BKMMCISP.RVW   20021106

"Mike Meyers' Certification Passport CISSP", Shon Harris, 2002,
0-07-222578-5, U$29.99/C$44.95
%A   Shon Harris shonharris@hotmail.com www.intenseschool.com
%C   300 Water Street, Whitby, Ontario L1N 9B6
%D   2002
%G   0-07-222578-5
%I   McGraw-Hill Ryerson/Osborne
%O   U$29.99/C$44.95 +1-800-565-5758 +1-905-430-5134 fax: 905-430-5020
%O   http://www.amazon.com/exec/obidos/ASIN/0072225785/robsladesinterne
%P   422 p.
%T   "Mike Meyers' Certification Passport CISSP"
There is a "Check-In" foreword, which seems to be about the series, and an introduction that provides a very terse overview of the CISSP (Certified Information Systems Security Professional) exam.

The book consists of ten chapters, one for each of the CBK (Common Body of Knowledge) domains. "Security Management Practices" demonstrates that the book is perhaps a bit too thin: illustrations and other materials from Harris' "All-in-One" guide (cf. BKCISPA1.RVW) appear, but most of the tutorial material is vague and generic. (When covering "controls," a vital concept in this domain, the text provides an "exam tip" that controls should be visible enough to deter misdeeds, but not visible enough to be avoided, but completely neglects the second axis of the control matrix, which covers deterrence, detection, and so forth.) The review questions at the end of the chapter are better than some, but still quite simplistic. As well as being limited, the content is suspect in places: a "cognitive password" is very insecure, and why would a retina scanner blow air into your eye? The "Computers 101" part of "Security Architecture and Models" is all right, although very brief and with significant gaps, but the formal models are simplified to a problematic extent (and the explanation of lattice models is flatly wrong). The "Physical Security" chapter is probably adequate for study purposes. Even after all of the above, I was surprised at how poor the material in "Telecommunications and Networking Security" was. The TCP/IP content is definitely insufficient, and specific errors are made in a number of areas (such as the ability of PPTP [Point-to-Point Tunneling Protocol] to encrypt data). "Cryptography" is limited to little more than the terms involved, and it is odd how much space is wasted on editorial comment. (The text could also use a bit more organization: a number of topics appear, in isolation, at a fair distance away from related items.) "Disaster Recovery and Business Continuity" is terse, but possibly sufficient for study purposes. The material in "Law, Investigation, and Ethics" is problematic: it appears to be somewhat dated and has some important gaps, such as corporate liability, interviewing, and the process of incident response. A great deal of the content in "Application Development" seems to have been parroted without any understanding: the iterative class of systems development models is not collected, the spiral model is incorrectly described, the point of Java as a hybrid of compilation and interpretation seems to have been completely lost, and the malware text is rife with errors. "Operations Security" doesn't have as many mistakes, but it seems to be pretty much of an unorganized grab bag of topics.
Yes, I can see the need (or desire) for a short and quick reference to the CISSP CBK. However, if you are going to take on that task, you have to make every single word (and figure) count. This book doesn't. Since McGraw-Hill also published "CISSP All-in-One Certification Exam Guide" they should probably have heeded the old dictum that "if it ain't broke, don't fix it." As it is, this work is well back in the CISSP pack, along with "Secured Computing" (cf. BKSCDCMP.RVW) and "CISSP for Dummies" (cf. BKCISPDM.RVW).
copyright Robert M. Slade, 2002 BKMMCISP.RVW 20021106