Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In my last three columns, I began responding to a former student who recently wrote to me with a request for suggestions on what to read in preparing for the CISSP exam. In this fourth and last article, I suggest a few valuable (albeit sometimes expensive) books and some (free) review materials for such preparation.
Readers will find other lists of suggested readings on the Web by using the search string “CISSP preparation course” in a Web search engine.
In my opinion, some of the most useful books for overall coverage of the field are:
* _The Official (ISC)2 Guide to the CISSP Exam_ by Susan Hansche, CISSP, John Berti, CISSP and Chris Hare, CISSP (ISBN: 0-8493-1707-X) is available from the (ISC)2 Company Store.
* _Information Security Management Handbook on CD-ROM, 2006 Edition_ (a classic in the field) by Harold F. Tipton and Micki Krause
* _Handbook of Information Security_, 3-Volume Set (http://tinyurl.com/yf2549) by Hossein Bidgoli (I chose this as the new textbook for our Master’s program at Norwich University; get your company to buy it for their library). I reviewed this enormous work in this column a year ago.
* _Computer Security Handbook 4th Edition_ by Seymour Bosworth and M. E. Kabay (of course, I’m biased). Most people refer to this as the “CSH4.”
In addition, the (ISC)2 provides a slightly disorganized list of books. For some reason it refers to the 3rd edition of the CSH (twice) but not to the CSH4.
Ideally, people preparing for any exam do best if they can study in teams. For example, they can use my own lecture slides as review material to quiz each other - they should be able to speak intelligently about every point on every slide. The files thus serve as one of the ways to check for holes in coverage of the material and also as a way of consolidating and strengthening knowledge:
* I340 Intro to IA lectures (last updated Fall 2005) cover the first half of the CSH4.
* IS342 Management of IA (last updated Spring 2006). As you would expect, this course covers the second half of the CSH4.
* CJ341 Cybercrime & Cyberlaw (last updated Fall 2006) is a mind-numbingly detailed look at how law enforcement has to deal with digital evidence, including the specific laws relating to computer crimes of all sorts. Personally, I love it, but I know that some people find it dry. Still, “Legal, Regulations, Compliance and Investigations” is one of the 10 domains of the CBK (Common Body of Knowledge) for the CISSP.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
Comments (1)
Preparing for the CISSP exam, Part 4
By Anonymous on March 29, 2007, 3:02 pm
I read somewhere that becoming a member of some organization can save you $100 on the CISSP exam fee, any ideas on this? Regards, Harold haroldusnc@yahoo.com