on February 12, 2003
This book will not prepare you fully for the CISSP exam in and of itself as claimed. If you are looking for a single source to pass the CISSP exam, study the CISSP Examination Textbooks, vol. 1 & 2, 2nd edition from SRV Professional Publications. The first volume covers the material, while the second contains 1500 sample questions.
People criticize the CISSP Examination Textbooks as unwieldy and at times confusing, and they are, but all the important material is covered, and the sample exam questions are helpful in preparing for the test. So even though they read a bit like a VCR manual, they are very helpful. Knowing the information they cover should allow you to pass the test when combined with your three years of experience.
If you can read a second book, and I recommend that you do, read The Information Security Management Handbook, vol. 1, 4th edition compiled by Harold Tipton (often called "The Tipton Book"). It is a bit dated in its material, but puts you in the right mindset to think the way the test does.
All in all this book is a good introduction, and covers good information, but it doesn't dig deep enough into each of the domains to fulfill its goal as a one stop CISSP exam guide.
on April 1, 2002
I recently took and passed the CISSP exam. My two main study guides were this book and the Information Security Management Handbook. I also used the CISSP Exam Cram. The main benefit of this book is that it gave some background on topics that are useful to know for the exam and exposed me to areas I was unfamiliar with. Note, the above info is all I can say in relation to the exam; the rest of the review just contains general opinions about the book. One good thing about this book is that it has lots of definitions. The glossary is good and the index is great. I particularly enjoyed chapter 10. Chapters 4 and 8 were pretty good too. The reason I'm giving this book 3 stars is that it has some glaring failures. It's not a good place to learn about forensics, risk management, computer crime law or technical aspects of computer network security. Chapter 3 in particular is littered with errors. Perhaps the most offensive is the description of a buffer overflow on page 76. It's listed under denial of service attacks and a "Ping of Death" is described as typical. Check out Aleph One's "Smashing the Stack for Fun and Profit" (Phrack 49...) or the definition in Hacking Exposed for the real scoop.
on January 10, 2002
This is an excellent FIRST book for your CISSP study. Consider it required reading. Over 80% of the terms and concepts you need to learn are presented in an excellent framework. The organization is easy to follow and understand. It's like reading 500 pages of Cliff's notes. I give five stars for the organization, chapter review questions, and ease of reading. Chapter 3 does have errors - but, in my opinion, the rest of the book is the best organized "unofficial" tutorial and review I have seen on the subjects. It is not a techie's how-to manual. The author went above & beyond the call of duty when writing the Appendix sections. It includes full overview sections on the DOD rainbow books, IPSEC, BS-7799 and more. I suggest you then read "Information Security Management Handbook" by Krause & Tipton to round out your studies. These two books combined should give you a firm grasp of the basics. Several other good security books are available, but this one is a golden egg. Best of luck to you.
on December 9, 2001
I am a senior engineer for network security operations. I read "The CISSP Prep Guide" (TCPG) as a study aid for the CISSP exam, which I completed yesterday. CISSP candidates are not allowed to discuss the contents of the test, but I can comment on the quality of TCPG's text. If you tear out chapter 3 (Telecommunications and Network Security), the remaining content is informative and applicable. If you rely on chapter 3 to learn about network security, you'll be sorely disappointed.
By performing network security monitoring, I am intimately familiar with defensive tools and tactics, and adequately informed of offensive operations. I observe network defense and offense on a daily basis. Unfortunately, chapter 3 of TCPG demonstrates almost no understanding of these important concepts. The authors do not correctly explain network attacks. ("Ping of death" is the most common buffer overflow?) Their firewall deployment strategies are wrong, and their examples of "protocols" at each OSI layer are false. (Since when is SQL a session layer protocol?) The authors should have consulted someone with real knowledge of network security before publishing this poor material.
Thankfully, beyond chapter 3, the majority of the book is helpful and reliable. The authors cover each domain of the Common Body of Knowledge, and present information in a humorless but well-organized manner. TCPG introduced me to management concepts I hadn't formally studied elsewhere, such as risk management, risk assessment, business continuity planning, and disaster recovery planning. TCPG also offered helpful quizzes at the end of each chapter. The appendices, covering the RAINBOW series, HIPAA, NSA assessments, and the Common Criteria, were also enlightening.
Reading TCPG is not sufficient preparation for the CISSP exam. I also read Coriolis' "CISSP Exam Cram," and reviewed a CBK outline on the Internet. Still, my experience in the field proved better preparation than these references. Use books like TCPG to fill the gaps in your experience (probably security management), and be sure to discount material you know is incorrect.
(Disclaimer: I received a free review copy from the publisher.)
on November 21, 2001
I studied this work for 30 days before taking the CISSP November 2001 examination. You don't pass the CISSP exam from just reading; broad experience is mandatory. The 'Prep Guide' helped me pull my experience into focus for the exam; the book does not give you the answers on the test, it helps you understand the concepts, and thus it helps the reader understand the exam questions, which in turn allows the exam taker to go quickly into deep memory and find the answer that most resembles those on the exam. Of all the thousands of dollars of "security" books that I have purchased, read, and studied, the 'Prep Guide' is the only one that extensively covers the broad spectrum of topics emphasized in the exam.
Main plusses of the book:
(1) It keeps you focused in your study,
(2) The scholarly writing is a good preparation for the way the examination questions are stated,
(3) It will continue to be a solid reference book in my security practitioner's library (the added HIPAA information may have been filler, but I find it useful in the profession if not for the exam), and
(4) Best price of any preparation security book for the focused information that it provides.
