Unnecessarily and deeply explained subjects in CISSP All-in-One Exam Guide, Sixth Ed.

Hi,

I was wondering if it also appeared you that, this book is consisting of almost 1500 pages and almost 50% of it is not even relevant to the exam?

I was going through chapter 4 - Security Arch. Design and it starts explaining CPU architecture (deeply) and adding tons of acronyms for CPU, RAM, ROM (it is not simply a RAM or ROM it has 5-6 different types for each) and additionally tons of access rights frame works (Bell-LaPadula model , Biba model etc...)

I have just downloaded the exam outline and non of these are covered...

I feel like I am wasting my time studying for staff which are not even going to be asked in the exam...

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

jt2929

Sam_aqua wrote: »

@ beads / Others

Do you mean CISSP exam's level of questions are different if one takes Associate Level & a different level of questions if one takes the regular one ?

There is one exam. If you meet the experience requirements and get through the endorsement process, you become CISSP. If you do not have the necessary experience, you can become an Associate of (ISC)2 and will have 6 years to gain the necessary experience.

!nf0s3cure

Not sure where this topic is heading but my gripe with the exam is the fact that some of so called fundamentals are old technological solution of the past. And they are still being tested! Again my favorite topic Crypto, with my 15+ years of IT work I have never come across requirement to know how Biba or any other model works or which one should I implement? Now I may not have directly worked in an area that needs that information but hey in 15 years I have touched a lot of IT topics and have not met a single person who has claimed to have done that. If fundamentals were so important then why not start with 'Abacus' and explain binary, here is a good fundamental for beginners! Again horses for courses but my view is ISC2 need to re-scope their CIB and CBK to align more on present day computing. Just mentioning SDN or MPLS on their CIB does not provide reason to believe that they have got it all covered. Last time I saw IoT (Internet of Things) was only mentioned once in the official book. That is the home version of SCADA in my view and need proper addressing! Go to SANS and they are bleating about the IoT risk and ISC2 one mention! This CIB needs to be reviewed every year at a minimum just like other policy updating recommendations, as there are changes that change what is on IT security radar every year at least broadly speaking. That is my view of where this should go.

TheFORCE

!nf0s3cure wrote: »

Not sure where this topic is heading but my gripe with the exam is the fact that some of so called fundamentals are old technological solution of the past. And they are still being tested! Again my favorite topic Crypto, with my 15+ years of IT work I have never come across requirement to know how Biba or any other model works or which one should I implement? Now I may not have directly worked in an area that needs that information but hey in 15 years I have touched a lot of IT topics and have not met a single person who has claimed to have done that. If fundamentals were so important then why not start with 'Abacus' and explain binary, here is a good fundamental for beginners! Again horses for courses but my view is ISC2 need to re-scope their CIB and CBK to align more on present day computing. Just mentioning SDN or MPLS on their CIB does not provide reason to believe that they have got it all covered. Last time I saw IoT (Internet of Things) was only mentioned once in the official book. That is the home version of SCADA in my view and need proper addressing! Go to SANS and they are bleating about the IoT risk and ISC2 one mention! This CIB needs to be reviewed every year at a minimum just like other policy updating recommendations, as there are changes that change what is on IT security radar every year at least broadly speaking. That is my view of where this should go.

Lol I read your post and it made me smile a bit.
You guys need to read some more on the access models.
First of all, you will probably never implement Biba or Bell on your own. Those are access models implemented on the machine level or operating system level. Those models are coded in the applications and systems you use everyday! How do you think Confidentiality and Integrity is achieved? When you click a button to give or remove access to someone how do you think that is being implemented? You have 15 years in IT and you have for sure used Biba and Bell in one for or another, it's just that they are so far deeply in the code that you don't even notice it. That doesn't mean you shouldn't know how they work.

dou2ble

One common trait I've noticed in CISSP criticism is that everyone forms their own opinion based mostly from their experience and aren't taking into consideration the breadth of knowledge ISC2 is trying to cover in one exam. Access models, reference monitors, processors, Fire extinguishers, ROM and RAM are a few topics most of us won't dive to deep in our day jobs. But that doesn't mean a security manager somewhere doesn't need this info. The CISSP tries to provide basic knowledge in every domain. There are only 2 criticisms that I think are valid. One, the test needs to be updated more frequently. Two, it has become watered down because almost anyone can pass with some studying and brain dumping. While passing is still impressive because it is a lot of info, when someone tells me they are a CISSP I no longer expect much from them.

