guide. Finally, we have revised some of our old questions to better reflect the live exam experience.

We hope that you’ll take the time to study the explanations when studying for this exam. The explanations often go beyond the scope of the question itself to ensure that you fully understand the topics that you may see on the exam.

Keep in mind that we reference Shon Harris’ CISSP All-in-One Exam Guide, 5th Edition. Word is that a 6th Edition will be released at some point. When that occurs, we’ll be sure to update the reference list on the product so you can have a direct link to the new book.

Be sure to drop a comment here if you have any questions regarding this latest update!

-Robin

Transcender’s Cert-CISSP Practice Test: Now and 2012

October 31, 2011 at 8:45 am | Posted in CISSP | Leave a comment

Many of you have probably read the two-part blog post regarding the CISSP updates that are coming in January. Immediately following the post of the second part (here), I started receiving e-mails from customers asking me how they can get this recent update and the update in 2012. Most customers were concerned that they would not be able to get the 2012 updates if they purchased the product now. So I am going to explain what’s different about this version, and how to ensure that you can access these updates.

Current release

The current update for Transcender’s Cert-CISSP practice test (version 2.4.1) is complete, published, and available for purchase. If you previously purchased our Cert-CISSP practice test, and your product is still active, you are eligible to update to this new version at no extra cost. For the online practice test, the updates are performed automatically. If you have the download version or the CD-ROM edition, you will need to update using the update feature in our engine. (Please check our Customer FAQ for more details about the update feature.)

We added about 70 new questions. We also revised the references to point to the Fifth Edition of Shon Harris’ CISSP All-in-One Exam Guide.

Future releases

What about the coming updates in 2012? That update will be a revision of the current content. It will involve writing new questions to cover the new topics that I talked about in the two-part blog post. When complete, it will be version 2.5.1 (you can find your test version number in the “About” section of the test engine).

Please keep in mind that our online edition of the CISSP practice test, which is the least expensive option, only comes with a 30-day license. This means that if you purchase the online version NOW, your license will be expired by the time the next update is published (sometime in Q1 2012). However, if you purchase the download or CD-ROM versions, your license will enable you to update your product using the update feature once we release the 2012 updates. So purchasing the download or CD-ROM version is a better choice if you are not sure you can successfully pass the live exam before ISC2 releases its updates in 2012.

I hope this helps to clarify things a bit for you! Please keep the questions coming.

-Robin

The Transcender Team Explains the Coming CISSP Update – Part 2 of 2

October 21, 2011 at 1:37 pm | Posted in CISSP | 1 Comment

As many of you may have noted in Part I of this post (published in September; review it here), an update to the CISSP exam is scheduled for January 1, 2012. Make a quick visit to the ISC2 website, https://www.isc2.org/cib/Default.aspx, and you can download the newest Candidate Information Bulletin (CIB) for the CISSP. The CIB is a document that lists the knowledge areas that are covered in the exam. The CIB also contains candidate-focused information on the exam format, exam guidelines, and so on.

The 2012 update to CISSP covers 10 main Knowledge Areas (changes are in bold, red font):

  • Access Control
  • Telecommunications and Network Security
  • Information Security Governance and Risk Management
  • Software Development Security (formerly Application Development Security)
  • Cryptography
  • Security Architecture and Design
  • Security Operations (formerly Operations Security)
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations, and Compliance
  • Physical (Environmental) Security

What follows is a brief description of the changes to the last five Knowledge Areas (the first five are covered in my previous post). Please keep in mind that I am analyzing only the content of the CIB. I do not in any way have any inside knowledge about the new CISSP version that is coming in January aside from what is listed in the CIB. For each Knowledge area, I will be highlighting any changes in red. Changes include any new data or any data that is moved from one Knowledge Area, or subobjective, to another.

