Original link:
http://www.windowsecurity.com/whitepapers/Getting-a-CISSP.html
Getting a CISSP
think of it as a journey ...
In March of 2001 I started on a mission: to get a CISSP certification. "Easy", I thought: do some studying, sit an exam, pass with flying colours, then sit back and wait for the job offers to come rolling in. I was wrong. Really wrong.
Myth #1: A CISSP certification is easy.
Well, some people may think that it is easy. Most people find it hard work: you need to have at least 3 years in IT security before you can even apply for the exam. You need to cover an extremely broad landscape of IT security, including many areas, such as physical security, in which few people will have any experience. And you'll need to do a fair bit of reading and studying to get through that exam: 250 questions to answer in 6 hours isn't much fun.
Myth #2: Once you get it, just sit back and relax.
No. Once you pass the exam you need to earn CPE (Continuing Professional Education) credits in order to keep your certification. If you don't, you'll need to re-sit the exam after 3 years to keep the certification. Getting CPEs is fairly straightforward: if you publish papers, attend seminars, do some presentations, and basically remain active in the IT security arena, then you should have no problem here. But it takes a little work: this isn't a get-it-and-forget-it sort of certification.
Myth #3: You'll get more money/better job/more recognition.
In actual fact, you probably won't. I've found (at least here in New Zealand) that many employers and even employment agencies have no idea what a CISSP is. They tend to think in terms of product certifications; you know, the Cisco CCNA and Checkpoint CCSE sort of thing. They have no idea that you need 3 years of experience to get a CISSP, and they have no idea that it is an ongoing professional-level certification like a CPA or Chartered Accountant. Ergo, you probably won't get a better job or more money from waving your CISSP certificate around.
So, why would you want a CISSP? It's not easy to get, it takes maintenance, and it may not gain you much. Why would you want to go through all that hassle? Here are some good reasons:
To expand your knowledge in security concepts and practices.
To show a dedication to the security discipline.
To meet a growing demand for security professionals, and to work in a thriving field.
To join a professional organisation and to link up with like-minded individuals.
If you're genuinely interested in IT security (cryptography, practices, ethics, etc.), and you feel you need a driver to learn more, then the CISSP is for you. Book the exam (if possible, getting your employer to pay the fee), then start learning as much as possible. On the other hand, if you just want a better job or more money, then get an MCSE or CCNA.
How to begin: Don't panic!
First of all, go to the ISC2 web site and see when the next exams will be held in your area. You'll need at least 4 weeks for preparation, so pick an exam date that is 4 or more weeks away. You can also get a short study guide at the ISC2 web site (I believe you need to perform a non-committal registration first). Then start collecting study material: books, papers, and maybe training courses if they are available in your area. The Open Study Guide papers at CCCure.org are very useful: download and print these, then read through them with a pen in your hand, making notes and corrections along the way.
How much studying you do depends on what your level of skill is, how much free time you have, and how long you've got until the exam. I studied for 8 months, averaging about 1 hour per day. It sounds like a lot, but this was really because I had 8 months to wait between when I decided to do the certification and when the next exam was scheduled in my area.
You should definitely do a good number of sample questions before sitting the exam. The CCCure.org web site has a number of sample questions available, as does the Krutz & Vines book. Be sure to do the questions "blind", that is, with the answers completely hidden. After answering all of the questions, go through and score them. If you get questions wrong, go back to the study material and work until you know exactly why you got it wrong and what the correct answer should be. Repeat the cycle until you get consistently high scores (90% would be a good target).
For more information: The following links will give you much more information on the CISSP examination than I can provide here. Read on.
The official ISC2 CISSP site. Here is where you get some information and register for the exam. This is CISSP central.
Reasons to become a CISSP (PDF). A great paper with a good overview on certifying and staying certified.
The CISSP Open Study Guide (OSG). This is a collection of freely available study guides, and a lot of other information, which is very useful when studying for the CISSP.
Books that I've found useful: And some which aren't.
Ross Anderson's Security Engineering: a huge book covering many areas, although not the full CISSP landscape. A very good read if you're interested in IT security.
Krutz & Vines CISSP Prep Guide: a good book to study just before the exam. Be wary, however, that the sample questions seem to be overly easy, and the book doesn't give much of an indication of how the exam questions are spread across the 10 CBK domains.
The SRV CISSP Books should be avoided. These are not well written, and the information is out of date and in some cases irrelevant. Some of the answers to the sample questions are wrong. These books cost a lot, too. You're better off reading the Open Study Guides.
Don't waste your time reading books which are too detailed. E.g. Hacking Exposed (McClure/Scambray/Kurtz): while this is a very good book, it has far too much detail to be worthwhile reading for the CISSP exam. If you're ordering from Amazon then go ahead and buy yourself a copy, but don't use it for studying.
About Kerry Thompson
Kerry Thompson is a Technology Consultant based in Auckland, New Zealand, specialising in IT security and open systems. He has more than 20 years of experience in the area and often publishes white papers on IT security, both online and in a number of magazines.
http://www.crypt.gen.nz/