This document summarizes a presentation given as part of a CISSP mentor program. It discusses the history and structure of the mentor program, as well as an introduction to the CISSP certification. Key points include:
- The mentor program started in 2010 with 6 students and has grown significantly. Classes follow a typical structure of recapping content, questions, quizzes, lectures, and homework assignments.
- The CISSP certification is maintained by ISC2 and tests knowledge across 8 security domains. Becoming certified requires passing the exam as well as relevant work experience.
- Presenter Evan Francen has over 20 years of security experience and emphasizes the importance of listening, not assuming expertise, and focusing on security
2. CISSP Mentor Program Session #1
Welcome!
• What is the CISSP Mentor Program?
• History
• 1st class was 2010; 6 students
• Today’s class; 80 students
• Why we do it
• Success Stories
• Heck, it’s free! If you aren’t satisfied, we’ll refund everything you paid us. ;)
We need MORE good information security people!
3. CISSP Mentor Program Session #1
We need MORE good information security people!
The CISSP is ideal for those working in positions such as, but not limited to:
◦ Security Consultant
◦ Security Manager
◦ IT Director/Manager
◦ Security Auditor
◦ Security Architect
◦ Security Analyst
◦ Security Systems Engineer
◦ Chief Information Security Officer
◦ Director of Security
◦ Network Architect
4. CISSP Mentor Program Session #1
Typical Class Structure
• Recap of previous content/session
• Questions
• Quiz
• Current Events
• Lecture
• Homework Assignment - WHAT?! Yeah, we got homework.
• Questions
5. CISSP Mentor Program Session #1
Questions
• We may not get to all of the questions during class
• Send questions to Robb Stiffler (rstiffler@frsecure.com) – for now.
• We will soon (probably) assist in setting up (or facilitating) a study group.
• Content will be made available to all students upon request.
6. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)
• Maintained by the International Information Systems Security Certification Consortium (or ISC2®)
• Tests your knowledge (or memorization) of the Common Body of Knowledge (or “CBK”).
• “a mile wide and two inches deep” (or maybe just an inch deep).
• 2015 CBK, updated in April, 2015
• CBK consists of eight domains… next page
7. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)
Eight domains for the CISSP CBK:
• Security and Risk Management
• Asset Security
• Security Engineering
• Communications and Network Security
• Identity and Access Management
• Security Assessment and Testing
• Security Operations
• Software Development Security
8. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)
Preparation (there are bunches of ways)
• 3x Book Read (my favorite)
• Read the book once, fast
• Read the book a second time, focus on concepts
• Read the book a third time, focus on mastery and memorization
• Note Cards
• Practice Tests (and quizzes)
• Study Groups
The CISSP Mentor Program is a tool that facilitates your studies; it does not supplant them! YOU WILL STILL NEED TO STUDY.
9. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)
How to take the exam
• Computer-based (“CBT”) at Pearson Vue
• 250 questions
• Six hour time limit
• Two (sort of four) types of questions:
• Multiple Choice (four options, two are almost obviously wrong)
• “Advanced Innovative”
• Scenario
• Drag/Drop
• Hotspot
• 25 (10%) of the questions are “experimental” or research questions.
10. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)
How to take the exam
• Methods
• Two-pass
• Three-pass
• Suppose you could do one-pass too if you’re some kind of Jedi Master (or whatever)
• You will know right away if you have passed or failed.
11. CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)
Becoming a CISSP
• Passing the exam is only one step.
• Need experience
• 5 or more years within 2 or more domains (can waive one year with a college degree or with another relevant certification)
• Not enough experience? Pass the exam and you’re known as an “Associate of (ISC2)”
• Must agree to the (ISC2) Code of Ethics.
• Must be endorsed by another CISSP (in good standing).
12. CISSP Mentor Program Session #1
About me
• President & Co-founder of FRSecure
• 20+ years of information security experience
• Big breach inside experience
• Information security evangelist
• Specialties: Security leadership coaching, risk management, methodology development, and Social Engineering ;)
• CISSP sixty thousand something (I forgot my number).
• Very, very passionate about information security, but most importantly in doing the right thing.
FRSecure exists to fix the broken industry.
13. CISSP Mentor Program Session #1
Same presentation given numerous times… Good for us too.
• Introduction
• We’re all experts right?