In the Security Architecture and Design Knowledge Area, there are still six subobjectives. Subobjective 5 has several small changes: the word application was changed to software, warehousing was added to the Database security area, and Distributed systems were added. Here are the new subobjectives for the Security Architecture and Design Knowledge Area (changes are in red and boldface font):

subobj 1 Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-Level Models)
subobj 2 Understand the components of information systems security evaluation models: product evaluation models (e.g., common criteria) and industry and international security implementation guidelines (e.g., PCI-DSS, ISO)
subobj 3 Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module)
subobj 4 Understand the vulnerabilities of security architectures: system (e.g., covert channels, state attacks, emanations) and technology and process integration (e.g., single point of failure, service oriented architecture)
subobj 5 Understand software and system vulnerabilities and threats: Web-based (e.g., XML, SAML, OWASP), Client-based (e.g., applets), Server-based (e.g., data flow control), Database security (e.g., inference, aggregation, data mining, warehousing), Distributed systems (e.g., cloud computing, grid computing, peer to peer)
subobj 6 Understand countermeasure principles (e.g., defense in depth)

In the Security Operations Knowledge area, there are still seven subobjectives. In Subobjective 2, the Personnel privacy and safety content has been removed. (This is now covered in the Physical Security Knowledge area.) In addition, the Asset management topic in Subobjective 2 has been expanded. In Subobjective 3, the Remediation topic has been expanded. Subobjective 4 has been reworded, but the rewording reflects no real topic change. Subobjective 6 has been edited slightly to include change management. Finally, subobjective 7 now includes system resilience. Here are the new subobjectives for the Security Operations Knowledge area (changes are in red and boldface font):

subobj 1 Understand security operations concepts: Need to know/least privilege, Separation of duties and responsibilities, Monitor special privileges (e.g., operators, administrators), Job rotation, Marking, handling, storing, and destroying of sensitive information, record retention
subobj 2 Employ resource protection: Media management, Asset management (e.g., equipment life cycle, software licensing)
subobj 3 Manage incident response: Detection, Response, Reporting, Recovery, Remediation and review (e.g., root cause analysis)
subobj 4 Implement preventative measures against attacks (e.g., malicious attacks, zero-day exploit, denial of service)
subobj 5 Implement and support patch and vulnerability management
subobj 6 Understand change and configuration management (e.g., versioning, baselining)
subobj 7 Understand system resilience and fault tolerance requirements

In the Business Continuity and Disaster Recovery Planning Knowledge area, there are now 5 subobjectives instead of 6. The Provide training subobjective is now part of Subobjective 4 (the Understand disaster recovery process subobjective). Subobjective 5 is slightly reworded: Exercise replaces the test and update topics. Here are the new subobjectives for the Business Continuity and Disaster Recovery Planning Knowledge area (changes are in red and boldface font):

subobj 1 Understand business continuity requirements: Develop and document project scope and plan
subobj 2 Conduct business impact analysis: Identify and prioritize critical business functions, Determine maximum tolerable downtime and other criteria, Assess exposure to outages (e.g., local, regional, global), Define recovery objectives
subobj 3 Develop a recovery strategy: Implement a backup storage strategy (e.g., offsite storage, electronic vaulting, tape rotation), Recovery site strategies
subobj 4 Understand disaster recovery process: Response, Personnel, Communications, Assessment, Restoration, Provide training
subobj 5 Exercise, assess, and maintain the plan (e.g., version control, distribution)

In the Legal, Regulations, Investigations, and Compliance Knowledge area, there are now 6 subobjectives, instead of 4. Subobjective 2 has been moved to this Knowledge area from the Information Security Governance and Risk Management Knowledge area. Subobjective 3 has been expanded to include roles and responsibilities. Subobjective 4 has been expanded to include Hardware/embedded device analysis. Subobjective 6 is completely new. Here are the new subobjectives for the Legal, Regulations, Investigations, and Compliance Knowledge area (changes are in red):

subobj 1 Understand legal issues that pertain to information security internationally: Computer crime, Licensing and intellectual property (e.g., copyright, trademark), Import/Export, Trans-border data flow, Privacy
subobj 2 Understand professional ethics: (ISC)2 Code of Professional Ethics, Support organization’s code of ethics.
subobj 3 Understand and support investigations: Policy, roles, and responsibilities (e.g., rules of engagement, authorization, scope), Incident handling and response, Evidence collection and handling (e.g., chain of custody, interviewing), Reporting and documenting
subobj 4 Understand forensic procedures: Media analysis, Network analysis, Software analysis, Hardware/embedded device analysis
subobj 5 Understand compliance requirements and procedures: Regulatory environment, Audits, Reporting
subobj 6 Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)

