BKCISPPG.RVW 20010924 "The CISSP Prep Guide", Ronald L. Krutz/Russell Dean Vines, 2001, 0-471-41356-9, U$69.99 %A Ronald L. Krutz %A Russell Dean Vines %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2001 %G 0-471-41356-9 %I John Wiley & Sons, Inc. %O U$69.99 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0471413569/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471413569/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0471413569/robsladesin03-20 %P 556 p. %T "The CISSP Prep Guide: Mastering the Ten Domains of Computer Security" Of late there has been a significant increase in interest in the CISSP (Certified Information Systems Security Professional) exam and designation produced by the (ISC)^2 (International Information Systems Security Certification Consortium). The CISSP exam is based on the Common Body of Knowledge (CBK) which, as the name implies, is that information assumed to be customarily known by those qualified or experienced in the field of computer security. Since the (ISC)^2 also runs courses based on the CBK, many people seem to feel that there is some trick or secret to passing the exam. Krutz and Vines appear to want to foster this myth, since the first sentence of the introduction states that this book holds the "key to unlocking the secrets of the world of information systems security." If true, this assertion would make a mockery of the (ISC)^2 requirement for three years' work experience, and the insistence that no one book holds the entire CBK. The introduction also states that this work is intended as a preparatory guide for CISSP students, a reference for students of other information security courses, and a manual in security basics and emerging technologies for security professionals. That's a rather tall order. For those who have seen the (ISC)^2 CBK course materials, it is immediately obvious where the structure of the book, and most of the content, originates. Much of the text is in point form, following the slides used in the CBK, with only minor expansion to explain the elements. Discussion of concepts is limited, and some of the detail provided is of questionable value. In addition, while the CBK is a substantial and useful work, the (ISC)^2 course structure does suffer, over time, as areas are added or amended, and the strict adherence to that order, which can be smoothed over in a seminar, makes the book very jumpy in places. Security management practices, in chapter one, is rather choppy, and access control, in chapter two, is even worse in this regard. Each chapter covers one of the ten domains of the CBK. These topics tend to overlap in places, but there is little attempt to explain, reconcile, or reference duplicated material. Both chapter two and telecommunications and network security, in chapter three, address intrusion detection systems, but neither section refers to the other. (Telecom and networks is a large topic, and would have benefitted from some attempt at reorganization.) Chapter four describes many details of cryptography. While the particulars provided are correct, the lack of background reduces the value of the text. Security architecture and models, in chapter five, defines most of the terms, but does not give a complete picture of the topic. Operations security generally involves the coordination of a number of individually simple aspects, so chapter six deals with the topic adequately. The same minimalist denotation of points does not work as well for applications and systems development, in chapter seven. (In addition, it is disturbing to see that discussion of viruses has been completely excluded, particularly in view of the fact that the subject has greater representation in the CISSP exam than in the CBK course itself.) Again, business continuity and disaster recovery planning involve a number of basic operations, so chapter eight provides reasonable coverage. Chapter nine's review of law, investigation, and ethics is terse, but not out of line with the requirements of the exam. Physical security, in chapter ten, is covered better than most other areas. There are a number of appendices. A glossary is taken from the old (1985) US government glossary, with a few additions. There is an overview of the old "Rainbow" series of security manuals. An essay on using the Capability Maturity Model (CMM) with the Health Information Portability and Accountability Act (HIPAA) will possibly be of interest to a very select group. There is an overview of the National Security Agency (NSA) Infosec Assessment Methodology, a simplistic look at penetration testing, and a ludicrously brief list of the contents of British Standard 7799. The examination of the Common Criteria is slightly better, but not sufficient to address the needs of the CISSP exam. A list of references for further study is basically taken from the (ISC)^2 resource list with some added URLs, and is not annotated. Oddly, the illustrations are not copied from the CBK course, and table and section headings relate very poorly to the surrounding text. Practice with sample questions can be important in preparing for the CISSP exam. Those provided by the CBK course, and even the independent www.cccure.org site, are very similar in tone, style, and difficulty, to those on the exam. The specimen questions in this book, however, are not. The quizzes are simplistic reading checks and definition queries, with none of the complexity of the exam, and requiring little in the way of judgment. The full list of questions is given again in appendix C, with answers: the solutions are sometimes explained, but often are not. For those studying for the CISSP exam, this book does provide a guide to the topics to be covered. If you are confident that you know more than the book at every point, you should be in good shape to sit the exam: if not, you will have to get help somewhere else. If you are studying for another security course, or are a security professional, this work will not have much to offer you. copyright Robert M. Slade, 2001 BKCISPPG.RVW 20010924