Oh, yes, and it helped me receive my CISSP certification in November. Buy the book and study the book, you will not go wrong.
on November 13, 2001
This book is apparently right on target in terms of content. However, it is in serious need of a good editor. I estimate it is taking me twice as long to read and understand the text because of poor grammar and ambiguities. For example, on pages 5-6, under the heading "Information Classification Objectives":
".. it is obvious that information classification has a higher, enterprise-level benefit. Information can have an impact on a business globally, not just on the business unit or operations levels. Its primary purpose is to enhance confidentiality, integrity, and availability..."
Ok, after reading that a couple of times, it is clear that "Its primary purpose" refers back to "information classification" in the first sentence, not to "Information" in the immediately preceding sentence. But it certainly would be easier to read if you didn't have to decipher things like this on every page.
Also, in the Introduction, page xiv, it says about the test, "No acronyms are used without being explained". Yet, in the sample questions at the end of chapter 1, there are half a dozen or more questions that in essence are testing your knowledge of certain acronyms. So, do I need to memorize the acronyms or not?
I'm grateful that a text is available designed to focus my preparation for the test. It is probably the best available, but it just needs more work.
on October 31, 2001
This is a strong review guide that correlates perhaps 90% with the contents of the comprehensive CISSP exam. As a hands-on professional with decades' worth of security experience and in-the-trenches development of secure OS, comm protocols, and RDBMS, I was frustrated at the manner in which the book glossed over some material and, indeed, made frank errors here and there. (This is why I withheld the fifth star from my rating.) However, considering its purpose--which is to provide balanced coverage of the numerous exam areas--it does a very good job. Of course, the book isn't all you need, and I disagree for two reasons with the assertion in the book's preface that a professional with three years' experience could pass the CISSP exam. First, the material is far too broad. Second, the exam demands that the candidate have a strong handle on the business motivations behind various security-related policies, practices, and methodologies that you just can't glean in only a few years of professional practice.
on September 15, 2001
This book is exactly what CISSP candidates need to prepare for the exam. The authors make sure to cover the CISSP Common Body of Knowledge in enough detail, give pointers along the way, and include sample questions to practice for the exam.
Since this is a study guide, the emphasis is on breadth, not depth of coverage, and that's the way it should be.
Several inaccuracies and typos should be corrected in the second edition (e.g. the description of lattice-based control on p. 34, or sample question 9 in Chapter 10 and its answer).
So is this now my favorite survey of computer and information security? Not quite. I still prefer "Secure Computing" by Rita C. Summers, even though it is already 4 years old. Unfortunately it is out of print, and it is a mystery why McGraw Hill wouldn't print a few thousand copies to satisfy the demand.
Another CISSP prep book is coming soon (Mandy Andress, "CISSP Exam Cram"). Let's hope it will be as good as the Prep Guide.
on September 13, 2001
I have had the CISSP certification squarely on my radar for about a year now, but the sheer amount of information to compile and read and remember is simply too much. This is because the compiled readings are mainly, at best, guesswork. What's more, the weightings of the Ten Domains of Computer Security can be markedly different, and no one can really be sure of the importance of certain sections as compared to others. For example, both authors, who are themselves CISSP certified, place Telecommunications and Network Security as more heavily covered in the exam than, say, Security Management Practices, clearly a time saver for those who, like me, are also pursuing the BS7799 Auditor certification.
Within each chapter, the authors also clearly prioritize the topics. In the chapter entitled Access Systems, the topic Decentralized/Distributed Access Control takes up half of the chapter, again demonstrating that more attention has to be paid by the reader.
Though the information to cover is vast, I never felt that I needed a map to navigate the contents. Each chapter's objectives are clearly stated, and the sections lucidly explained. Best of all, the visual and textual aspects are just right for the eye. Of course, for an exam that covers 10 domains, the number of acronyms faced is numerous, but the nifty Glossary takes care of any confusion that may arise. Besides the coverage of the ten domains in 10 chapters, the Appendices are extremely helpful. Topics such as HIPAA Compliance through HIPAA-CMM are covered, as is the British Standard 7799.
If you feel that coverage is not deep enough (which is not really a factor in the exam), the authors provide useful References for Further Study, also found as Appendix H.
In summation, the book is extremely well organized, and the additional information provided in each Appendix makes this not only a required study tool, but also a "must have" reference.
on September 10, 2001
It's been said many times that the vast ocean of the CISSP Common Body of Knowledge (CBK) is fifty miles wide and two miles deep, and preparing for it can be quite an overwhelming endeavor. Various on-line study groups and web sites have numerous suggestions and links where freely available materials and helpful hints may be found. Individuals share their study guides and suggest the best books to procure for the study quest. I myself have participated and contributed in these vibrant forums. It's been said many times over that NO one book can effectively cover the CBK and prepare the CISSP candidate for the exam. I too have amassed a large collection of the most suggested tomes. Well, The CISSP Prep Guide almost negates this statement. The CISSP Prep Guide is now the FIRST place to start! I wish it had been in print a year ago when I began my quest for the CISSP. It is a complete and affordable textbook covering the MEAT of the CBK. This book completely defines and explains the major points of the CBK. It is an extremely readable and understandable text. If you can't afford attending the ISC2 CISSP Seminar, either because of cost or time away from work, this book is for you. If you have already attended the CISSP Seminar, this book is for you. I was blessed to have the opportunity of attending the CISSP Seminar, yet I am still finding that The CISSP Prep Guide is building upon the materials presented in the seminar. I can see where my copy of The CISSP Prep Guide will quickly become a dog-eared reference text that I use to refer to while carrying out my duties as an Information Systems Security Officer with the U.S. Government.