[Repost] ISC2 Network Security Certification: CISSP
Source: EvilOctal (邪恶八进制) Information Security Team ([url]www.eviloctal.com[/url]). Author: ISC2
(ISC)2 Network Security Certification: CISSP (Certified Information Systems Security Professional)
Information technology is used ever more widely in daily life, and the information security problems that come with it are growing more serious. As technology advances and commercial competition intensifies, many companies increasingly recognize the importance of system security and hire professional system security analysts to set the rules that protect company trade secrets and customer data.
A recent report predicts that by 2005 computer crime will increase 100-fold, and enterprises that cannot effectively protect their data and systems will suffer major losses. The ability to solve information system security problems has become a required skill for tomorrow's network professionals, and certification exams in this area have become the hottest of the hot.
The CISSP certification helps enterprises and organizations identify technical talent. Holding the CISSP demonstrates that you are a security professional with a substantial level of knowledge and experience who keeps up with the latest developments in security technology. As proof of a practitioner's technical competence, the CISSP is widely recognized; many organizations are currently looking for security professionals, and holding the CISSP is a significant advantage. At present fewer than 3,000 people worldwide hold the CISSP, with an average starting salary of US$75,000 per year; combined with Cisco or Microsoft certifications, and depending on your experience and job responsibilities, starting salaries range from US$95,000 to US$125,000. However, no organization requires that you hold this certificate.
History of (ISC)2
(ISC)2 was founded in mid-1989 as an independent, non-profit organization whose goal is to develop and administer a certification body for information security practitioners. It is headquartered in North America, and its certification quickly gained international recognition. (ISC)2 has administered the CISSP examination since 1992. More information is available at [url]www.isc2.org[/url].
Requirements for CISSP candidates
Abide by (ISC)2's rules and regulations;
At least three years of work experience in one or more of the ten examination domains defined by the information systems security CBK (Common Body of Knowledge). You may be a practitioner in an information security related field, an auditor, a consultant, a customer, an investor, or an instructor, provided your work directly applies information systems security knowledge. The three years of experience may be cumulative.
Recertification is required every three years; you must earn 120 Continuing Professional Education (CPE) credits within each three-year period.
CISSP Exam Overview:
What does the CISSP examination consist of?
The CISSP exam is a 250-question English-language examination. Two hundred and twenty-five of the questions are scored; the remaining twenty-five are unscored pre-test questions. Candidates are given 6 hours to complete the exam, although most complete it in about 4 hours.
Are there different versions for each country?
No. The test is based on internationally accepted information security standards and practices. There are no country-specific questions or language. The same English-language version is given throughout the world.
What do the questions cover?
Examination questions cover all ten domains of the Common Body of Knowledge (CBK). Questions are "scrambled" on the examination; they are not presented in domain order. The domains are:
1. Access Control Systems and Methodology
2. Telecommunications and Networking Security
3. Security Management Practices
4. Application and Systems Development Security
5. Cryptography
6. Security Architecture and Models
7. Operations Security
8. Business Continuity and Disaster Recovery Planning
9. Law, Investigation and Ethics
10. Physical Security
Are the pre-test questions identified?
No. They are scrambled into the examination along with the scored items.
What type of questions are there?
All test questions are multiple choice with four possible answers. They are designed to test a candidate's knowledge of information security facts and concepts and their application.
How hard is the examination?
The examination tests the knowledge expected of a practitioner with 3-5 years of experience. It is designed to test for the minimum level of competency acceptable for someone to be certified as an information systems security professional. A knowledgeable candidate should not find the examination difficult.
If the examination isn't particularly difficult, why don't more people pass it?
What makes the examination difficult is the expansive knowledge base it covers; it is hard to develop expertise in all ten domains.
Are the questions in the Study Guide really representative of examination questions?
The study guide questions are good examples of the format and type of question you will see on the exam, but they are not necessarily representative of its difficulty.
Which domains are the hardest?
Candidates usually score lowest in the domains that are not part of everyday security management, such as cryptography, security architecture, and physical security.
How current is the examination?
Each year between 100 and 150 new questions are added to the question pool, many of them based on new security technologies. You can expect to find questions on current technologies, practices and standards.
Are there questions on NT or UNIX?
The CISSP examination is not vendor- or commercial-product-specific. There are questions on the security models and methodologies used by these systems, but only security products that are commonly used and freely available (e.g., SATAN) are acceptable subjects for examination questions.
What's the passing score?
There is no fixed passing score for the examination. The cut score for each examination is calculated by equating the scoring values associated with each question. Passing rates are estimated to be in the 70% to 80% range. Fewer than 8% of those tested achieve scores higher than 85%.
How detailed are the questions, what depth of knowledge is being tested?
The CISSP examination is designed to evaluate the ability of a security manager, engineer or architect to properly evaluate, select, deploy and assess security measures. A candidate should have detailed enough knowledge of security designs, measures, vulnerabilities, etc. to accomplish these tasks successfully.
Term for certification
Target audience:
Those who wish to enter the field of IT information security, system security engineers, IT department managers, and network administrators.
Prerequisites:
Basic familiarity with Windows / UNIX / Linux systems, and with the Internet and TCP/IP
Basic understanding of network security systems, with 3-4 years of related network security work experience
Course content:
Module 1: Security Management Practices
- Concepts & Objectives
- Risk Management
- Policies and Procedures
- Information Classification
- Information Security Roles and Responsibilities
- Information Security Awareness
- Handling Incidents
Module 2: Access Control Systems & Methodology
- Concepts
- Issues
- Identification & Authentication
- Single Sign On
- Centralized Access Control Methodologies
- Decentralized/Distributed Access Control Methodologies
- Access Control Technologies
- Access Control Monitoring
Module 3: Law, Investigations, Ethics
- Laws and Regulations
- Conducting Investigations
- Information Ethics
Module 4: Physical Security
- Facilities Management
- Personnel Security
- Physical Controls
Module 5: Business Continuity & Disaster Recovery Planning
- Business Continuity Concepts
- Disaster Recovery Concepts
- Recovery Planning Process
- Program Management
- Vulnerability Assessment
- Plan Development & Maintenance
- Plan Testing
- Prevention
Module 6: Security Architecture & Models
- Computer Science and Architecture
- Security and Control Concepts
- Security Models
- Evaluation Criteria
- Host Based Security
- Client Server Security
- Network Architecture
- Network Security
- IP Security Architecture
Module 7: Cryptography
- History
- Definitions
- Applications & Uses of Cryptography
- Protocols and Standards
- Basic Technologies
- Encryption Systems
- Symmetric / Asymmetric Cryptography
- Digital Signatures
- E-mail Security Using Encryption
- Internet Security Using Encryption
- Key Management
- Public Key Infrastructure (PKI)
- Cryptanalysis & Attacks
- Export Issues
Module 8: Telecommunications & Network Security
- Communications Security Management
- Network Protocols
- Identification & Authentication
- Data Communications
- Internet & Web Security
- Attack Methods
- Multimedia Security
- Incident Response Management
Module 9: Applications & Systems Development
- Definitions
- Security Goals & Threats
- System Life Cycle
- Security Architecture
- Change Control
- Application Development & Security Measures
- Databases and Data Warehousing
- Knowledge Based Systems
Module 10: Operations Security
- Resources
- Privileges
- Control Mechanisms
- Potential Abuses
- Appropriate Controls
- Principles