• Fundamentals
• The value of listening
• Principles
• Solutions – What to do…
• Questions
14. Information Security Fundamentals
Introduction
• FRSecure
• Information security consulting company
• Business since 2008
• 700+ clients, many in legal, healthcare, and finance
• Speaker – Evan Francen
• President & Co-founder of FRSecure
• 20+ years of information security experience
• Big breach inside experience
• Information security evangelist
• Specialties: Security leadership coaching, risk management, methodology development, and Social Engineering ;)
15. Information Security Fundamentals
If there’s one thing that I’ve learned in 20+ years in information security it’s to LISTEN.
If there’s one more thing that I’ve learned in 20+ years in information security it’s that I don’t know everything!
Although too many information security “experts” won’t admit it.
17. Information Security Fundamentals
What are some of the fundamentals?
We’re all experts, right?
What is “information security”?
We can argue about whose definition is better, but we need to start with a common understanding (or definition).
18. Information Security Fundamentals
What are some of the fundamentals?
Information security is the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of information.
“Most organizations overemphasize technical controls to protect confidentiality and do so at the expense of other critical controls and purposes.”
Seems fundamental. How about a story?
19. Information Security Fundamentals
What are some of the fundamentals?
Probably one of the most overused words in all of security…
What is “risk”?
Again, we can argue about whose definition is better, but we need to start with a common understanding (or definition).
20. Information Security Fundamentals
What are some of the fundamentals?
Risk is the likelihood of something bad happening and the impact if it did.
“The likelihood of a threat exploiting a vulnerability, leading to an associated impact.”
Seems fundamental. How about another story?
22. Information Security Fundamentals
What are some of the fundamentals?
What is information security?
What is risk?
Why are these definitions so important?
Because they should drive everything you’re doing.
23. Information Security Fundamentals
The value of listening.
To keep us honest (and humble), we organized the FRSecure Customer Advisory Board (or “CAB”).
We posed two simple questions…
What is your greatest frustration with respect to information security?
What is your greatest challenge with respect to information security?
Then we listened…
24. Information Security Fundamentals
The value of listening.
Greatest frustrations:
1. Lack of common information security understanding.
2. Different interpretations of different information security regulations and standards.
3. Lack of education for practitioners and executive management.
4. Constantly changing priorities based on outside influences.
Together we derived a core frustration that sums up everything: we are all speaking different languages for the same topic.
25. Information Security Fundamentals
The value of listening.
Greatest Challenges:
1. Education/training for executives, IT personnel, and users.
2. Management commitment to continuous improvement.
3. Obtaining the necessary resources to manage information security.
4. Measuring information security (metrics, status, improvements, etc.)
The greatest challenges could be summed up with: we don’t know how to fix the issues facing us within the greater context of a strategic information security program.
26. Information Security Fundamentals
So what are we going to do?
Our two problems, summed up by listening:
1. We are all speaking different languages for the same topic.
2. We don’t know how to fix the issues.
Now we can offer some advice, but only after listening.
27. Information Security Fundamentals
We are all speaking different languages for the same topic.
1. Define and live by your definition of information security. Get everybody in agreement with the common definition because it will (or should) drive everything.
2. Define and live by your definition of risk. If you can understand and communicate risk well:
• You will automatically be compliant with regulations.
• You will be able to make good decisions.
• You will build a security program that works for you.
28. Information Security Fundamentals
We don’t know how to fix the issues.
Start with defining your information security principles. These are the rules that you are going to live by. Here’s ours:
1. A business is in business to make money.
2. Information Security is a business issue.
3. Information Security is fun.
4. People are the biggest risk.
5. “Compliant” and “secure” are different.
29. Information Security Fundamentals
We don’t know how to fix the issues.
Start with defining your information security principles. These are the rules that you are going to live by. Here’s ours (continued):
6. There is no common sense in Information Security.
7. “Secure” is relative.
8. Information Security should drive business.
9. Information Security is not one size fits all.
10. There is no “easy button”.
30. Information Security Fundamentals
We don’t know how to fix the issues.
Now that you’re bought in on principles for managing your security program, go here:
1. Management commitment. For real. Either you’re in or you’re not.
2. Asset management. You can’t secure what you don’t know you have.
3. Access control. You can’t secure what you can’t control.
4. Change control. See step 3.
5. Measure, measure, measure. You can’t manage what you can’t measure.
31. Information Security Fundamentals
As you build, implement, manage, and improve your security program…
Don’t forget to listen!
The things that people are telling you are real, and you might learn a thing or two.
It’s also OK to admit that you don’t know everything.