In the Physical (Environmental) Security Knowledge area, there are now 6 subobjectives, instead of 5. Subobjective 1 has only been slightly reworded. Subobjective 6 has been moved from the Operations Security Knowledge area. Here are the new subobjectives for the Physical (Environmental) Security Knowledge area (changes are in red):

subobj 1 Understand site and facility design considerations.
subobj 2 Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)
subobj 3 Support the implementation and operation of internal security (e.g., escort requirements/visitor control, keys and locks)
subobj 4 Support the implementation and operation of facilities security (e.g., technology convergence): Communications and server rooms, Restricted and work area security, Data center security, Utilities and Heating, Ventilation, and Air Conditioning (HVAC) considerations, Water issues (e.g., leakage, flooding), Fire prevention, detection, and suppression
subobj 5 Support the protection and securing of equipment
subobj 6 Understand personnel privacy and safety (e.g., duress, travel, monitoring)

Overall, these changes are fairly minor. The new topics reflect changes in the information security world, and any information security professional should already have experience in them. As for our Transcender practice test, you can expect an update in 2012. This update will mainly consist of the shuffling of existing practice questions. However, where truly new topics have been introduced, we will be adding questions to ensure that our customers understand these new topics.

In the interim, we have completed an update to our current CISSP offering (to be released in a couple of days). This update adds around 70 new questions to our practice test, still based on the 2011 CIB, and updates the reference to Shon Harris’ 5th Edition. Watch for this update early next week!

-Robin

The Transcender Team Explains the Coming CISSP Update – Part 1 of 2

September 16, 2011 at 3:03 pm | Posted in CISSP, CompTIA, Vendor news | 5 Comments

Well, 2011 is more than halfway done, and my world has revolved around all things CompTIA. Between Windows 7 updates for the A+ exams and a new Security+ exam, I have had little time to focus on anything else. But the CISSP certification has been on my mind, mainly because I was already working on security topics for the Security+. So immediately after completing our new Security+ (SY0-301) practice test development, I began updating our CISSP practice test. This update will focus on expanding the explanations for our items, writing new items on new content, and editing existing references to cover the All-In-One CISSP Exam Guide, Fifth Edition.

The latest news is that an update to the CISSP exam is scheduled for January 1, 2012. Make a quick visit to the ISC2 website, https://www.isc2.org/cib/Default.aspx, and you can download the newest Candidate Information Bulletin (CIB) for the CISSP. The CIB is a document that lists the knowledge areas that are covered in the exam. The CIB also contains candidate-focused information on the exam format, exam guidelines, and so on.

After downloading and reviewing the CIB, I realized our students (you) would probably appreciate an explanation of the changes that I noted. So what follows is a brief description of the changes. Please keep in mind that I am strictly analyzing the content of the CIB. I do not in any way have any inside knowledge about the new CISSP version that is coming in January aside from what is listed in the CIB. For each Knowledge area, I will be highlighting any changes in red. Changes include any new data or any data that is moved from one Knowledge Area, or subobjective, to another.

As always, the 2012 update to CISSP covers 10 main Knowledge Areas (changes are in bold, red font):

  • Access Control
  • Telecommunications and Network Security
  • Information Security Governance and Risk Management
  • Software Development Security (formerly Application Development Security)
  • Cryptography
  • Security Architecture and Design
  • Security Operations (formerly Operations Security)
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations, and Compliance
  • Physical (Environmental) Security

I will analyze the first five Knowledge Areas in this post. In the coming weeks, I will analyze the second five Knowledge Areas.

In the Access Control Knowledge Area, there are now four subobjectives instead of three. Subobjective 4 is completely new. Here are the new subobjectives for the Access Control Knowledge Area (changes are in red and boldface font):

subobj 1 Control access by applying the following concepts/methodologies/techniques: policies, types of controls (preventative, detective, corrective, etc.), techniques (e.g., non-discretionary, discretionary, and mandatory), identification and authentication, decentralized/distributed access control techniques, authorization mechanisms, and logging and monitoring.
subobj 2 Understand access control attacks: threat modeling, asset valuation, vulnerability analysis, access aggregation
subobj 3 Assess effectiveness of access controls: user entitlement, access review and audit
subobj 4 Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)

