The Transcender Team Explains the Coming CISSP Update – Part 1 of 2

September 16, 2011 at 3:03 pm | Posted in CISSP, CompTIA, Vendor news | 5 Comments

Well, 2011 is more than halfway done, and my world has revolved around all things CompTIA. Between Windows 7 updates for the A+ exams and a new Security+ exam, I have had little time to focus on anything else. But the CISSP certification has been on my mind, mainly because I was already working on security topics for the Security+. So immediately after completing our new Security+ (SY0-301) practice test development, I began updating our CISSP practice test. This update will focus on expanding the explanations for our items, writing new items on new content, and editing existing references to cover the All-In-One CISSP Exam Guide, Fifth Edition.

The latest news is that an update to the CISSP exam is scheduled for January 1, 2012. Visit the ISC2 website at https://www.isc2.org/cib/Default.aspx and you can download the newest Candidate Information Bulletin (CIB) for the CISSP. The CIB lists the knowledge areas covered on the exam, and it also contains candidate-focused information on the exam format, exam guidelines, and so on.

After downloading and reviewing the CIB, I realized our students (you) would probably appreciate an explanation of the changes I noted, so what follows is a brief description of them. Please keep in mind that I am strictly analyzing the content of the CIB; I have no inside knowledge about the new CISSP version coming in January beyond what is listed there. For each Knowledge Area, I will highlight any changes in red. Changes include any new material and any material that has moved from one Knowledge Area, or subobjective, to another.

As always, the 2012 update to CISSP covers 10 main Knowledge Areas (changes are in bold, red font):

  • Access Control
  • Telecommunications and Network Security
  • Information Security Governance and Risk Management
  • Software Development Security (formerly Application Development Security)
  • Cryptography
  • Security Architecture and Design
  • Security Operations (formerly Operations Security)
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations, and Compliance
  • Physical (Environmental) Security

I will analyze the first five Knowledge Areas in this post. In the coming weeks, I will analyze the second five Knowledge Areas.

In the Access Control Knowledge Area, there are now four subobjectives instead of three. Subobjective 4 is completely new. Here are the new subobjectives for the Access Control Knowledge Area (changes are in red and boldface font):

subobj 1 Control access by applying the following concepts/methodologies/techniques: policies, types of controls (preventative, detective, corrective, etc.), techniques (e.g., non-discretionary, discretionary, and mandatory), identification and authentication, decentralized/distributed access control techniques, authorization mechanisms, and logging and monitoring.
subobj 2 Understand access control attacks: threat modeling, asset valuation, vulnerability analysis, access aggregation
subobj 3 Assess effectiveness of access controls: user entitlement, access review and audit
subobj 4 Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)

In the Telecommunications and Network Security Knowledge area, there are now four subobjectives instead of three. The old first subobjective, Establish secure data communications, has not disappeared; it is now folded into subobjective 3. Here are the new subobjectives for the Telecommunications and Network Security Knowledge area (changes are in red and boldface font):

subobj 1 Understand secure network architecture and design (e.g., IP and non-IP protocols, segmentation): OSI and TCP/IP models, IP networking, implications of multi-layer protocols
subobj 2 Securing network components: hardware (e.g., modems, switches, routers, wireless access points), transmission media (e.g., wired, wireless, fiber), network access control devices (e.g., firewalls, proxies), end-point security
subobj 3 Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN): voice (e.g., POTS, PBX, VoIP), multimedia collaboration (e.g., remote meeting technology, instant messaging), remote access (e.g., screen scraper, virtual application/desktop, telecommuting), data communications
subobj 4 Understand network attacks (e.g., DDoS, spoofing)

