BKCISPA1.RVW
20020503
"CISSP All-in-One Certification Exam Guide", Shon Harris, 2002, 0-07-219353-0, U$79.99
%A Shon Harris shonharris@h...
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2002
%G 0-07-219353-0
%I McGraw-Hill Ryerson/Osborne
%O U$79.99 905-430-5000 +1-800-565-5758 fax: 905-430-5020
%P 971 p. + CD-ROM
%T "CISSP All-in-One Certification Exam Guide"
Chapter one is a very reasonable review of the CISSP (Certified Information Systems Security Professional) credential, and the (ISC)^2 (International Information Systems Security Certification Consortium) exam process, including recertification. As with most of the chapters in the book, it has a set of sample questions, and while I could quibble with some, they cover a decent range of topics and a representative extent of difficulty. There are resources listed in this and other chapters, mostly Web sites. Web sites are, of course, most easily accessible, but they also die on a regular basis, and it might have been an idea to include references to other books on specific topics. It is difficult to see the point of chapter two--an opinion-piece level overview of various security-related topics.
Chapter three begins the first of the ten domains of the Common Body of Knowledge (CBK) with security management practices. It is obvious that the material has been structured and based on the (ISC)^2 CBK review course, even to the use of specific tables and diagrams, but the material is, at least, enhanced and extended by narrative discussion. Access control is explained clearly (and sometimes amusingly) in chapter four (although biometrics is generally considered to be a form of authentication, not identification). In general, the coverage of security architecture and models in chapter five is quite useful. However, there is too much emphasis on the old "Orange Book" TCSEC (Trusted Computer System Evaluation Criteria) and not enough on the newer Common Criteria. (The inclusion of a section on computer hardware is also a bit odd.) Chapter six has many of the blind spots about physical security common to most computer security types (including some erroneous information about Halon from the old CBK course). The telecommunications and networking material, in chapter seven, presents the underlying concepts well, but for some reason fails to address many of the security technologies. The explanations of cryptography, in chapter eight, are problematic. Fortunately, the content is not necessarily wrong. The author obviously is not familiar with this area, and the text in such areas as DES (Data Encryption Standard) modes and one-way encryption doesn't make sense, although it does not necessarily misinform the reader. Chapter nine, dealing with business continuity and disaster recovery, is reasonable, but not as detailed as other sections. Law, Investigation, and Ethics is pretty good, although some old crimes and the insistence on the salami scam myth are notable flaws in chapter ten. Chapter eleven, applications development, contains the basic information but does not always make the connections to security. Operations security gets a sensible review in chapter twelve.
The material is much more reliable and better structured than the SRV Press books (cf. BKCISPET.RVW), and much more reliable and complete than the Andress work (cf. BKCISPEC.RVW). Like the Krutz and Vines volume (cf. BKCISPPG.RVW) it is quite obvious that the content and organization are copied from the old CBK course (sometimes slavishly), although Harris does put more explanatory and narrative substance into the text. (Interestingly, there are some indications that this is based on an even older version of the course than Krutz and Vines used.) Even considering the noted weak areas in this book, it should provide a reasonable basis as a study guide for the CISSP exam, although those who use only this work should not expect to get a particularly high mark.
copyright Robert M. Slade, 2002 BKCISPA1.RVW 20020503