The Virtual Bookcase Reviews of 'CISSP: Certified Information Systems Security Professional Study Guide':
Reviewer Rob Slade wrote:
Although the table of contents departs from the usual ten domains of
the CISSP CBK (Common Body of Knowledge), the introduction points out
that the nineteen chapters actually represent two chapters for each of
the ten domains, except for physical security. While begging the
question of why the domains need to be so divided, the structure
doesn't quite follow the (ISC)^2 domains: security models, for
example, are covered in the chapter on access control, rather than the
chapter on security models. An interesting aspect of this book is an
"assessment test," given at the beginning of the book. This is a good
idea to focus the student on both the content and the type of
questions likely to be on the CISSP exam--or, it would be, if the test
was representative of the CISSP exam itself. Unfortunately, too many
of the queries presented are the usual sad mix: strictly fact based
and too simplistic. A number of others use nonstandard terminology,
and the answers given in the key are correct only in the sense that
they are the "least wrong" of the options provided. This quality of
enquiry holds true for the other quizzes in the book.
Chapter one deals with a part of access control, but the vital topic
of controls themselves is only partially covered, neglecting, for
example, deterrent, directive, and recovery controls. At the same
time, idiosyncratic terms are added, such as the "Type 1," "Type 2," and
"Type 3" distinctions for different authentication factors. A number
of topics, such as biometrics, Kerberos, and the Bell-LaPadula
security model, are not explained in a depth appropriate to the level
of the exam. Attacks and monitoring, in chapter two, provides too
much space to the assaults, at the expense of detail in terms of
intrusion detection (the difference between host and network based
systems is not properly explained, and the four types are reduced to
two). A standard overview of TCP/IP, with almost no reference to
security, is given in chapter three. (The minimal mention of
firewalls is very brief, confuses firewall types and topologies, and
completely misses circuit-level proxies.) Chapter four covers a
number of communications security technologies, but tersely, and
without any organizational structure. I frequently note that security
essentially *is* management, so the ludicrously inadequate list of
random concepts and terminology in chapter five's dismissal of
security management comes as a shock. Chapter six is better, with a
review of the aspects of a security policy (though not much help in
creating one) and a reasonably adequate overview of risk analysis and
management. Data and application security, in chapter seven, has a
very ragged structure, and an obvious lack of familiarity with basic
issues. (Polyinstantiation is an aspect of object-oriented
programming, rather than a risk of database security.) Malicious code
gets a fair, but dated, examination, but chapter eight also contains a
random assortment of other threats, many of which should be dealt with
elsewhere. Chapter nine lists a number of basic concepts in
cryptography, as well as major encryption systems, but the
explanations clearly demonstrate that the authors do not understand
the fundamental operations. (Modular arithmetic is not restricted to
decimal representation, and the transposition example used does not
require a keyword or alphabetical ordering.) As with the other
"second chapters" in the book, chapter ten collects the random
cryptography topics that haven't been dealt with. Chapter eleven
presents a list of computer hardware basics, rather than the computer
architecture that it should be discussing. Security models are
mentioned briefly in chapter twelve (sometimes contradicting the
earlier material), but most of the content is a grab bag of
certification terms and some vulnerabilities missed in the prior
compilations. Updating antivirals, performing backups, and protecting
media passes for operations security in chapter thirteen, while
auditing and monitoring are covered better in fourteen. Business
continuity and disaster recovery are given the usual treatment in
chapters fifteen and sixteen, respectively. Law and investigation, in
chapter seventeen, concentrates too much on specific US statutes, and
far too little on legal principles and forensic examination. Chapter
eighteen spends too much time on specific incidents, rather than
process, and, predictably, allows ethics only two pages. At first
glance, the material on physical security, in chapter nineteen, seems
adequate, but closer examination reveals gaps and missing information.
When physically lined up with the other CISSP guides, this one appears
to be closest in size to Harris' leading "All-in-One" guide (see
reviews). Appearances, and particularly sheer physical bulk, can
obviously be deceiving. The actual useful content, when stripped of
the excessive verbiage, is only about the same as the lower ranked
works, such as Harris' second attempt (see reviews), Endorf's (see
reviews), or Miller/Gregory (see reviews). Possibly it is equal to
the similarly bulky, and unreliable, entry by Bragg (see reviews).
Krutz and Vines' "Gold Edition", comparable in size, has a greater
breadth of coverage, although possibly less depth.
Could this book get you through the CISSP exam? Well, that would
depend upon your background. If you had a lot of experience in
security, then possibly yes. But then, you wouldn't need the book,
now would you?
copyright Robert M. Slade, 2003