In the Information Security Governance and Risk Management Knowledge area, there are now 10 subobjectives instead of 14. The Support certification and accreditation subobjective was deleted entirely. The Develop and implement information security strategies and Assess the completeness and effectiveness of the security program subobjectives are now part of the Manage the security function subobjective. Finally, the professional ethics subobjective has moved to the Legal, Regulations, Investigations, and Compliance Knowledge area. Subobjectives 5 and 6 may at first appear new, but they are actually existing subobjectives that have been reworded. Here are the new subobjectives for the Information Security Governance and Risk Management Knowledge area (changes are in red and boldface font):

subobj 1 Understand and align security function to goals, mission, and objectives of the organization.
subobj 2 Understand and apply security governance: organizational processes (e.g., acquisitions, divestitures, governance committee), security roles and responsibilities, legislative and regulatory compliance, privacy requirements compliance, control frameworks, due care, and due diligence.
subobj 3 Understand and apply concepts of confidentiality, integrity, and availability.
subobj 4 Develop and implement security policy: security policies, standards/baselines, procedures, guidelines, and documentation.
subobj 5 Manage the information life cycle (e.g., classification, categorization, and ownership)
subobj 6 Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)
subobj 7 Understand and apply risk management concepts: identify threats and vulnerabilities, risk assessment/analysis (qualitative, quantitative, hybrid), risk assignment/acceptance, countermeasure selection, tangible and intangible asset valuation
subobj 8 Manage personnel security: employment candidate screening (e.g., reference checks, education verification), employment agreements and policies, employee termination processes, and vendor, consultant, and contractor controls.
subobj 9 Develop and manage security education, training, and awareness.
subobj 10 Manage the security function: budget, metrics, resources, develop and implement information security strategies, assess the completeness and effectiveness of the security program

In the Software Development Security Knowledge area, the same three subobjectives are listed, but within each there are some minor changes. In subobjective 1, risk analysis was removed. In subobjective 3, the specific tools for assessing the effectiveness of software security are no longer enumerated. Here are the new subobjectives for the Software Development Security Knowledge area (changes are in red):

subobj 1 Understand and apply security in the system life cycle: Development Life Cycle, Maturity models, Operation and maintenance, and Change management.
subobj 2 Understand the environment and security controls: security of the software environment, security issues of programming languages, security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor), and configuration management.
subobj 3 Assess the effectiveness of software security

In the Cryptography Knowledge area, a new subobjective has been added and two subobjectives have been minimally revised. Here are the new subobjectives for the Cryptography Knowledge area (changes are in red):

subobj 1 Understand the application and use of cryptography: data at rest (e.g., hard drive) and data in transit (e.g., "on the wire").
subobj 2 Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithms/protocol governance)
subobj 3 Understand encryption concepts: foundational concepts, symmetric cryptography, asymmetric cryptography, hybrid cryptography, message digests, and hashing.
subobj 4 Understand key management process: creation/distribution, storage/destruction, recovery, and key escrow.
subobj 5 Understand digital signatures.
subobj 6 Understand non-repudiation.
subobj 7 Understand methods of cryptanalytic attacks: chosen plain-text, social engineering for key discovery, brute force (e.g., rainbow tables, specialized/scalable architecture), cipher-text only, known plaintext, frequency analysis, chosen cipher-text, and implementation attacks.
subobj 8 Use cryptography to maintain network security.
subobj 9 Use cryptography to maintain application security.
subobj 10 Understand Public Key Infrastructure (PKI).
subobj 11 Understand certificate-related issues.
subobj 12 Understand information hiding alternatives (e.g., steganography, watermarking).

Watch in the coming weeks for the second half of this post that covers the other Knowledge areas. During that post, I will explain how these changes may affect your studying habits and what it all means for our Transcender practice test.

-Robin

5 Comments


  1. […] Wow! We are really cycling through some changes on the CISSP exam. If you take a look at this blog from the exam development team at Transcender (a well-known and widely respected purveyor of premium-priced IT certification practice exams, and now also a part of Kaplan, Inc.) you’ll get a pretty good sense of what’s in the offing for half of the domains in the Common Body of Knowledge (aka CBK) for the CISSP exam. Check it out at “The Transcender Team Explains the Coming CISSP Update – Part 1 of 2.” […]

  2. […] many of you may have noted in Part I of this post (published in September; review it here), an update to the CISSP exam is scheduled for January 1, 2012. Make a quick visit to the ISC2 […]

  3. where is the second part?

  4. […] the 2012 update to the CISSP exam. (If you missed them, see the post on part I of the changes here, and the post on part II of the changes here). If you remember, there wasn't a large amount […]