In the Telecommunications and Network Security Knowledge area, there are now four subobjectives instead of three. The former first subobjective for this Knowledge area, Establish secure data communications, is now included as part of subobjective 3. Here are the new subobjectives for the Telecommunications and Network Security Knowledge area (changes are in red and boldface font):

subobj 1 Understand secure network architecture and design (e.g., IP and non-IP protocols, segmentation): OSI and TCP/IP models, IP networking, implications of multi-layer protocols
subobj 2 Securing network components: hardware (e.g., modems, switches, routers, wireless access points), transmission media (e.g., wired, wireless, fiber), network access control devices (e.g., firewalls, proxies), end-point security
subobj 3 Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN): voice (e.g., POTS, PBX, VoIP), multimedia collaboration (e.g., remote meeting technology, instant messaging), remote access (e.g., screen scraper, virtual application/desktop, telecommuting), data communications
subobj 4 Understand network attacks (e.g., DDoS, spoofing)

In the Information Security Governance and Risk Management Knowledge area, there are now 10 subobjectives instead of 14. The Support certification and accreditation subobjective was completely deleted. The Develop and implement information security strategies and Assess the completeness and effectiveness of the security program subobjectives are now part of the Manage the security function subobjective. Finally, the professional ethics subobjective has been moved to the Legal, Regulations, Investigations, and Compliance Knowledge area. While subobjectives 5 and 6 may at first appear new, they are actually just existing subobjectives that have been reworded. Here are the new subobjectives for the Information Security Governance and Risk Management Knowledge area (changes are in red and boldface font):

subobj 1 Understand and align security function to goals, mission, and objectives of the organization.
subobj 2 Understand and apply security governance: organizational processes (e.g., acquisitions, divestitures, governance committee), security roles and responsibilities, legislative and regulatory compliance, privacy requirements compliance, control frameworks, due care, and due diligence.
subobj 3 Understand and apply concepts of confidentiality, integrity, and availability.
subobj 4 Develop and implement security policy: security policies, standards/baselines, procedures, guidelines, and documentation.
subobj 5 Manage the information life cycle (e.g., classification, categorization, and ownership)
subobj 6 Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)
subobj 7 Understand and apply risk management concepts: identify threats and vulnerabilities, risk assessment/analysis (qualitative, quantitative, hybrid), risk assignment/acceptance, countermeasure selection, tangible and intangible asset valuation
subobj 8 Manage personnel security: employment candidate screening (e.g., reference checks, education verification), employment agreements and policies, employee termination processes, and vendor, consultant, and contractor controls.
subobj 9 Develop and manage security education, training, and awareness.
subobj 10 Manage the security function: budget, metrics, resources, develop and implement information security strategies, assess the completeness and effectiveness of the security program

In the Software Development Security Knowledge area, the same subobjectives are listed, but within each subobjective there are some minor changes. For subobjective 1, risk analysis was removed. For subobjective 3, the tools for assessing the effectiveness of software security are no longer listed. Here are the new subobjectives for the Software Development Security Knowledge area (changes are in red):

subobj 1 Understand and apply security in the system life cycle: Development Life Cycle, Maturity models, Operation and maintenance, and Change management.
subobj 2 Understand the environment and security controls: security of the software environment, security issues of programming languages, security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor), and configuration management.
subobj 3 Assess the effectiveness of software security

In the Cryptography Knowledge area, a new subobjective has been added and two subobjectives have been minimally revised. Here are the new subobjectives for the Cryptography Knowledge area (changes are in red):

subobj 1 Understand the application and use of cryptography: data at rest (e.g., hard drive) and data in transit (e.g., “on the wire”).
subobj 2 Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithms/protocol governance)
subobj 3 Understand encryption concepts: foundational concepts, symmetric cryptography, asymmetric cryptography, hybrid cryptography, message digests, and hashing.
subobj 4 Understand key management process: creation/distribution, storage/destruction, recovery, and key escrow.
subobj 5 Understand digital signatures.
subobj 6 Understand non-repudiation.
subobj 7 Understand methods of cryptanalytic attacks: chosen plain-text, social engineering for key discovery, brute force (e.g., rainbow tables, specialized/scalable architecture), cipher-text only, known plaintext, frequency analysis, chosen cipher-text, and implementation attacks.
subobj 8 Use cryptography to maintain network security.
subobj 9 Use cryptography to maintain application security.
subobj 10 Understand Public Key Infrastructure (PKI).
subobj 11 Understand certificate-related issues.
subobj 12 Understand information hiding alternatives (e.g., steganography, watermarking).

Watch in the coming weeks for the second half of this post that covers the other Knowledge areas. During that post, I will explain how these changes may affect your studying habits and what it all means for our Transcender practice test.

-Robin
