The Transcender Team Explains the Coming CISSP Update – Part 2 of 2

October 21, 2011 at 1:37 pm | Posted in CISSP | 1 Comment

As many of you may have noted in Part I of this post (published in September; review it here), an update to the CISSP exam is scheduled for January 1, 2012. Make a quick visit to the ISC2 website, and you can download the newest Candidate Information Bulletin (CIB) for the CISSP. The CIB is a document that lists the knowledge areas that are covered in the exam. The CIB also contains candidate-focused information on the exam format, exam guidelines, and so on.

The 2012 update to CISSP covers 10 main Knowledge Areas (changes are in bold, red font):

  • Access Control
  • Telecommunications and Network Security
  • Information Security Governance and Risk Management
  • Software Development Security (formerly Application Development Security)
  • Cryptography
  • Security Architecture and Design
  • Security Operations (formerly Operations Security)
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations, and Compliance
  • Physical (Environmental) Security

What follows is a brief description of the changes to the last five Knowledge Areas (the first five are covered in my previous post). Please keep in mind that I am analyzing only the content of the CIB. I do not in any way have any inside knowledge about the new CISSP version that is coming in January aside from what is listed in the CIB. For each Knowledge area, I will be highlighting any changes in red. Changes include any new data or any data that is moved from one Knowledge Area, or subobjective, to another.

In the Security Architecture and Design Knowledge Area, there are still six subobjectives. Subobjective 5 has several small changes: the word application was changed to software, warehousing was added to the Database security area, and Distributed systems was added as a new topic. Here are the new subobjectives for the Security Architecture and Design Knowledge Area (changes are in red and boldface font):

subobj 1 Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-Level Models)
subobj 2 Understand the components of information systems security evaluation models: product evaluation models (e.g., common criteria) and industry and international security implementation guidelines (e.g., PCI-DSS, ISO)
subobj 3 Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module)
subobj 4 Understand the vulnerabilities of security architectures: system (e.g., covert channels, state attacks, emanations) and technology and process integration (e.g., single point of failure, service oriented architecture)
subobj 5 Understand software and system vulnerabilities and threats: Web-based (e.g., XML, SAML, OWASP), Client-based (e.g., applets), Server-based, (e.g., data flow control), Database security (e.g., inference, aggregation, data mining, warehousing), Distributed systems (e.g., cloud computing, grid computing, peer to peer)
subobj 6 Understand countermeasure principles (e.g., defense in depth)

In the Security Operations Knowledge area, there are still seven subobjectives. In Subobjective 2, the Personnel privacy and safety content has been removed. (This is now covered in the Physical Security Knowledge area.) In addition, the Asset management topic in Subobjective 2 has been expanded. In Subobjective 3, the Remediation topic has been expanded. Subobjective 4 has been reworded, but the rewording reflects no real topic change. Subobjective 6 has been edited slightly to include change management. Finally, subobjective 7 now includes system resilience. Here are the new subobjectives for the Security Operations Knowledge area (changes are in red and boldface font):

subobj 1 Understand security operations concepts: Need to know/least privilege, Separation of duties and responsibilities, Monitor special privileges (e.g., operators, administrators), Job rotation, Marking, handling, storing, and destroying of sensitive information, record retention
subobj 2 Employ resource protection: Media management, Asset management (e.g., equipment life cycle, software licensing)
subobj 3 Manage incident response: Detection, Response, Reporting, Recovery, Remediation and review (e.g., root cause analysis)
subobj 4 Implement preventative measures against attacks (e.g., malicious attacks, zero-day exploit, denial of service)
subobj 5 Implement and support patch and vulnerability management
subobj 6 Understand change and configuration management (e.g., versioning, baselining)
subobj 7 Understand system resilience and fault tolerance requirements

In the Business Continuity and Disaster Recovery Planning Knowledge area, there are now 5 subobjectives instead of 6. The Provide training subobjective is now part of Subobjective 4 (the Understand disaster recovery process subobjective). Subobjective 5 is slightly reworded: Exercise replaces the test and update topics. Here are the new subobjectives for the Business Continuity and Disaster Recovery Planning Knowledge area (changes are in red and boldface font):

subobj 1 Understand business continuity requirements: Develop and document project scope and plan
subobj 2 Conduct business impact analysis: Identify and prioritize critical business functions, Determine maximum tolerable downtime and other criteria, Assess exposure to outages (e.g., local, regional, global), Define recovery objectives
subobj 3 Develop a recovery strategy: Implement a backup storage strategy (e.g., offsite storage, electronic vaulting, tape rotation), Recovery site strategies
subobj 4 Understand disaster recovery process: Response, Personnel, Communications, Assessment, Restoration, Provide training
subobj 5 Exercise, assess, and maintain the plan (e.g., version control, distribution)

In the Legal, Regulations, Investigations, and Compliance Knowledge area, there are now 6 subobjectives, instead of 4. Subobjective 2 has been moved to this Knowledge area from the Information Security Governance and Risk Management Knowledge area. Subobjective 3 has been expanded to include roles and responsibilities. Subobjective 4 has been expanded to include Hardware/embedded device analysis. Subobjective 6 is completely new. Here are the new subobjectives for the Legal, Regulations, Investigations, and Compliance Knowledge area (changes are in red):

subobj 1 Understand legal issues that pertain to information security internationally: Computer crime, Licensing and intellectual property (e.g., copyright, trademark), Import/Export, Trans-border data flow, Privacy
subobj 2 Understand professional ethics: (ISC)2 Code of Professional Ethics, Support organization’s code of ethics.
subobj 3 Understand and support investigations: Policy, roles, and responsibilities (e.g., rules of engagement, authorization, scope), Incident handling and response, Evidence collection and handling (e.g., chain of custody, interviewing), Reporting and documenting
subobj 4 Understand forensic procedures: Media analysis, Network analysis, Software analysis, Hardware/embedded device analysis
subobj 5 Understand compliance requirements and procedures: Regulatory environment, Audits, Reporting
subobj 6 Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)

In the Physical (Environmental) Security Knowledge area, there are now 6 subobjectives, instead of 5. Subobjective 1 has only been slightly reworded. Subobjective 6 has been moved from the Operations Security Knowledge area. Here are the new subobjectives for the Physical (Environmental) Security Knowledge area (changes are in red):

subobj 1 Understand site and facility design considerations.
subobj 2 Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)
subobj 3 Support the implementation and operation of internal security (e.g., escort requirements/visitor control, keys and locks)
subobj 4 Support the implementation and operation of facilities security (e.g., technology convergence): Communications and server rooms, Restricted and work area security, Data center security, Utilities and Heating, Ventilation, and Air Conditioning (HVAC) considerations, Water issues (e.g., leakage, flooding), Fire prevention, detection, and suppression
subobj 5 Support the protection and securing of equipment
subobj 6 Understand personnel privacy and safety (e.g., duress, travel, monitoring)

Overall, these changes are fairly minor. The new topics reflect changes in the information security world, and any information security professional should already have experience with them. As for our Transcender practice test, you can expect an update in 2012. This update will mainly consist of the shuffling of existing practice questions. However, where truly new topics have been introduced, we will be adding questions to ensure that our customers understand these new topics.

In the interim, we have completed an update to our current CISSP offering (to be released in a couple of days). This update adds around 70 new questions to our practice test, still based on the 2011 CIB, and updates the reference to Shon Harris’ 5th Edition. Watch for this update early next week!


1 Comment »


  1. […] the CISSP updates that are coming in January. Immediately following the post of the 2nd part (here), I started receiving e-mails from customers asking me how they can get this recent update and the […]