Hunter85

Well I am really interested in security field but it is a huge domain by itself, in today's world you dont have any time to waste, everyones time is so precious, if you look at my initial post I am not complaining about how CISSP is outdated, I am talking about massive amount of information which is covered in almost any CISSP book and how i feel about it.

I have personal interest in many fields of security but i dont feel the same interest level for every subject. CISSP exam covers nearly most of the important parts of IS thats why you have to have an idea about it all but study books are making it harder for everyone and covering each and every subject deeply.

Again these are exam study books, if i had real interest in a specific subject i would go and buy a book related to it and read it carefully. Exam books should only cover what is necessary for the exam.

Yes I am studying all CBK meterial just to be able to pass the exam, most of the information is not relevant to what i do in day to day job and they will probably not be relevant ever. Everybody is specializing more and more and there is no place for an IT Security person who just knows a little bit of everything. You need to choose what you love the most and concentrate on it.

TheFORCE

Hunter85 wrote: »

Well I am really interested in security field but it is a huge domain by itself, in today's world you dont have any time to waste, everyones time is so precious, if you look at my initial post I am not complaining about how CISSP is outdated, I am talking about massive amount of information which is covered in almost any CISSP book and how i feel about it.

I have personal interest in many fields of security but i dont feel the same interest level for every subject. CISSP exam covers nearly most of the important parts of IS thats why you have to have an idea about it all but study books are making it harder for everyone and covering each and every subject deeply.

Again these are exam study books, if i had real interest in a specific subject i would go and buy a book related to it and read it carefully. Exam books should only cover what is necessary for the exam.

Yes I am studying all CBK meterial just to be able to pass the exam, most of the information is not relevant to what i do in day to day job and they will probably not be relevant ever. Everybody is specializing more and more and there is no place for an IT Security person who just knows a little bit of everything. You need to choose what you love the most and concentrate on it.

And then your consentration and specialization dies off and becomes a thing of the past or the demand drops and so your job dies as well. But by knowinh just enough from every subject you can float on the surface of the ocean, grab onto something else that's moving and re-invent yourself.

Note: You are aware that CISSP requires 5 year on the job experience in 2 domains right? Why bother taking the exam if you only care about just passing the exam?
Note 2: You also need to maintain 120 cpe credits for 3 years and pay about $255 per 3 year period.

Note 3: You will always find something wrong with an area you are not really interested with or that you find boring. That's how life is also.

Khaos1911

I truly believe the AIO 6th Edition is why I passed the exam with such ease. I didn't find the exam challenging at all. *Kanye shrug*

Hunter85

Well I already have almost 8 years of experience with more than 2 domains but the thing you are wrong is that security domains remain the same but the technologies change, you are right about sticking to a single or 2 technologies but I was referring to being specialized in domains.

Vulnerabilities will always exist and pentesters or compliance officers wil always find a job, in todays world windows, linux, unix servers are popular, if you stick only with 1 of them you will not have a 100% secure future but again this is technology, the domain itself will always remain.

You asked why I am taking the exam if i am only about passing the exam? Who is taking this exam to fail? or who is taking this exam to know everything about security? human brain tends to start forgetting things even after 24 hours and do you think you will remember all these concepts even after a year? Some of the information will still remain with you yes but you will remember more things about your day to day job and concepts in CISSP might somehow improve you (well i must admit it wont make a really huge difference because everything you are interacting is already designed by CISSPs so you should be already knowing, interacting with these concepts anyway, it might be usefull when you are hired for a big corporation which has no security policy defined (which is again very unlikely))

You can always change your domain but it wont be from an IT position to finance, you can change from enterprise app security to mobile app security.

These days the hardest part of getting a job is to pass the HR or recruiting companies. These clerks have defined processes which wont allow them to recommend someone with a Linux background to a Risk Assessment position. They only look for key words and no matter how good you know how to prepare a risk assessment since your previous job was all about Linux server administration, you wont be even called for a screening interview. (I have worked with many HR representatives and they also have a point, they are receiving 100s of applications and your Linux background will be insignificant when they compare it to an actual risk assessor with a good experience)

Career moves can be done in first phases, it is hard to change your path after sometime (unless you are referred by someone else)

sponge2

Hunter85 I am surprised that no one has brought up the value of old fashioned note taking.
I made extensive notes for each of the domains.
I wrote my notes out a couple of times which helped me recall material quickly.
Each of us have different strengths and domain expertise, so the books try and cover everything.
All the best for your exam.