IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled



BKMMCISP.RVW 20021106

"Mike Meyers' Certification Passport CISSP", Shon Harris, 2002, 0-07-222578-5, U$29.99/C$44.95
%A Shon Harris shonharris@hotmail.com www.intenseschool.com
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2002
%G 0-07-222578-5
%I McGraw-Hill Ryerson/Osborne
%O U$29.99/C$44.95 +1-800-565-5758 +1-905-430-5134 fax: 905-430-5020
%O http://www.amazon.com/exec/obidos/ASIN/0072225785/robsladesinterne
%P 422 p.
%T "Mike Meyers' Certification Passport CISSP"

There is a "Check-In" foreword, which seems to be about the series, and an introduction that provides a very terse overview of the CISSP (Certified Information Systems Security Professional) exam.

The book consists of ten chapters, one for each of the CBK (Common Body of Knowledge) domains. "Security Management Practices" demonstrates that the book is perhaps a bit too thin: illustrations and other materials from Harris' "All-in-One" guide (cf. BKCISPA1.RVW) appear, but most of the tutorial material is vague and generic. (When covering "controls," a vital concept in this domain, the text provides an "exam tip" that controls should be visible enough to deter misdeeds, but not visible enough to be avoided, but completely neglects the second axis of the control matrix, which covers deterrence, detection, and so forth.) The review questions at the end of the chapter are better than some, but still quite simplistic. As well as being limited, the content is suspect in places: a "cognitive password" is very insecure, and why would a retina scanner blow air into your eye? The "Computers 101" part of "Security Architecture and Models" is all right, although very brief and with significant gaps, but the formal models are simplified to a problematic extent (and the explanation of lattice models is flatly wrong). The "Physical Security" chapter is probably adequate for study purposes. Even after all of the above, I was surprised at how poor the material in" Telecommunications and Networking Security" was. The TCP/IP content is definitely insufficient, and specific errors are made in a number of areas (such as the ability of PPTP [Point-to-Point Tunneling Protocol] to encrypt data). "Cryptography" is limited to little more than the terms involved, and it is odd how much space is wasted on editorial comment. (The text could also use a bit more organization: a number of topics appear, in isolation, at a fair distance away from related items.) "Disaster Recovery and Business Continuity" is terse, but possibly sufficient for study purposes. The material in "Law, Investigation, and Ethics" is problematic: it appears to be somewhat dated and has some important gaps, such as corporate liability, interviewing, and the process of incident response. A great deal of the content in "Application Development" seems to have been parroted without any understanding: the iterative class of systems development models are not collected, the spiral model description is incorrectly described, the point of Java as a hybrid of compilation and interpretation seems to have been completely lost, and the malware text is rife with errors. "Operations Security" doesn't have as many mistakes, but it seems to be pretty much of an unorganized grab bag of topics.

Yes, I can see the need (or desire) for a short and quick reference to the CISSP CBK. However, if you are going to take on that task, you have to make every single word (and figure) count. This book doesn't. Since McGraw-Hill also published "CISSP All-in-One Certification Exam Guide" they should probably have heeded the old dictum that "if it ain't broke, don't fix it." As it is, this work is well back in the CISSP pack, along with "Secured Computing" (cf. BKSCDCMP.RVW) and" CISSP for Dummies" (cf. BKCISPDM.RVW).

copyright Robert M. Slade, 2002 BKMMCISP.RVW 20021106