The introduction and frontmatter appear to be much more concerned with the structure of the book (and this particular series of books) than with the CISSP (Certified Information Systems Security Professional) exam. The initial list of topics covered by the domains has notable gaps and some oddities in organization.
Part one is entitled "Exam Preparation," and is divided into the ten standard domains of the CBK (Common Body of Knowledge). Chapter one, on access control, shows problems right away. The first paragraph tries to distinguish between access control and authentication, but doesn't really outline the relationship between the two concepts, let alone dealing with the broader and more usual interrelated ideas of identification, authentication, authorization, and accountability. When discussing access models, the lattice content touches on advanced outcomes of the model, but not the basic principles. The biometric material is simply inadequate. There are sample questions at the end of the chapter, and this first set, at least, do appear to be crafted in order to avoid the usual "reading check" level of simplicity, but the wording is extremely poor and many answers are either flatly wrong or highly misleading. Similar problems are evident with telecommunications and networking, in chapter two, which has excessive space given to topics like cabling characteristics, poor explanation of the relationship between tunnelling and virtual private networks, an overview of intrusion detection that contradicts the material in chapter one, and some completely idiosyncratic terminology. The answers to sample questions are more correct, but only because the questions themselves are overly simplistic. The rudimentary factors of security management are discussed in chapter three, but in a confused fashion, not assisted by the fact that topics are repeated and sections from other domains are introduced for no apparent reason. The central material is very brief, despite the sixty pages devoted to the topic, and entire sections, such as the various evaluation criteria, are missing. Applications development, in chapter four, does possibly provide enough information to deal with the CISSP exam on this subject, but lists lots of problems without many solutions, and has a great deal of extraneous material such as lists of different types of memory (fast page mode [FPM] versus extended data out [EDO] dynamic random access memory, for example). I thought the introduction to cryptography, in chapter five, wasn't all that bad (absent details such as the key in a one-time pad having to be no shorter than the message being sent). That is, until I realized that it was the entire chapter, and details about any form of encryption, digital signatures, and the requirements for certification and a public key infrastructure were completely missing. Chapter six does cover the elemental points of security architecture, but in a disorganized manner, and has no material at all dealing with computer architecture. Operations security is discussed in terms of details like specific logs in Windows 2000 and updating antiviral scanners, and chapter seven misses more general concepts and operating principles. Business continuity and disaster recovery planning, in chapter eight, does provide most necessary information about the process, except for the recovery phase. Law, in chapter nine, concentrates too heavily on US legislation, and the investigative process fails to address incident response, interviewing, and relations with outside agencies. Chapter ten again covers physical security with specific details rather than underlying concepts.
Part two is a review. About half of the "Fast Facts" are useful and the rest aren't: it would be hard for an exam candidate to know which is which. The study and exam prep tips are generic, and probably not much help. The practice exam questions are, like most of the sample questions in the book, far too simplistic and particular to properly prepare candidates for the actual CISSP exam.
Despite the size of this volume, it does not contain as much information as, say, Harris' "CISSP All-in-One Certification Exam Guide" (cf. BKCISPA1.RVW), nor is it organized as well as the Krutz and Vines work (cf. BKCISPPG.RVW). It is closer to the Endorf (cf. BKSCDCMP.RVW), Miller/Gregory (cf. BKCISPDM.RVW), or the second Harris (cf. BKMMCISP.RVW) works, and therefore its utility as preparation for the CISSP exam is questionable.
copyright, Robert M. Slade, 2003 BKCISPTG.RVW 20030127