The New A+ 900 Series: What’s New (Part 5 of 5)

May 20, 2016 at 3:09 pm | Posted in Uncategorized

Welcome back to my series of posts on the new A+ exam. Did you think I was NEVER going to finish this blog series? Me too! But I have been really snowed under working on some new products that I think will really please our customers. One of those is a practice test for (ISC)2’s SSCP exam. And there are a few more exciting security titles coming soon! Watch our website for more information.

The old A+ 220-801 and 220-802 exams are still available, but they will retire on June 30, 2016 in the United States. CompTIA released a new version of the A+ certification by rolling out the 220-901 and 220-902 exams on December 15, 2015.

  • In my first post, I went over the timeline and what to expect from the exam changes as a whole.
  • In my second post, I went into detail regarding the first two objectives for 220-901, Hardware and Networking.
  • In my third post, I went into detail regarding the last two objectives for 220-901, Mobile Devices and Hardware & Network Troubleshooting.
  • In my fourth post, I covered the first two objectives for 220-902, Windows Operating Systems and Other Operating Systems and Technologies.

In this post, I will cover the rest of 220-902, a total of three objectives: Security, Software Troubleshooting, and Operational Procedures. I’ll give you the entire overview of each objective, list each subobjective, tell you where each topic fell in the old A+ 800-series (if applicable), and put all changes or additions in RED ITALICS.

I will not call out any deleted topics, although CompTIA has removed some topics. This is because I am not really sure if those topics were actually removed from the exam, or if they are just so insignificant that they aren’t called out in the objective listing, but are still floating around in some test questions. Remember that CompTIA’s objective listing contains a disclaimer that says,

“The lists of examples provided in bulleted format below each objective are not exhaustive lists. Other examples of technologies, processes or tasks pertaining to each objective may also be included on the exam although not listed or covered in this objectives document.”

For this reason, I didn’t want to focus on what was removed. My exam experience has shown that the bullet lists are not exhaustive. Spending time focusing on what was removed may give you a false sense of security by making you think you don’t need to study those topics. So I am just ignoring any topic removals.

First, a note about “Bloom’s Levels”

You’ll see me refer to topics changing their Bloom’s level. In the instructional design world, Bloom’s taxonomy is used to describe the depth or complexity of a learning outcome, just as the OSI model describes the level at which a network component operates. Level 1 is basic memorization (what is a router?), where level 6 is complete mastery of a concept (designing a network from scratch).

If I mention here that a Bloom’s level has changed, it generally means that CompTIA is asking for something more complex than memorization. While these changes shouldn’t scare you, there is a bit more “rubber meeting the road” to the higher Bloom’s levels. For example, instead of recognizing various LCD technologies from a list, you may be asked to evaluate which LCD is the best choice for a given scenario. Instead of answering a question about how CIDR notation behaves in the abstract, you may be asked to configure a subnet mask.

220-902 Objective 3: Security

A+ 220-802 covered Security in its own domain. It included prevention methods, security threats, securing a workstation, data destruction/disposal, and wired/wireless network security. The biggest change in this objective is the new topics that are covered (obviously because new security threats have emerged) and the inclusion of Windows OS security settings and securing mobile devices.

What’s changed? In A+ 220-902, Security now includes OS security settings. No big surprise: Windows is widely used, and securing it should be the top priority of anyone using it daily. This objective also includes mobile device security, which should also not be a surprise with the popularity of these devices increasing, particularly in enterprises.

3.1 Identify common security threats and vulnerabilities. – From Objective 3, subobjective 2 in the old 220-802. The wording changed to “Identify” from “Compare and contrast,” which affected the Bloom’s level by moving up to the application level. New topics were added:

  • Malware – Revised to include spyware, viruses, worms, trojans, and rootkits under a single bullet with ransomware being a new entry.
  • Spear Phishing – added
  • Spoofing – added
  • Zero day attack – added
  • Zombie/botnet – added
  • Brute forcing – added
  • Dictionary attacks – added
  • Non-compliant systems – added
  • Violations of security best practices – added
  • Tailgating – added
  • Man-in-the-middle – added

3.2 Compare and contrast common prevention methods. – From Objective 3, subobjective 1 in 220-802. The wording changed to “Compare and contrast” from “Apply and use,” which affected the Bloom’s level by moving down to the comprehension level. These new topics were added:

  • Physical security 
    • Mantrap – changed from Tailgating in the 220-802 to more accurately reflect the actual preventive control
    • Cable locks – added to the Physical security section
    • ID badges – changed from Badges in the 220-802 to more accurately reflect the preventive control
    • Smart card – added to the Physical security section
    • Tokens – changed from RSA tokens in the 220-802 to more accurately reflect the preventive control
    • Entry control roster – added to the Physical security section
  • Digital security
    • Antivirus/Antimalware – added Antimalware to the Digital security section
    • Multifactor authentication – added to the Digital security section
    • VPN – added to the Digital security section
    • DLP – added Data loss prevention (DLP) to the Digital security section
    • Disabling ports – added to the Digital security section
    • Access control lists – added to the Digital security section
    • Smart card – added to the Digital security section
    • Email filtering – added to the Digital security section
    • Trusted/untrusted software sources – added to the Digital security section
  • User education/AUP – Acceptable Use Policy (AUP) added


The New A+ 900 Series: What’s New (Part 4 of 5)

March 9, 2016 at 2:48 pm | Posted in CompTIA | 1 Comment

Welcome back to my series of posts on the new A+ exam. The old 220-801 and 220-802 exams are still available, but they will retire on June 30, 2016 in the United States. CompTIA has released a new version of the A+ certification by rolling out the 220-901 and 220-902 exams on December 15, 2015.

  • In my first post, I went over the timeline and what to expect from the exam changes as a whole.
  • In my second post, I went into detail regarding the first two objectives for 220-901, Hardware and Networking.
  • In my third post, I went into detail regarding the last two objectives for 220-901, Mobile Devices and Hardware & Network Troubleshooting.

In this post, I will cover the first two objectives for 220-902, Windows Operating Systems and Other Operating Systems & Technologies. I’ll give you the entire overview of each objective, list each subobjective, tell you where each topic fell in the old A+ 800-series (if applicable), and put all changes or additions in RED ITALICS.

I will not call out any deleted topics, although CompTIA has removed some topics. This is because I am not really sure if those topics were actually removed from the exam, or if they are just so insignificant that they aren’t called out in the objective listing, but are still floating around in some test questions. Remember that CompTIA’s objective listing contains a disclaimer that says,

“The lists of examples provided in bulleted format below each objective are not exhaustive lists. Other examples of technologies, processes or tasks pertaining to each objective may also be included on the exam although not listed or covered in this objectives document.”

For this reason, I didn’t want to focus on what was removed. My exam experience has shown that the bullet lists are not exhaustive. Spending time focusing on what was removed may give you a false sense of security by making you think you don’t need to study those topics. So I am just ignoring any topic removals.

First, a note about “Bloom’s Levels”

You’ll see me refer to topics changing their Bloom’s level. In the instructional design world, Bloom’s taxonomy is used to describe the depth or complexity of a learning outcome, just as the OSI model describes the level at which a network component operates. Level 1 is basic memorization (what is a router?), where level 6 is complete mastery of a concept (designing a network from scratch).

If I mention here that a Bloom’s level has changed, it generally means that CompTIA is asking for something more complex than memorization. While these changes shouldn’t scare you, there is a bit more “rubber meeting the road” to the higher Bloom’s levels. For example, instead of recognizing various LCD technologies from a list, you may be asked to evaluate which LCD is the best choice for a given scenario. Instead of answering a question about how CIDR notation behaves in the abstract, you may be asked to configure a subnet mask.

220-902 Objective 1: Windows Operating Systems

A+ 220-802 covered Windows operating systems in its own domain. It included Windows operating system (OS) features and requirements, installation, command-line tools, tools and features, Control Panel utilities, networking, and maintenance. The biggest change in this objective is the OSs versions that are included.

What’s changed? In A+ 220-902, Windows operating systems now include Windows 8 and 8.1. No big surprise: Windows XP was removed. But contrary to popular belief, Windows 10 is NOT included. Often I hear complaints that the A+ certification doesn’t include the latest Windows version (because this happens in almost every iteration of A+). But keep in mind that the objectives for this exam were ironed out last year while Windows 10 was still in its infancy.

1.1 Compare and contrast various features and requirements of Microsoft Operating Systems (Windows Vista, Windows 7, Windows 8, Windows 8.1). – From Objective 1, subobjective 1 in the old 220-802. New topics were added:

  • Features 
    • Side by side apps – added to the Features section
    • Metro UI – added to the Features section
    • Pinning – added to the Features section
    • One Drive – added to the Features section
    • Windows Store – added to the Features section
    • Multimonitor task bars – added to the Features section
    • Charms – added to the Features section
    • Start Screen – added to the Features section
    • Power Shell – added to the Features section
    • Live sign in – added to the Features section
    • Action Center – added to the Features section

1.2 Given a scenario, install Windows PC operating systems using appropriate methods. – From Objective 1, subobjective 2 in 220-802. These new topics were added:

  • Boot methods 
    • Solid state/flash drives – added to the Boot methods section
    • Netboot – added to the Boot methods section
    • External/hot swappable drive – added to the Boot methods section
    • Internal hard drive (partition) – added to the Boot methods section
  • Type of installations
    • Recovery partition – added to the Type of installations section
    • Refresh/restore – added to the Type of installations section
  • Partitioning
    • GPT – added to the Partitioning section
  • File system types/formatting
    • ExFAT – added to the File system types/formatting section
    • NFS – added to the File system types/formatting section
    • ext3, ext4 – added to the File system types/formatting section
  • Properly formatted boot drive with the correct partitions/format– added

1.3 Given a scenario, apply appropriate Microsoft command line tools. – From Objective 1, subobjective 3 in 220-802. The Networking command-line tools that were included in this objective in 220-802 have been moved to the Networking objective in 220-901. These new topics were added:

  • GPUPDATE – added
  • GPRESULT – added
  • DIR – added
  • EXIT – added
  • HELP – added
  • EXTRACT – added
  • Commands available with standard privileges vs. administrative privileges. – added

1.4 Given a scenario, use appropriate Microsoft operating system features and tools. – From Objective 1, subobjective 4 in 220-802. These new topics were added:

  • Disk Management
    • Initializing – added to the Disk Management section
    • Shrink partitions – added to the Disk Management section
    • Assigning/changing drive letters – revised to include changing
    • Storage spaces – added to the Disk Management section
  • Other
    • Windows Upgrade Advisor – added to the Other section
  • System Utilities
    • DEFRAG – added to the System Utilities section
    • System restore –  added to the System Utilities section
    • Windows Update –  added to the System Utilities section

1.5 Given a scenario, use Windows Control Panel utilities. – From Objective 1, subobjective 5 in 220-802. These new topics were added:

  • Display/Display Settings – revised to include Display Settings
    • Color depth – added to the Display/Display Settings section
    • Refresh rate – added to the Display/Display Settings section
  • Folder Options
    • General options – added to the Folder Options section
    • View options – added to the Folder Options section
  • System
    • Hardware profiles – added to the System section
  • Programs and features – added
  • Devices and Printers – added
  • Sound – added
  • Network and Sharing Center – added
  • Device Manager – added

1.6 Given a scenario, install and configure Windows networking on a client/desktop. – From objective 1, subobjective 6 in 220-802. The Bloom’s level has increased. “Given a scenario” requires applying your knowledge, rather than the old wording of “Setup and configure” (demonstrating knowledge without application). These new topics were added:

  • Network shares/administrative shares/mapping drives – changed to include administrative shares
  • Printer sharing vs. network printer mapping – added
  • Remote Desktop Connection – changed to proper name of tool
  • Remote Assistance – added
  • Network card properties
    • BIOS (on-board NIC) – added to Network card properties section

1.7 Perform common preventive maintenance procedures using the appropriate Windows OS tools. – From Objective 1, subobjective 7 in 220-802.

  • Best practices
    • Scheduled disk maintenance – changed to disk maintenance instead of separate check disks and defragmentation
    • Antivirus/ Antimalware updates – changed to include antimalware
  • Tools
    • Disk maintenance utilities – changed to disk maintenance utilities instead of check disk and defrag

220-902 Objective 2: Other Operating Systems & Technologies

This is a mostly new objective for the A+ certification. For those of you that go way back (and I am talking way, way back here), you’ll remember that the A+ certification used to cover the Apple and Linux operating systems, cloud technologies, and network hosts. With this latest version, you will see a return of those operating systems in this objective, as well as covering the mobile device operating systems, virtualization, mobile device connectivity and email, and mobile devices synchronization, which were all covered in 220-802.


The New A+ 900 Series: What’s New (Part 3 of 5)

February 10, 2016 at 10:56 am | Posted in CompTIA, Study hints, study tips | 1 Comment

Welcome back to my series of posts on the new A+ exam. The old 220-801 and 220-802 exams are still available, but they will retire on June 30, 2016 in the United States. CompTIA has released a new version of the A+ certification by rolling out the 220-901 and 220-902 exams on December 15, 2015.

  • In my first post, I went over the timeline and what to expect from the exam changes as a whole.
  • In my second post, I went into detail regarding the first two objectives for 220-901, Hardware and Networking.

In this post, I will cover the second two objectives for 220-901, Mobile Devices and Hardware and Network Troubleshooting. I’ll give you the entire overview of each objective, list each subobjective, tell you where each topic fell in the old A+ 800-series (if applicable), and put all changes or additions in RED ITALICS.

I will not call out any deleted topics, although CompTIA has removed some topics. This is because I am not really sure if those topics were actually removed from the exam, or if they are just so insignificant that they aren’t called out in the objective listing, but are still floating around in some test questions. Remember that CompTIA’s objective listing contains a disclaimer that says,

“The lists of examples provided in bulleted format below each objective are not exhaustive lists. Other examples of technologies, processes or tasks pertaining to each objective may also be included on the exam although not listed or covered in this objectives document.”

For this reason, I didn’t want to focus on what was removed. My exam experience has shown that the bullet lists are not exhaustive. Spending time focusing on what was removed may give you a false sense of security by making you think you don’t need to study those topics. So I am just ignoring any topic removals.

First, a note about “Bloom’s Levels”

You’ll see me refer to topics changing their Bloom’s level. In the instructional design world, Bloom’s taxonomy is used to describe the depth or complexity of a learning outcome, just as the OSI model describes the level at which a network component operates. Level 1 is basic memorization (what is a router?), where level 6 is complete mastery of a concept (designing a network from scratch).

If I mention here that a Bloom’s level has changed, it generally means that CompTIA is asking for something more complex than memorization. While these changes shouldn’t scare you, there is a bit more “rubber meeting the road” to the higher Bloom’s levels. For example, instead of recognizing various LCD technologies from a list, you may be asked to evaluate which LCD is the best choice for a given scenario. Instead of answering a question about how CIDR notation behaves in the abstract, you may be asked to configure a subnet mask.

220-901 Objective 3: Mobile Devices

A+ 220-802 covered mobile devices in its own domain. It included features of mobile operating systems, basic network connectivity, configuring email, securing mobile devices, hardware differences in regards to tablets and laptops, and mobile device synchronization. Laptops were covered separately, in the 220-801 Laptops domain.

What’s changed? In A+ 220-901, mobile devices now includes laptop hardware and components, laptop display components, laptop features, features of other mobile devices, and accessories and ports of other mobile devices. In some cases, minor wording changes occurred at the subobjective level.

3.1 Install and configure laptop hardware and components. – From Objective 3, subobjective 1 in the old 220-801. New topics were added:

  • Ports/Adapters section  – added entire section
    • Thunderbolt – added to the Ports/Adapters section
    • DisplayPort – added to the Port/Adapters section
    • USB to RJ-45 dongle – added to the Ports/Adapters section
    • USB to WiFi dongle – added to the Ports/Adapters section
    • USB to Bluetooth – added to the Ports/Adapters section
    • USB Optical Drive – added to the Ports/Adapters section
  • SSD vs. Hybrid vs. Magnetic disk – added to the Hard Drive subsection
  • 1.8in vs. 2.5in – added to the Hard Drive subsection
  • Smart card reader – added to the Hardware/Device Replacement section
  • Optical drive – added to the Hardware/Device Replacement section

3.2 Explain the function of components within the display of a laptop. – From Objective 3, subobjective 2 in 220-801. The Bloom’s level has increased. “Explain the function of” requires applying your knowledge, rather than the old wording of “Compare and contrast” (demonstrating knowledge without application). These new topics were added:

  • TN vs. IPS – added to LCD subsection
  • Webcam – added
  • Microphone – added
  • Digitizer – added

3.3 Given a scenario, use appropriate laptop features. – From Objective 3, subobjective 3 in 220-801. The Bloom’s level (and therefore the difficulty) for this objective changed, because the “Given a scenario, use” phrase replaced “Compare and contrast” (demonstrating knowledge without application) in the old version. One new topic was added:

  • Rotating / removable screens – added

3.4 Explain the characteristics of various types of other mobile devices. – This objective was not part of the A+ 800-series exams. The topics in this objective are:

  • Tablets – added
  • Smart phones – added
  • Wearable technology devices section – added entire section
    • Smart watches – added to the Wearable technology devices section
    • Fitness monitors – added to the Wearable technology devices section
    • Glasses and headsets – added to the Wearable technology devices section
  • Phablets – added
  • e-Readers – added
  • Smart camera – added
  • GPS – added

3.5 Compare and contrast accessories & ports of other mobile devices. – This objective was not in the A+ 800-series exams. The topics in this objective are:

  • Connection types – added section
    • NFC – added
    • Proprietary vendor specific ports (communication/power) – added
    • microUSB/miniUSB – added
    • Lightning – added
    • Bluetooth – added
    • IR – added
    • Hotspot / tethering – added
  • Accessories – added section
    • Headsets – added
    • Speakers – added
    • Game pads – added
    • Docking stations – added
    • Extra battery packs/battery chargers – added
    • Protective covers / water proofing – added
    • Credit card readers – added
    • Memory/MicroSD – added

220-901 Objective 4: Hardware & Network Troubleshooting

The old A+ 220-802 covered troubleshooting in its own domain. It included the troubleshooting theory, hardware troubleshooting, network troubleshooting, operating system troubleshooting, security troubleshooting, laptop troubleshooting, and printer troubleshooting.

In A+ 220-901, this objective covers hardware troubleshooting, network troubleshooting, mobile device troubleshooting, and printer troubleshooting. The other aspects of troubleshooting have been moved to the A+ 220-902 exam. All changes are in RED ITALICS.

4.1 Given a scenario, troubleshoot common problems related to motherboards, RAM, CPU and power with appropriate tools. – From Objective 4, subobjective 2 in 220-802. This subobjective had no changes.

4.2 Given a scenario, troubleshoot hard drives and RAID arrays with appropriate tools. – From Objective 4, subobjective 3 in 220-802. This subobjective had no changes.

4.3 Given a scenario, troubleshoot common video, projector and display issues. – From Objective 4, subobjective 4 in 220-802. This subobjective had no changes.

4.4 Given a scenario, troubleshoot wired and wireless networks with appropriate tools. – From Objective 4, subobjective 5 in 220-802. This subobjective had no changes.

4.5 Given a scenario, troubleshoot and repair common mobile device issues while adhering to the appropriate procedures. – From Objective 4, subobjective 8 in 220-802. The old version of this objective only mentioned laptops, not mobile devices. So keep in mind that you must expand all of the troubleshooting scenarios to include all other mobile devices, including laptops, tablets, and smart phones. New topics include:

  • Touchscreen non-responsive – added to Common symptoms
  • Apps not loading – added to Common symptoms
  • Slow performance – added to Common symptoms
  • Unable to decrypt email – added to Common symptoms
  • Extremely short battery life – added to Common symptoms
  • Overheating – added to Common symptoms
  • Frozen system – added to Common symptoms
  • No sound from speakers – added to Common symptoms
  • GPS not functioning – added to Common symptoms
  • Swollen battery – added to Common symptoms

4.6 Given a scenario, troubleshoot printers with appropriate tools. – From Objective 4, subobjective 9 in 220-802. This subobjective had no changes.

Closing Thoughts

As you can see, I am just covering the high points and not delving too deeply into these topics. My point here is to help those who already know the A+ understand exactly what new topics they need to study. CompTIA has started a series of Webinars called Deep Dive: A Look Inside the A+ 900 Series Objectives that cover these topics much more deeply than I do. You can access these Webinars by joining the CompTIA Instructor Network at http://bit.ly/1Sxj3h9.

Remember, this post is part of a series of posts I will be completing. Here are the details for those posts:

To help you start your A+ 900-series study schedule off right, we have launched our 220-901 practice test! It includes performance-based questions and covers all the 220-901 topics.


Thanks again for reading!

-Robin Abernathy

The New A+ 900 Series: What’s New (Part 2 of 5)

January 28, 2016 at 1:08 pm | Posted in Certification Paths, CompTIA, Study hints, study tips | 1 Comment

As I explained in my last post, CompTIA has released a new version of the A+ certification by rolling out the 220-901 and 220-902 exams on December 15, 2015. The old 220-801 and 220-802 exams are still available, but they will retire on June 30, 2016 in the United States.

In this post, I will cover the first two objectives for 220-901, Hardware and Networking. I’ll give you the entire overview of each objective, list each subobjective, tell you where each topic fell in the old A+ 800-series (if applicable), and put all changes or additions in RED ITALICS.

I will not call out any deleted topics, although CompTIA has removed some topics (for example, floppy drives and SCSI). This is because I am not really sure if those topics were actually removed from the exam, or if they are just so insignificant that they aren’t called out in the objective listing, but are still floating around in some test questions. Remember that CompTIA’s objective listing contains a disclaimer that says,

“The lists of examples provided in bulleted format below each objective are not exhaustive lists. Other examples of technologies, processes or tasks pertaining to each objective may also be included on the exam although not listed or covered in this objectives document.”

For this reason, I didn’t want to focus on what was removed. My exam experience has shown that the bullet lists are not exhaustive. Spending time focusing on what was removed may give you a false sense of security by making you think you don’t need to study those topics. So I am just ignoring any topic removals.

First, a note about “Bloom’s Levels”

In this and subsequent posts, you’ll see me refer to topics changing their Bloom’s level. In the instructional design world, Bloom’s taxonomy is a model for describing the depth or complexity of a learning outcome, much like the OSI model describes the level at which a network component operates. Level 1 is basic memorization (what is a router?), where level 6 is complete mastery of a concept (designing a network from scratch).

If I mention here that a Bloom’s level has changed, it generally means that CompTIA is asking for something more complex than memorization. While these changes shouldn’t scare you, there is a bit more “rubber meeting the road” to the higher Bloom’s levels. For example, instead of recognizing various LCD technologies from a list, you may be asked to evaluate which LCD is the best choice for a given scenario. Instead of answering a question about how CIDR notation behaves in the abstract, you may be asked to configure a subnet mask.

220-901 Objective 1: Hardware

A+ 220-801 covered hardware in its own domain and included BIOS, motherboards, RAM, expansion cards, storage devices, CPUs and cooling, connectors and cables, power supplies, custom configurations, display devices, and peripherals. In A+ 220-901, hardware has been expanded to include UEFI and printers and multi-functional devices (which was its own objective in 220-801). In some cases, minor wording changes occurred at the subobjective level.

1.1 Given a scenario, configure settings and use BIOS/UEFI tools on a PC. – From Objective 1, subobjective 1 in the old version. The Bloom’s level for this objective increased, because the “Given a scenario” qualification is now part of this objective. Instead of simply identifying what a setting does, you will likely be asked to choose the correct setting for a given set of conditions. There is only one new topic:

  • Secure boot – added to BIOS security sub-section

1.2 Explain the importance of motherboard components, their purpose, and properties. – From Objective 1, subobjective 2 in 220-801. The Bloom’s level (and therefore the difficulty) for this objective changed as well, because the “Explain the importance” phrase is used instead of “Differentiate between” (demonstrating knowledge without application) in the old version. One new topic was added:

  • Mini-ITX – added to Sizes section

1.3 Compare and contrast various RAM types and their features. – From Objective 1, subobjective 3 in 220-801. One new topic was added:

  • Buffered versus unbuffered – added to Types section

1.4 Install and configure PC expansion cards. – From Objective 1, subobjective 4 in 220-801. One new topic was added:

  • Storage cards – added

1.5 Install and configure storage devices and use appropriate media. – From Objective 1, subobjective 5 in 220-801. New topics include:

  • Hybrid and eMMC – added to Solid state/flash drives section

1.6 Install various types of CPUs and apply the appropriate cooling methods. – From Objective 1, subobjective 6 in 220-801. The Bloom’s level for this objective changed because the “Install” phrase (using acquired knowledge) is used instead of “Differentiate among” (demonstrating knowledge without application) in the old version. New topics include:

  • Intel 1150, 2011 – added to Socket types section
  • AMD FM2, FM2+ – added to Socket types section
  • Disable execute bit – added to Characteristics section
  • Fanless/passive – added to Cooling section

1.7 Compare and contrast various PC connection interfaces, their characteristics and purpose. – From Objective 1, subobjective 7 in 220-801. New topics include:

  • Analog and Digital (Optical connector) – added to Audio sub-section
  • NFC – added to Wireless connections section
  • Quality and DRM – added to Characteristics section

1.8 Install a power supply based on given specifications. – From Objective 1, subobjective 8 in 220-801. One new topic was added:

  • Dual rail – added to Specifications section

1.9 Given a scenario, select the appropriate components for a custom PC configuration, to meet customer specifications or needs. – From Objective 1, subobjective 9 in 220-801. The Bloom’s level for this objective was raised to include “Given a scenario.” New topics are:

  • Multicore processor – changed from Powerful processor in Graphic / CAD / CAM design workstation section. This change simply updates the test’s language to current PC technology, as all “powerful” processors today will be multicore by default.
  • Multicore processor – changed from Powerful processor in Gaming PC section.  Again, this is not new knowledge, but rather an update of the test’s nomenclature.
  • Meets recommended requirements for selected OS – changed from Meets recommended requirements for Windows in Standard thick client section. This is an important change because it shows a shift back to including other operating systems besides Windows, which hasn’t been the case in the past few A+ releases.
  • Meets minimum requirements for selected OS – changed from Meets minimum requirements for running Windows in Thin client section.
  • Network connectivity – added to Thin client section.

1.10 Compare and contrast types of display devices and their features. – From Objective 1, subobjective 10 in 220-801. The Bloom’s level for this objective changed because the “Compare and contrast” phrase is used instead of “Given a scenario, evaluate” in the old version. New topics include:

  • TN vs. IPS and Fluorescent vs. LED backlighting – added in the LCD sub-section
  • Refresh / frame rates – added frame rates
  • Aspect ratios (16:9, 16:10, and 4:3) – added specific ratios

1.11 Identify common PC connector types and associated cables. – From Objective 1, subobjective 11 in 220-801. New topics include:

  • Adapters and converters (DVI to HDMI, USB A to USB B, USB to Ethernet, DVI to VGA, Thunderbolt to DVI, PS/2 to USB, and HDMI to VGA) – all added, and all reflective of the cables commonly available in today’s computing environments.

1.12 Install and configure common peripheral devices. – From Objective 1 subobjective 12 in 220-801. New topics include:

  • Biometric devices, Motion sensor, Touch pads, Smart card readers, and Digital cameras – added to the Input devices section
  • Smart TV and Set-Top Box – added to the Input & Output devices section

1.13 Install SOHO multifunction device / printers and configure appropriate settings. – From Objective 4, subobjective 2 in 220-801. The Bloom’s level for this objective changed because the “Given a scenario” phrase has been removed. In addition, multifunction devices have been added and configuration knowledge is required. The new topics include:

  • Configuration settings (Duplex, Collate, Orientation, and Quality) – added to the Use appropriate drivers for a given operating system section
  • Infrastructure vs. adhoc – added to the Wireless sub-section
  • Cloud printing/remote printing – added to the Device sharing section
  • TCP/Bonjour/AirPrint – added to the Sharing local/networked device via Operating System settings sub-section
  • Data privacy (User authentication on the device and Hard drive caching) – added to the Public/shared devices section

1.14 Compare and contrast differences between the various print technologies and the associated imaging process. – From Objective 4, subobjective 1 in 220-801. The wording changed to “Compare and contrast” from “Explain the differences between,” but in my opinion, this change did not affect the Bloom’s level. New topic is:

  • Virtual (Print to file, Print to PDF, Print to XPS, and Print to image) – added

1.15 Given a scenario, perform appropriate printer maintenance. – From Objective 4, subobjective 3 in 220-801. New topics include:

  • Inkjet (Clean heads, replace cartridges, calibration, clear jams) – added

220-901 Objective 2: Networking

A+ 220-801 covered networking in its own domain and included network cables and connectors, TCP/IP, TCP and UDP ports and protocols, wireless networking standards and encryption, SOHO wireless/wired router installation and configuration, Internet connection types, network types, network devices, and networking tools. In A+ 220-901, minor wording changes occurred at the subobjective level. All changes are in RED ITALICS.

2.1 Identify the various types of network cables and connectors. – From Objective 2, subobjective 1 in 220-801. This subobjective had no changes.

2.2 Compare and contrast the characteristics of connectors and cabling. – From Objective 2, subobjective 2 in 220-801. Slight wording change at subobjective level, but no change in the Bloom’s level. New topics include:

  • CAT6e, CAT7 – added to Twisted pair section
  • Splitters and effects on signal quality – added to Twisted pair and Coaxial sections

2.3 Explain the properties and characteristics of TCP/IP. – From Objective 2, subobjective 3 in 220-801. New topics include:

  • Public vs. private vs. APIPA/link local – added link local
  • Subnet mask vs. CIDR – added CIDR
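
As an added illustration of the two 2.3 additions (link-local addressing and CIDR), here is a short Python example. It is example code written for these notes, not anything from CompTIA or the original post. It converts a dotted-decimal subnet mask to its CIDR prefix length and back (rejecting non-contiguous masks), and classifies an IPv4 address as public, RFC 1918 private, APIPA/link-local, or loopback. The sample hosts are constructed for the example.

```python
import ipaddress

# Constructed sample input (not from the post): host addresses and the
# dotted-decimal masks a technician might see in a SOHO router's DHCP table.
SAMPLE_HOSTS = [
    ("192.168.1.20", "255.255.255.0"),
    ("10.4.7.250", "255.255.0.0"),
    ("172.20.3.9", "255.255.252.0"),
    ("169.254.33.7", "255.255.0.0"),   # APIPA: DHCP never answered
    ("8.8.8.8", "255.255.255.255"),
    ("127.0.0.1", "255.0.0.0"),
]

# RFC 1918 private ranges and the APIPA/link-local range (RFC 3927).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal subnet mask to its CIDR prefix length.

    A valid mask is a run of ones followed by zeros. Something like
    255.0.255.0 parses as an address but is not a legal mask, so it is
    rejected instead of silently becoming /16."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if bits != expected:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """Convert a CIDR prefix length (0-32) back to dotted-decimal."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def classify(addr: str) -> str:
    """Label an IPv4 address the way the 2.3 objective groups them.

    Order matters: ipaddress.is_private also covers loopback and
    169.254/16, so the more specific checks come first."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip in APIPA:
        return "APIPA/link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def describe(addr: str, mask: str) -> dict:
    """Combine mask conversion and classification for one host."""
    prefix = mask_to_prefix(mask)
    network = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    return {
        "address": addr,
        "cidr": f"{addr}/{prefix}",
        "mask": prefix_to_mask(prefix),
        "network": str(network),
        "kind": classify(addr),
    }


if __name__ == "__main__":
    for host, mask in SAMPLE_HOSTS:
        print(describe(host, mask))
```

An APIPA address in the output is itself a troubleshooting clue: the host fell back to 169.254.x.x because no DHCP server answered, so the fix is on the DHCP side, not the client.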

2.4 Explain common TCP and UDP ports, protocols, and their purpose. – From Objective 2, subobjective 4 in 220-801. New topics include:

  • 22 – SSH; 137-139, 445 – SMB; and 548 or 427 – AFP – added to Ports section
  • CIFS and AFP – added to Protocols section

2.5 Compare and contrast various WiFi networking standards and encryption types. – From Objective 2, subobjective 5 in 220-801. New topics include:

  • 802.11ac – added to Standards section

2.6 Given a scenario, install and configure SOHO wireless/wired router and apply appropriate settings. – From Objective 2, subobjective 6 in 220-801. The Bloom’s level for this objective changed because the “Given a scenario” qualification is now part of this objective. New topics include:

  • NAT / DNAT – added DNAT
  • Firmware – added
  • UPnP – added

2.7 Compare and contrast Internet connection types, network types, and their features. – From Objective 2, subobjective 7 and 8 in 220-801. New topics include:

  • Tethering – added in the Cellular subsection

2.8 Compare and contrast network architecture devices, their functions, and features. – From Objective 2, subobjective 9 in 220-801. New topics include:

  • Patch panel – added
  • Repeaters/extenders – added
  • Ethernet over Power – added
  • Power over Ethernet injector – added

2.9 Given a scenario, use appropriate networking tools. – From Objective 2, subobjective 10 in 220-801. New topics include:

  • Cable stripper – added
  • Tone generator & probe – added generator
  • WiFi analyzer – added

Closing Thoughts

As you can see, I am just covering the high points and not delving too deeply into these topics. My point here is to help those who already know the A+ understand exactly what new topics they need to study. CompTIA has started a series of Webinars called Deep Dive: A Look Inside the A+ 900 Series Objectives that cover these topics much more deeply than I do. You can access these Webinars by joining the CompTIA Instructor Network at http://bit.ly/1Sxj3h9.

Remember, this post is part of a series of posts I will be completing. Here are the details for those posts:

To help you get through the holiday doldrums and start your 2016 study schedule off right, we just launched our 220-901 practice test! It includes performance-based questions and covers all the 220-901 topics.


Thanks again for reading!

-Robin Abernathy

The New A+ 900 Series: What’s New (Part 1 of 5)

December 22, 2015 at 4:49 pm | Posted in Certification Paths, CompTIA | 2 Comments

It’s that time again! CompTIA has released a new version of the A+ certification by rolling out the 220-901 and 220-902 exams on December 15. The 220-801 and 220-802 exams are still available, but will retire June 30, 2016 in the United States. This deadline should give you enough time to finish studying for the 800 series if you have already taken one test, because you cannot mix and match exam versions. If you pass the 220-801 or 220-802 exam, you must pass the other 800-series exam to obtain your A+. If you pass the 220-901 or 220-902 exam, you must take the other 900-series exam to obtain the A+.

To help you get through the holiday doldrums and start your 2016 study schedule off right, we just launched our 220-901 practice test!


Once again, with a new release, we see another small shift in the structure and topic coverage of the two exams. Years ago (and I am going to date myself here), the two exams were referred to as a Hardware exam and a Software exam. While I think the topic coverage is moving in this direction again, CompTIA is NOT referring to them in these terms, and all documentation from CompTIA will refer to them as 220-901 and 220-902. Broadly, though, I think of the tests as “hardware and networking” and “software and security.”

For the 220-901 exam, you will be expected to understand installing, configuring, and troubleshooting desktop, laptop, mobile device, and printer hardware, as well as basic networking topics. The breakdown of the exam’s topics are as follows:

  • Hardware – 34%
  • Networking – 21%
  • Mobile Devices – 17%
  • Hardware & Network Troubleshooting – 28%

For the 220-902 exam, you will be expected to understand installing, configuring, and troubleshooting Windows Vista, Windows 7, Windows 8, Windows 8.1, Mac OS, Linux, and mobile device operating systems. (Notice that Windows 10 is NOT included in this list.) It includes virtualization, cloud, and server technologies. It also covers security, including security devices and configuring and troubleshooting security components. Finally, it covers those soft skills and operational procedures required by the IT technician. The breakdown of the exam’s topics is as follows:

  • Windows Operating System – 29%
  • Other Operating Systems & Technologies – 12%
  • Security – 22%
  • Software Troubleshooting – 24%
  • Operational Procedures – 13%

When the 800-series A+ was released back in 2012, many test candidates decided to knock out both exams on the same day because there was so much overlap between the topics being covered. For those exams, this was probably a good strategy. But with the 900-series exams, the structure has changed enough that I would suggest that you prepare to take them separately, NOT on the same day. As you can see from the topic listings above, there is hardly any overlap between the two exams.

Over the next few weeks, I will be posting four more parts to this series and will discuss the changes to each topic area in depth:

CompTIA has launched a new CompTIA Instructor Network (CIN), which I encourage all CompTIA instructors to join. It’s as easy as going here to sign up. It is a great way to network with other instructors. Recently, they started a Deep Dive series of Webinars on the new A+ exams! To access the A+ Deep Dive series, go here.

Watch for my upcoming posts!

-Robin

CISSP 2015: What’s New (Part 5 of 5)

December 10, 2015 at 9:47 am | Posted in CISSP, Study hints, study tips | Leave a comment

In my first post, I gave you a quick overview of the changes to the new CISSP exam.  In my second post, I covered Domains 1 and 2 of the new CISSP exam. In my third post, I covered Domain 3 and 4 of the new CISSP exam. In my fourth post, I covered Domain 5 and 6 of the new CISSP exam. In this, my FINAL post, I will conclude with Domains 7 and 8, Security Operations and Software Development Security.

Broadly speaking, Domain 7 reflects how security should be included as part of day-to-day organizational operations. Domain 8 covers aspects of designing, implementing, and analyzing security for applications.

For my assessment, I’ll start by giving you the entire overview of each domain with its Key Areas of Knowledge. I’ll tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 7: Security Operations – Framework and Key Areas of Knowledge

CISSP 2012 also covered security operations as its own domain. The majority of the old Domain 7 (Security Operations) has been retained, with the addition of new topics that cover investigations, monitoring, resource protection, incident response, recovery strategies, and physical security. Because day-to-day security operations are fundamental to security, this domain contains the most topics of any area in the exam.

This domain also includes a few topics that were moved from the old Domain 8 (Business Continuity and Disaster Recovery Planning), Domain 9 (Legal, Regulations, Investigations, and Compliance), and Domain 10 (Physical (Environmental) Security).

Domain 7 Key Areas of Knowledge:

    1. Understand and support investigations – From Domain 9, subheading c in the old version.
      1. Evidence collection and handling (e.g., chain of custody, interviewing) – From Domain 9, subheading c in the old version.
      2. Reporting and documenting – From Domain 9, subheading c in the old version.
      3. Investigation techniques (e.g., root-cause analysis, incident handling) – From Domain 9, subheading c in the old version.
      4. Digital forensics (e.g., media, network, software, and embedded devices) – From Domain 9, subheading d in the old version.
    2. Understand requirements for investigation types – New
      1. Operational – New
      2. Criminal – New
      3. Civil – New
      4. Regulatory – New
      5. Electronic discovery (eDiscovery) – New
    3. Conduct logging and monitoring activities – From Domain 1, subheading a in the old version.
      1. Intrusion detection and prevention – New
      2. Security information and event management – New
      3. Continuous monitoring – New
      4. Egress monitoring (e.g., data loss prevention, steganography, watermarking) – Mostly New. Steganography and watermarking are from Domain 5, subheading 1 in the old version.
    4. Secure the provisioning of resources – From Domain 9, subheading f in the old version.
      1. Asset inventory (e.g., hardware, software) – New
      2. Configuration management – New
      3. Physical assets – New
      4. Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems) – New
      5. Cloud assets (e.g., services, VMs, storage, networks) – From Domain 9, subheading f in the old version.
      6. Applications (e.g., workloads or private clouds, web services, software as a service) – From Domain 9, subheading f in the old version.
    5. Understand and apply foundational security operations concepts – From Domain 7, subheading a in the old version.
      1. Need to know/least privilege (e.g., entitlement, aggregation, transitive trust) – From Domain 1, subheading c and Domain 7, subheading a in the old version.
      2. Separation of duties and responsibilities – From Domain 7, subheading a in the old version.
      3. Monitor special privileges (e.g., operators, administrators) – From Domain 7, subheading a in the old version.
      4. Job rotation – From Domain 7, subheading a in the old version.
      5. Information lifecycle – From Domain 3, subheading e in the old version.
      6. Service-level agreements – New
    6. Employ resource protection techniques – From Domain 7, subheading b in old version.
      1. Media management – From Domain 7, subheading b in old version.
      2. Hardware and software asset management – From Domain 7, subheading b in old version.
    7. Conduct incident management – From Domain 7, subheading c in the old version.
      1. Detection – From Domain 7, subheading c in the old version.
      2. Response – From Domain 7, subheading c in the old version.
      3. Mitigation – New
      4. Reporting – From Domain 7, subheading c in the old version.
      5. Recovery – From Domain 7, subheading c in the old version.
      6. Remediation – From Domain 7, subheading c in the old version.
      7. Lessons learned – New
    8. Operate and maintain preventative measures – From Domain 7, subheading d in the old version.
      1. Firewalls – New
      2. Intrusion detection and prevention systems – New
      3. Whitelisting/Blacklisting – New
      4. Third-party security services – New
      5. Sandboxing – New
      6. Honeypots/Honeynets – New
      7. Anti-malware – New
    9. Implement and support patch and vulnerability management – From Domain 7, subheading e in the old version.
    10. Participate in and understand change management processes (e.g., versioning, baselining, security impact analysis) – From Domain 7, subheading f in the old version.
    11. Implement recovery strategies – From Domain 8, subheading c in the old version.
      1. Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotation) – From Domain 8, subheading c in the old version.
      2. Recovery site strategies – From Domain 8, subheading c in the old version.
      3. Multiple processing sites (e.g., operationally redundant systems) – New
      4. System resilience, high availability, quality of service, and fault tolerance – From Domain 7, subheading g in the old version.
    12. Implement disaster recovery processes – From Domain 8, subheading d in the old version.
      1. Response – From Domain 8, subheading d in the old version.
      2. Personnel – From Domain 8, subheading d in the old version.
      3. Communications – From Domain 8, subheading d in the old version.
      4. Assessment – From Domain 8, subheading d in the old version.
      5. Restoration – From Domain 8, subheading d in the old version.
      6. Training and awareness – From Domain 8, subheading d in the old version.
    13. Test disaster recovery plans – From Domain 8, subheading e in the old version.
      1. Read-through – From Domain 8, subheading e in the old version.
      2. Walkthrough – From Domain 8, subheading e in the old version.
      3. Simulation – From Domain 8, subheading e in the old version.
      4. Parallel – From Domain 8, subheading e in the old version.
      5. Full interruption – From Domain 8, subheading e in the old version.
    14. Participate in business continuity planning and exercises – New
    15. Implement and manage physical security – From Domain 10, subheading b and c in the old version.
      1. Perimeter (e.g., access control and monitoring) – From Domain 10, subheading b in the old version.
      2. Internal security (e.g., escort requirements/visitor control, keys, and locks) – From Domain 10, subheading c in the old version.
    16. Participate in addressing personnel safety concerns (e.g., duress, travel, monitoring) – From Domain 10, subheading f in the old version.

Domain 7 – Just the New Topics, Ma’am

Here’s a shortlist of the entirely new topics in Domain 7.

Knowledge Area B, Understand requirements for investigation types, contains both new and old topics. The definition of “investigation types” is now a little more granular. The candidate will have to understand correct procedures and what constitutes evidence for each type of investigation:

  • Operational – This is a new topic. This topic will focus on the requirements for operational investigations.
  • Criminal – This is a new topic. This topic will focus on the requirements for criminal investigation.
  • Civil – This is a new topic. This topic will focus on the requirements for civil investigations.
  • Regulatory – This is a new topic. This topic will focus on the requirements for regulatory investigations.
  • Electronic Discovery (eDiscovery) – This is a new topic. This topic will focus on the requirements for eDiscovery investigations.

Knowledge Area C, Conduct logging and monitoring activities, contains both new and old topics. As with Knowledge Area B, the topics have become more granular and specific than in the previous exam. These topics within this Domain are new:

  • Intrusion detection and prevention – This is a new topic. This topic will focus on intrusion detection and prevention as part of operational logging and monitoring.
  • Security information and event management – This is a new topic. This topic will focus on security information and event management (SIEM) as part of operational logging and monitoring.
  • Continuous monitoring – This is a new topic. This topic will focus on continuous monitoring as part of operational logging and monitoring.

Knowledge Area D, Secure the provisioning of resources, contains both new and old topics. The following topics within this Domain are new, and deal with provisioning practices for physical, virtual, and logical assets. Other types of security for these assets are amply covered in Domains 3 and 4. Here the focus is more on sanitization, license management, versioning and baselining, patch management, and inventory control.

  • Asset inventory (e.g., hardware, software) – This is a new topic. This topic will focus on hardware, software, and other asset inventory as a part of resource provisioning.
  • Configuration management – This is a new topic. This topic will focus on configuration management as part of resource provisioning.
  • Physical assets – This is a new topic. This topic will focus on the resource provisioning of physical assets.
  • Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems) – This is a new topic. This topic will focus on the resource provisioning of virtual assets.

Knowledge Area E, Understand and apply foundational security operations concepts, contains mostly old topics, but does contain one new topic. The following topic within this Domain is new:

  • Service-level agreements – This is a new topic, and like most new topics for 2015, is driven by the move toward cloud provisioning. This topic will cover service-level agreements and their effect on security operations.

Knowledge Area G, Conduct incident management, contains both new and old topics. The following topics within this Domain are new:

  • Mitigation – This is a new topic. This topic will test on best practice concepts for incident mitigation.
  • Lessons learned – This is a new topic. This topic will focus on documenting and integrating lessons learned from incidents.

Knowledge Area H, Operate and maintain preventative measures, contains mostly new topics, although the Knowledge Area itself is not new. Most of the topics were implied by the old Domain 7 Knowledge Area D, “Prevent or respond to attacks (e.g., malicious code, zero-day exploit, denial of service),” but again, CISSP 2015 is far more granular. These specific topics within this Domain are new:

  • Firewalls – This is a new topic. This topic will focus on using firewalls for intrusion prevention. The previous exam mentioned firewalls in the context of securing the firewall itself; here, the focus is deployment.
  • Intrusion detection and prevention systems – This is a new topic. This topic will focus on deploying types of intrusion detection and prevention systems (HIDS, NIDS, IPS, and so on).
  • Whitelisting/Blacklisting – This is a new topic. This topic will focus on using whitelisting/blacklisting as a prevention strategy, including its advantages and disadvantages.
  • Third-party security services – This is a new topic. This topic will focus on using third-party security services as part of prevention.
  • Sandboxing – This is a new topic. This topic will focus on using sandboxing as part of prevention.
  • Honeypots/Honeynets – This is a new topic. This topic will focus on using honeypots/honeynets as part of prevention.
  • Anti-malware – This is a new topic. This topic will focus on using anti-malware as part of prevention.

Knowledge Area K, Implement recovery strategies, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Multiple processing sites (e.g., operationally redundant systems) – This is a new topic. This topic will focus on using hot sites, cold sites, service bureaus, and other alternate processing sites for disaster recovery. While the topic may be new, the concept is classic CISSP.

Knowledge Area N, Participate in business continuity planning and exercises, is a new Knowledge Area. It covers designing, maintaining, and implementing business continuity plans and exercises. Again, this is a classic component of risk management and disaster recovery planning; what’s new is the granularity of assigning a complete knowledge area to the concept.

Domain 8: Software Development Security – Framework and Key Areas of Knowledge

Domain 8 consists of content formerly included in the old Domain 4 (Software Development Security). The majority of this Domain was included in CISSP 2012; only a few new topics were introduced for this round. It is primarily concerned with understanding security as part of the software development lifecycle.

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Understand and apply security in the software development lifecycle – From Domain 4, subheading a in the old version.
    1. Development methodologies (e.g., Agile, Waterfall) – From Domain 4, subheading a in the old version.
    2. Maturity models – From Domain 4, subheading a in the old version.
    3. Operation and maintenance – From Domain 4, subheading a in the old version.
    4. Change management – From Domain 4, subheading a in the old version.
    5. Integrated product team (e.g., DevOps) – New
  2. Enforce security controls in development environments – From Domain 4, subheading b in the old version.
    1. Security of the software environments – From Domain 4, subheading b in the old version.
    2. Security weaknesses and vulnerabilities at the source-code level (e.g., buffer overflow, escalation of privilege, input/output validation) – From Domain 4, subheading b in the old version.
    3. Configuration management as an aspect of secure coding – From Domain 4, subheading b in the old version.
    4. Security of code repositories – New
    5. Security of application programming interfaces – From Domain 4, subheading b in the old version.
  3. Assess the effectiveness of software security – From Domain 4, subheading c in the old version.
    1. Auditing and logging of changes – From Domain 4, subheading c in the old version.
    2. Risk analysis and mitigation – From Domain 4, subheading c in the old version.
    3. Acceptance testing – New
  4. Assess security impact of acquired software – New

Domain 8 – Just the New Topics already

Here’s a closer look at the new topics in Domain 8.

Knowledge Area A, Understand and apply security in the software development lifecycle, contains mostly old and one new topic. The following topic within this Domain is new:

  • Integrated product team (e.g., DevOps) – This is a new topic. It covers integrated software development concepts, such as Agile, DevOps, and software assurance.

Knowledge Area B, Enforce security controls in development environments, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Security of code repositories – This is a new topic. It discusses securing code repositories in collaborative development environments.

Knowledge Area C, Assess the effectiveness of software security, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Acceptance testing – This is a new topic. It covers using acceptance testing as part of assessing software security effectiveness.

Knowledge Area D, Assess security impact of acquired software, is a new topic. It covers the procedures for assessing the security impact of acquired software, including commercial software.

Recap

I cannot believe I have finally reached the end of my latest magnum opus. Here’s the complete listing of all parts:

      • Part 1 covered general information about the new CISSP.
      • Part 2 covered new domains 1 and 2.
      • Part 3 covered new domains 3 and 4.
      • Part 4 covered new domains 5 and 6.
      • Part 5 (this post) covers new domains 7 and 8.

It is our sincere hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin A.

CISSP 2015: What’s New (Part 4 of 5)

November 5, 2015 at 1:19 pm | Posted in CISSP, study tips | 2 Comments

In my first post, I gave you a quick overview of the changes to the new CISSP exam.  In my second post, I covered Domains 1 and 2 of the new CISSP exam. In my third post, I covered Domain 3 and 4 of the new CISSP exam.

Today I will cover the next two domains, Identity and Access Management and Security Assessment and Testing. In a nutshell, Domain 5 reflects the need to integrate cloud-based access control to workflows like Office 365 and Google Drive with on-premise access control, and Domain 6 adds coverage of designing, implementing, and analyzing security testing practices.

First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 5: Identity and Access Management – Framework and Key Areas of Knowledge

CISSP 2012 covered identity management as a knowledge area in the access control domain. In CISSP 2015, identity management is elevated to the domain level and combined with access control. The majority of the old Domain 1 (Access control) has been moved to the new Domain 5 (Identity and Access Management), with the addition of new topics that cover identity, session, and credential management.

This domain also includes a few topics from the old Domain 10 (Physical (Environmental) Security).

Domain 5 Key Areas of Knowledge:

    1. Control physical and logical access to assets – From Domain 10, subheading e in the old version.
      1. Information – New
      2. Systems – From Domain 10, subheading e in the old version.
      3. Devices – From Domain 10, subheading e in the old version.
      4. Facilities – New
    2. Manage identification and authentication of people and devices – From Domain 1, subheading a in the old version.
      1. Identity management implementation (e.g., SSO, LDAP) – From Domain 1 in the old version.
      2. Single/multi-factor authentication (e.g., factors, strength, errors, biometrics) – From Domain 1 in the old version.
      3. Accountability – From Domain 1 in the old version.
      4. Session management (e.g., timeouts, screen savers) – New
      5. Registration and proofing of identity – New
      6. Federated identity management (e.g., SAML) – New
      7. Credential management systems – New
    3. Integrate identity as a service – New
    4. Integrate third-party identity services (e.g., on-premise) – New
    5. Implement and manage authorization mechanisms – From Domain 1, subheading a in the old version.
      1. Role-based access control (RBAC) methods – From Domain 1, subheading a in the old version.
      2. Rule-based access control methods – From Domain 1, subheading a in the old version.
      3. Mandatory access control (MAC) – From Domain 1, subheading a in the old version.
      4. Discretionary access control (DAC) – From Domain 1, subheading a in the old version.
    6. Prevent or mitigate access control attacks – From Domain 1, subheading b in old version.
    7. Manage the identity and access provisioning lifecycle (e.g., provisioning, review) – From Domain 1, subheading c and d in the old version.

Domain 5 – Just the New Topics, Ma’am

Next, here’s a shortlist of the entirely new topics in Domain 5.

Knowledge Area A, Control physical and logical access to assets, contains both new and old topics. The definition of “assets” is now a little more granular, replacing “systems and devices” with “information, systems, devices, and facilities.” The following topics within this Domain are new:

  • Information – This is a new topic. This topic will focus on controlling physical and logical access to information.
  • Facilities – This is a new topic. This topic will focus on controlling physical and logical access to buildings and equipment.

Knowledge Area B, Manage identification and authentication of people and devices, contains both new and old topics. The following topics within this Domain are new:

  • Session management (e.g., timeouts, screen savers) – This is a new topic. This topic will focus on mechanisms that provide session management, both online and at the physical client level.
  • Registration and proofing of identity – This is a new topic. This topic will focus on providing registration and using proof of identity mechanisms before issuing authentication credentials to personnel and devices.
  • Federated identity management (e.g., SAML) – This is a new topic. This topic will focus on enterprise-level federated identity management used for single sign-on, including Active Directory Federation Services (AD FS), SAML 2.0, and third-party identity providers.
  • Credential management systems – This is a new topic. This topic will focus on using a credential management system for large enterprises.

Knowledge Area C, Integrate identity as a service, is a new knowledge area. It covers using cloud-based identity-as-a-service (IDaaS) to provide single sign-on services for both SaaS and internal applications. 

Knowledge Area D, Integrate third-party identity services (e.g., on-premise), is also a new knowledge area. This covers using third-party identity services in an enterprise to access both cloud-based and on-premise applications.

Domain 6: Security Assessment and Testing – Framework and Key Areas of Knowledge

A portion of Domain 6 consists of content formerly included in the old Domain 1 (Access Control) and Domain 9 (Business Continuity and Disaster Recovery). However, the majority of this Domain contains content that was not specifically listed in the old CISSP version. To master this domain, you should know the various types of test strategies used by organizations, and understand the strengths and weaknesses of each approach. You should also understand how an organization’s information security policies should be implemented and continually validated. This domain combines policy with practice.

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Design and validate assessment and test strategies – New
  2. Conduct security control testing – New
    1. Vulnerability assessment – From Domain 1, subheading b in the old version.
    2. Penetration testing – From Domain 1, subheading b in the old version.
    3. Log reviews – New
    4. Synthetic transactions – New
    5. Misuse case testing – New
    6. Test coverage analysis – New
    7. Interface testing (e.g., API, UI, physical) – New
  3. Collect security process data – New
    1. Account management (e.g., escalation, revocation) – New
    2. Management review – New
    3. Key performance and risk indicators – New
    4. Backup verification data – New
    5. Training and awareness – New
    6. Disaster recovery and business continuity – New
  4. Analyze and report test outputs (e.g., automated, manual) – New
  5. Conduct or facilitate internal and third party audits – From Domain 9, subheading e in the old version.
Domain 6 – Just the New Topics already

Here’s a closer look at the new topics in Domain 6.

Knowledge Area A, Design and validate assessment and test strategies, is a new knowledge area. It covers the different assessment and test strategies that are used to verify that a control is functioning properly, including automated and manual tests. The key word is “design” – the candidate should understand how to build an integrated strategy, from risk assessment and baselining to implementation and reporting.

From Knowledge Area B, Conduct security control testing:

  • Log reviews – This is a new topic. It discusses using log review as part of a thorough security control testing plan.
  • Synthetic transactions – This is a new topic. It discusses synthetic transactions as part of security control testing.
  • Misuse case testing – This is a new topic. It discusses misuse cases as part of security control testing.
  • Test coverage analysis – This is a new topic. It discusses analyzing test coverage to ensure that all security controls are tested.
  • Interface testing (e.g., API, UI, physical) – This is a new topic. It discusses testing interfaces as part of security control testing.

From Knowledge Area C, Collect security process data:

  • Account management (e.g., escalation, revocation) – This is a new topic. It covers account management as part of collecting security process data.
  • Management review – This is a new topic. It covers management review of the collected security process data.
  • Key performance and risk indicators – This is a new topic. It covers the key performance and risk indicators that should be collected as part of security process data.
  • Backup verification data – This is a new topic. It covers verifying backups (and recording the results) as part of security assessment and testing.
  • Training and awareness – This is a new topic. It covers training and awareness records as part of the security process data that is collected.

Knowledge Area D, Analyze and report test outputs (e.g., automated, manual), is a new knowledge area. It covers interpreting and recording the results of your own testing, as well as the results from third-party audits, and developing new mitigations based on test results.

Recap

In the coming weeks, I will be posting the other 2 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 covered new domain 1 and 2.
      • Part 3 covered new domain 3 and 4.
      • Part 4 (this post) covers new domain 5 and 6.
      • Part 5 will cover new domain 7 and 8.

The last post will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

CISSP 2015: What’s New (Part 3 of 5)

September 30, 2015 at 3:51 pm | Posted in CISSP, Study hints, study tips, Vendor news

In my first post, I gave you a quick overview of the changes to the new CISSP exam.  In my second post, I covered Domains 1 and 2 of the new CISSP exam.

Today I will cover the next two domains, Security Engineering and Communications and Network Security. First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 3: Security Engineering – Framework and Key Areas of Knowledge

The majority of the new Domain 3 merges topics from the old Domain 5 (Cryptography), Domain 6 (Security Architecture and Design), and Domain 10 (Physical Security).

Domain 3 Key Areas of Knowledge:

    1. Implement and manage engineering processes using secure design principles. – New
    2. Understand the fundamental concepts of security models (e.g., confidentiality, integrity, multi-level models) – From Domain 6, subheading a in the old version.
    3. Select controls and countermeasures based upon systems security evaluation models – From Domain 6, subheading b and f in the old version.
    4. Understand security capabilities of information systems (e.g. memory protection, virtualization, trusted platform module, interfaces, fault tolerance) – From Domain 6, subheading c in the old version.
    5. Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
      1. Client-based (e.g., applets, local caches) – From Domain 6, subheading e in the old version.
      2. Server-based (e.g., data flow control) – From Domain 6, subheading e in the old version.
      3. Database security (e.g., inference, aggregation, data mining, data analytics, warehousing) – From Domain 6, subheading e in the old version.
      4. Large-scale parallel data systems – New
      5. Distributed system (e.g., cloud computing, grid computing, peer to peer) – From Domain 6, subheading e in the old version.
      6. Cryptographic systems – New
      7. Industrial control system (e.g., SCADA) – New
    6. Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP) – From Domain 6, subheading e in the old version.
    7. Assess and mitigate vulnerabilities in mobile systems – New
    8. Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of things (IoT)) – New
    9. Apply cryptography
      1. Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance) – From Domain 5, subheading b in the old version.
      2. Cryptographic types (e.g., symmetric, asymmetric, elliptic curves) – From Domain 5, subheading c in the old version.
      3. Public Key Infrastructure (PKI) – From Domain 5, subheading j in the old version.
      4. Key management practices – From Domain 5, subheading d in the old version.
      5. Digital signatures – From Domain 5, subheading e in the old version.
      6. Digital rights management – New
      7. Non-repudiation – From Domain 5, subheading f in the old version.
      8. Integrity (hashing and salting) – From Domain 5, subheading c in the old version.
      9. Methods of cryptanalytic attacks (e.g., brute force, ciphertext only, known plaintext) – From Domain 5, subheading g in the old version.
    10. Apply secure principles to site and facility design – From Domain 10, subheading a in the old version.
    11. Design and implement physical security.
      1. Wiring closets – New
      2. Server rooms – From Domain 10, subheading d in the old version.
      3. Media storage facilities – New
      4. Evidence storage – New
      5. Restricted and work area security (e.g., operations centers) – From Domain 10, subheading d in old version.
      6. Data center security – From Domain 10, subheading d in old version.
      7. Utilities and HVAC considerations – From Domain 10, subheading d in old version.
      8. Water issues (e.g., leakage, flooding) – From Domain 10, subheading d in old version.
      9. Fire prevention, detection, and suppression – From Domain 10, subheading d in the old version.
Domain 3 – Just the New Topics, Ma’am

Next, here’s a shortlist of the entirely new topics in Domain 3.

Knowledge Area A, Implement and manage engineering processes using secure design principles, is a new knowledge area. It covers the secure design principles that need to be understood to pass the exam, including ISO/IEC and NIST standards.

From Knowledge Area E. Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements:

  • Large-scale parallel data systems – This is a new topic. This topic will focus on the vulnerabilities of large-scale parallel data systems.
  • Cryptographic systems – This is a new topic. This topic will focus on the vulnerabilities of cryptographic systems.
  • Industrial control system (e.g., SCADA) – This is a new topic. This topic will focus on the vulnerabilities of industrial control systems.

Knowledge Area G, Assess and mitigate vulnerabilities in mobile systems, is also a new knowledge area. It covers the vulnerabilities of mobile systems.

Knowledge Area H, Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of things (IoT)), is also a new knowledge area. This covers the vulnerabilities of embedded devices and cyber-physical systems.

From Knowledge Area I. Apply cryptography:

  • Digital rights management – This is a new topic. It focuses on using cryptography to provide digital rights management (DRM), including digital watermarking and other access control methods.

From Knowledge Area K. Design and implement physical security:

  • Wiring closets – This is a new topic. It discusses the physical security of wiring closets.
  • Media storage facilities – This is a new topic. It discusses the physical security of media storage facilities.
  • Evidence storage – This is a new topic. It discusses how to properly store evidence.
Domain 4: Communication and Network Security – Framework and Key Areas of Knowledge

The majority of Domain 4 consists of content formerly included in the old Domain 2 (Telecommunications and Network Security).

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation)
    1. OSI and TCP/IP models – From Domain 2, subheading a in the old version.
    2. IP networking – From Domain 2, subheading a in the old version.
    3. Implications of multilayer protocols (e.g., DNP3) – From Domain 2, subheading a in the old version.
    4. Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI) – New
    5. Software-defined networks – New
    6. Wireless networks – New
    7. Cryptography used to maintain communication security – From Domain 5, subheading h in the old version.
  2. Secure network components.
    1. Operation of hardware (e.g., modems, switches, routers, wireless access points, mobile devices) – From Domain 2, subheading b in the old version.
    2. Transmission media (e.g., wired, wireless, fiber) – From Domain 2, subheading b in the old version.
    3. Network access control devices (e.g., firewall, proxies) – From Domain 2, subheading b in the old version.
    4. Endpoint security – From Domain 2, subheading b in the old version.
    5. Content-distribution networks – New
    6. Physical devices – New
  3. Design and establish secure communication channels.
    1. Voice – From Domain 2, subheading c in the old version.
    2. Multimedia collaboration (e.g., remote meeting technology, instant messaging) – From Domain 2, subheading c in the old version.
    3. Remote access (e.g., VPN, screen scraper, virtual application/desktop, telecommuting) – From Domain 2, subheading c in the old version.
    4. Data communications (e.g., VLAN, TLS/SSL) – From Domain 2, subheading c in the old version.
    5. Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation) – New
  4. Prevent or mitigate network attacks – From Domain 2, subheading d in the old version.
Domain 4 – Just the New Topics already

Here’s a closer look at the new topics in Domain 4.

From Knowledge Area A, Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation):

  • Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI) – This is a new topic. It discusses secure design principles for converged protocols.
  • Software-defined networks – This is a new topic. It covers secure design principles for software-defined networks at the infrastructure, control, and application layers.
  • Wireless networks – This is a new topic. It covers secure design principles for wireless networks.

From Knowledge Area B, Secure network components:

  • Content-distribution networks – This is a new topic. It discusses secure network components for content-distribution networks.
  • Physical devices – This is a new topic. It discusses the security of the physical devices that make up the network components.

From Knowledge Area C, Design and establish secure communication channels:

  • Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation) – This is a new topic. It covers the secure communication channels for virtualized networks.
Recap

In the coming weeks, I will be posting the other 2 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 covered new domain 1 and 2.
      • Part 3 (this post) covers new domain 3 and 4.
      • Part 4 will cover new domain 5 and 6.
      • Part 5 will cover new domain 7 and 8.

The next two posts will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

CISSP 2015: What’s New (Part 2 of 5)

September 16, 2015 at 6:29 am | Posted in CISSP, Study hints, study tips, Vendor news

In my first post, I gave you a quick overview of the changes to the new CISSP exam. The topics there should at least help you get started preparing for the exam. With this post, I’ll start discussing the domains covered by the new CISSP exam.

The former version of CISSP had 10 domains:

  1. Access Control
  2. Telecommunications and Network Security
  3. Information Security Governance and Risk Management
  4. Software Development Security
  5. Cryptography
  6. Security Architecture and Design
  7. Security Operations
  8. Business Continuity and Disaster Recovery Planning
  9. Legal, Regulations, Investigations, and Compliance
  10. Physical Security

With the 2015 update, the content was rearranged into 8 domains:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Today I will cover the first two domains, Security and Risk Management and Asset Security. First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 1: Security and Risk Management – Framework and Key Areas of Knowledge

The majority of the new Domain 1 merges topics from the old Domain 3 (Information Security Governance & Risk Management) and Domain 9 (Legal, Regulations, Investigations, & Compliance).

Domain 1 Key Areas of Knowledge:

    1. Understand and apply concepts of confidentiality, integrity, and availability. – From Domain 3, subheading c in old version.
    2. Apply security governance principles through:
      1. Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget, and resources) – From Domain 3, subheading a and j in old version.
      2. Organizational processes (e.g., acquisitions, divestitures, governance committees) – From Domain 3, subheading b in old version.
      3. Security roles and responsibilities – From Domain 3, subheading b and Domain 9, subheading c in old version.
      4. Control frameworks – From Domain 3, subheading b in old version.
      5. Due care – From Domain 3, subheading b in old version.
      6. Due diligence – From Domain 3, subheading b in old version.
    3. Compliance
      1. Legislative and regulatory compliance – From Domain 3, subheading b and Domain 9, subheading e in old version.
      2. Privacy requirements compliance – From Domain 3, subheading b in old version.
    4. Understand legal and regulatory issues that pertain to information security in a global context.
      1. Computer crimes – From Domain 9, subheading a in old version.
      2. Licensing and intellectual property (e.g., copyright, trademark, digital-rights management) – From Domain 9, subheading a in old version.
      3. Import/export controls – From Domain 9, subheading a in old version.
      4. Trans-border data flow – From Domain 9, subheading a in old version.
      5. Privacy – From Domain 9, subheading a in old version.
      6. Data breaches – New
    5. Understand professional ethics.
      1. Exercise (ISC)2 Code of Professional Ethics. – From Domain 9, subheading b in old version.
      2. Support organization’s code of ethics. – From Domain 9, subheading b in old version.
    6. Develop and implement documented security policy, standards, procedures, and guidelines. – From Domain 3, subheading d and j in old version.
    7. Understand business continuity requirements.
      1. Develop and document project scope and plan. – From Domain 8, subheading a in old version.
      2. Conduct business impact analysis. – From Domain 8, subheading b in old version.
    8. Contribute to personnel security policies.
      1. Employment candidate screening (e.g., reference checks, education verification) – From Domain 3, subheading h in old version.
      2. Employment agreement and policies – From Domain 3, subheading h in old version.
      3. Employment termination processes – From Domain 3, subheading h in old version.
      4. Vendor, consultant, and contractor controls – From Domain 3, subheading h in old version.
      5. Compliance – New
      6. Privacy – New
    9. Understand and apply risk management concepts.
      1. Identify threats and vulnerabilities. – From Domain 3, subheading g in old version.
      2. Risk assessment/analysis (qualitative, quantitative, hybrid) – From Domain 3, subheading g in old version.
      3. Risk assignment/acceptance (e.g., system authorization) – From Domain 3, subheading g in old version.
      4. Countermeasure selection – From Domain 3, subheading g in old version.
      5. Implementation – New
      6. Types of controls (preventive, directive, corrective, etc.) – From Domain 1, subheading a in old version.
      7. Control assessment – New
      8. Monitoring and measurement – New
      9. Asset valuation – From Domain 1, subheading b and Domain 3, subheading g in old version.
      10. Reporting – New
      11. Continuous improvement – New
      12. Risk frameworks – New
    10. Understand and apply threat modeling. – Although some of this topic was covered in Domain 1, subheading b, the majority of this topic is new.
      1. Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – New
      2. Determining and diagramming potential attacks (e.g., social engineering, spoofing) – New
      3. Performing reduction analysis – New
      4. Technologies and processes to remediate threats (e.g., software architecture and operations) – New
    11. Integrate security risk considerations into acquisition strategy and practice
      1. Hardware, software, and services – New
      2. Third-party assessment and monitoring (e.g. on-site assessment, document exchange and review, process/policy review) – From Domain 3, subheading f in the old version.
      3. Minimum security requirements – New
      4. Service-level requirements – New
    12. Establish and manage information security education, training, and awareness – From Domain 3, subheading i in old version. Although this topic is covered there, the 2015 subheadings are all new.
      1. Appropriate levels of awareness, training, and education required within organization – New
      2. Periodic reviews for content relevancy – New
Domain 1 – Just the New Topics, Ma’am

Next, here’s a shortlist of the entirely new topics in Domain 1.

From Knowledge Area D. Understand legal and regulatory issues that pertain to information security in a global context:

  • Data breaches – While this is a “new” topic because it wasn’t originally in Domain 9, subheading a, most of the topics covered in this section should already be known to the security professional.

From Knowledge Area H. Contribute to personnel security policies:

  • Compliance – This is a new topic. While compliance is covered in other areas, the CISSP exam has never specifically covered compliance as related to personnel security policies. This topic will focus on the ways an organization can ensure that personnel comply with any security policies that are in place.
  • Privacy – This is a new topic. While privacy is covered in other areas, the CISSP exam has never specifically covered privacy as related to personnel. This topic will focus on the organization’s responsibility to ensure that personnel’s information remains private, and also on how to ensure that personnel understand the importance of privacy for any data the organization owns.

From Knowledge Area I. Understand and apply risk management concepts:

  • Implementation – This is a new topic. It focuses on following implementation guidelines when implementing a risk management process at an organization.
  • Control assessment – This is a new topic. It covers how to assess the controls that you have implemented.
  • Monitoring and measurement – This is a new topic. It covers monitoring and measuring risk and the controls that are implemented to protect against the risks.
  • Reporting – This is a new topic. It explains the process for reporting on risk management.
  • Continuous improvement – This is a new topic. It covers how to improve the risk management process over time.
  • Risk frameworks – While technically a new topic, risk frameworks were generally covered as part of the risk management process, just not as an individual topic. This topic is about any international and industry risk frameworks that may be available to help guide your organization.

From Knowledge Area J. Understand and apply threat modeling:

  • Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – This is a new topic. It discusses the different threats to organizational security.
  • Determining and diagramming potential attacks (e.g., social engineering, spoofing) – This is a new topic. It focuses on the potential attacks that the threats can carry out.
  • Performing reduction analysis – This is a new topic. It discusses how to break a system down into its components and trust boundaries to determine whether the identified threats, and the attacks they can carry out, can be reduced.
  • Technologies and processes to remediate threats (e.g., software architecture and operations) – This is a new topic. It focuses on how to remediate the threats that you identified.

From Knowledge Area K. Integrate security risk considerations into acquisition strategy and practice:

  • Hardware, software, and services – This is a new topic. It analyzes the security risks when integrating hardware, software, and services when acquisitions occur.
  • Minimum security requirements – This is a new topic. It focuses on determining the minimum security requirements when an acquisition occurs.
  • Service-level requirements – This is a new topic. It discusses all facets of service-level requirements when acquisitions occur.

From Knowledge Area L. Establish and manage information security education, training, and awareness:

  • Appropriate levels of awareness, training, and education required within organization – This is a new topic. It covers levels of security awareness, training, and education that should be provided to personnel.
  • Periodic reviews for content relevancy – This is a new topic. It focuses on reviewing the security education, training, and awareness program to ensure that new security topics are covered.
Domain 2: Asset Security – Framework and Key Areas of Knowledge

The majority of Domain 2 consists of new knowledge areas and topics, though it also pulls in a bit of content formerly included in the old Domain 5 (Cryptography) and Domain 7 (Operations Security). Why is there so much new content to cover here? Big data is a big asset, and as (ISC)2 points out, privacy considerations have increased due to “the rapid expansion in the collection and storage of digitized personal information.”

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Classify information and supporting assets (e.g., sensitivity, criticality) – New
  2. Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – New
  3. Protect privacy – New
    1. Data owners – New
    2. Data processors – New
    3. Data remanence – New
    4. Collection limitation – New
  4. Ensure appropriate retention (e.g., media, hardware, personnel) – From Domain 7, subheading a in the old version.
  5. Determine data security controls (e.g., data at rest, data in transit) – From Domain 5, subheading a in old version. Although this topic is covered there, the 2015 subheadings are all new.
    1. Baselines – New
    2. Scoping and tailoring – New
    3. Standards selection – New
    4. Cryptography – New
  6. Establish handling requirements (markings, labels, storage, destruction of sensitive information) – From Domain 7, subheading a in the old version.
Domain 2 – Just the New Topics already

Here’s a closer look at the new topics in Domain 2.

Knowledge Area A, Classify information and supporting assets (e.g., sensitivity, criticality) – Although this is a new knowledge area, it was covered (though briefly) as part of the former CISSP. It covers the procedures for classifying information and assets as part of securing them.

Knowledge Area B, Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – This is a new knowledge area. It focuses on determining which organizational entity or personnel owns the assets you have identified.

Knowledge Area C, Protect privacy – This is another new knowledge area. It discusses protecting the privacy of information and assets. All of the subheadings in this category are also new.

  • Data owners – This is a new topic. It covers the responsibilities of data owners to ensure the privacy of information and assets.
  • Data processors – This is a new topic. It focuses on ensuring that all data processors (including personnel and other assets) understand the importance of information and asset privacy.
  • Data remanence – This is a new topic. It discusses data remanence and its effects on information and asset privacy.
  • Collection limitation – This is a new topic. It focuses on the collection limitations regarding asset privacy.

From Knowledge Area E, Determine data security controls (e.g., data at rest, data in transit):

  • Baselines – This is a new topic. It covers how to obtain data security control baselines.
  • Scoping and tailoring – This is a new topic. It analyzes how to scope and tailor the data security controls to meet the organization’s needs.
  • Standards selection – This is a new topic. It focuses on how to select the security control standards that your organization will use.
  • Cryptography – While technically a new topic, knowledge of cryptography and its effect on data security were covered in Domain 5 in the old version.
Recap

In the coming weeks, I will be posting the other 3 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 (this post) covers new domain 1 and 2.
      • Part 3 will cover new domain 3 and 4.
      • Part 4 will cover new domain 5 and 6.
      • Part 5 will cover new domain 7 and 8.

The next three posts will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

CISSP 2015: What’s New (Part 1 of 5)

August 26, 2015 at 8:43 am | Posted in CISSP, Study hints, study tips | Leave a comment

As many of you are probably aware, (ISC)2 updated the Certified Information Systems Security Professional (CISSP) exam in April 2015. You may be worried that the update meant all the existing CISSP products out there immediately became obsolete. Fortunately, that is just not true.

So what did change? Well, there are several points that you need to understand about this new version. (ISC)2 posted a wonderful FAQ regarding the new version: https://www.isc2.org/cissp-sscp-domains-faq/default.aspx.

Here’s what I found from my own investigation of the new CISSP exam.

No topics were REMOVED from the exam.

From the FAQ link above: “Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains.” There was also this answer to a question: “Content was not removed from the exam and/or training material, but rather refreshed and reorganized to include the most current information and best practices relevant to the global information security industry.”

New topics WERE added to the exam.

From the FAQ link above: “The CISSP exam is being updated to stay relevant amidst the changes occurring in the information security field. Refreshed technical content has been added to the Official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today.”

New item types WERE added to the exam.

The exam includes both multiple choice and “advanced innovative” questions. The new innovative questions are hot spot and drag-and-drop questions. For more information on these question types, see https://www.isc2.org/innovative-cissp-questions/default.aspx.

The exam contains the same number of questions as before.

This exam still has 250 questions. You still have 6 hours to complete the exam.

The exam was condensed from 10 domains to 8 domains.

But let me repeat, content was not removed. It was simply restructured.

The new domains are:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

The experience prerequisites have not changed.

Again, as per the FAQ: “For the CISSP, a candidate is required to have a minimum of 5 years of cumulative paid full-time work experience in 2 out of the 8 domains (experience in 2 out of the total number of domains) of the CISSP CBK.”

If you don’t meet the experience requirements, you can still take the exam.

Basically, if you take and pass the exam without having the experience requirements, you don’t get the CISSP certification, but you do become an Associate of (ISC)2. That means they give you six years to meet the experience and CISSP endorsement requirements. See https://www.isc2.org/how-to-become-an-associate.aspx for more information on this loophole.

More detailed analysis is in the works!

Now that you are caught up on the basics regarding this exam, you need to understand the difference between the old domains and new domains. In the coming weeks, I will be posting the other 4 parts of this series. (Hyperlinks will be added as the posts are written.)

  • Part 2 covers new domain 1 and 2
  • Part 3 covers new domain 3 and 4
  • Part 4 covers new domain 5 and 6
  • Part 5 covers new domain 7 and 8

Each of these posts will show you where any topics that were in the old version came from and highlight any new topics.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin Abernathy
