Preparing for the CISSP exam, Part 4

Last in a short series on CISSP exam preparation resources

Security Strategies Alert By M. E. Kabay, Network World
January 16, 2007 12:26 PM ET

The long view of security strategies for your network.

In my last three columns, I began responding to a former student who recently wrote to me with a request for suggestions on what to read in preparing for the CISSP exam. In this fourth and last article, I suggest a few valuable (albeit sometimes expensive) books and some (free) review materials for such preparation.

Readers will find other lists of suggested readings on the Web by using the search string “CISSP preparation course” in a Web search engine.

In my opinion, some of the most useful books for overall coverage of the field are:

* _The Official (ISC)2 Guide to the CISSP Exam_ by Susan Hansche, CISSP, John Berti, CISSP and Chris Hare, CISSP (ISBN: 0-8493-1707-X) is available from the (ISC)2 Company Store.

* _Information Security Management Handbook on CD-ROM, 2006 Edition_ (a classic in the field) by Harold F. Tipton and Micki Krause

* _Handbook of Information Security_ http://tinyurl.com/yf2549 3-Volume Set (I chose this as the new textbook for our Master’s program at Norwich University) by Hossein Bidgoli (get your company to buy it for their library). I reviewed this enormous work in this column a year ago.

* _Computer Security Handbook 4th Edition_ by Seymour Bosworth and M. E. Kabay (of course, I’m biased). Most people refer to this as the “CSH4.”

In addition, (ISC)2 provides a slightly disorganized list of books. For some reason it refers to the 3rd edition of the CSH (twice) but not to the CSH4.

Ideally, people preparing for any exam do best if they can study in teams. For example, they can use my own lecture slides as review material to quiz each other - they should be able to speak intelligently about every point on every slide. The files thus serve as one of the ways to check for holes in coverage of the material and also as a way of consolidating and strengthening knowledge:

* IS340 Intro to IA lectures (last updated Fall 2005) cover the first half of the CSH4.

* IS342 Management of IA (last updated Spring 2006). As you would expect, this course covers the second half of the CSH4.

* CJ341 Cybercrime & Cyberlaw (last updated Fall 2006) is a mind-numbingly detailed look at how law enforcement has to deal with digital evidence, including the specific laws relating to computer crimes of all sorts. Personally, I love it, but I know that some people find it dry. Still, “Legal, Regulations, Compliance and Investigations” is one of the 10 domains of the CBK (Common Body of Knowledge) for the CISSP.

In addition to all of this (mostly) free knowledge, it is also possible to enroll in a wide range of preparatory courses. I myself have taught for the (ISC)2 and think their courses are good reviews. I am leery, however, of taking a short course _instead_ of reading and thinking for a long time about any subject beyond the purely technical. In my experience, the most important aspect of learning is thinking, not memory. Take a course if you like, but not just before your exam. Use the course as a form of review and verification - a tool for strengthening what you already know but above all for identifying what you have to think and learn about at greater length.

And good luck to all in your certification exams!


M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.