Security Advancements at the Monastery » CISSP
http://blog.securitymonks.com
Information about developments at the Monastery

Comparing the CISSP and GISP Exams
http://blog.securitymonks.com/2009/05/22/comparing-the-cissp-and-gisp-exams/
Fri, 22 May 2009 19:13:15 +0000, John Gerber

Lately, I have been spending my time preparing for and finally taking the GIAC Information Security Professional (GISP) and the Certified Information Systems Security Professional (CISSP) certification exams. I passed both. The exams are very different, though they cover the same material. I figured I would take some time to discuss my impressions and experiences.

What the Exams Cover

SANS Management 414, also known as the SANS® +S™ Training Program for the CISSP® Certification Exam, prepares students for both the CISSP and GISP certification exams. The exams cover the 10 domains of the Common Body of Knowledge (CBK):

  1. Access Control Systems and Methodology
  2. Telecommunications and Network Security
  3. Security Management Practices
  4. Applications and Systems Development Security
  5. Cryptography
  6. Security Architecture and Models
  7. Operations Security
  8. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
  9. Law, Investigations, and Ethics
  10. Physical Security

One Reason to Get Certified

People have many reasons to become certified. For personal accounts of why people pursued certification, see Stephen Northcutt’s interviews posted on the SANS “Why Certification Matters” area. My reason was based on DoD directive 8570. To quote the 8570 FAQ:

DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians, managers, and members of IA specialties to be trained and certified to a DoD baseline requirement. The Directive’s accompanying Manual identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.

Agencies covered by 8570 include:

  • Office of the Secretary of Defense
  • Military Departments
  • Chairman of the Joint Chiefs of Staff
  • Combatant Commands
  • Office of the Inspector General of the DoD
  • Defense Agencies
  • DoD Field Activities
  • All other organizational entities in the DoD

Any full- or part-time military service member, contractor, or local national with privileged access to a DoD information system who performs information assurance functions, regardless of job or occupational series, is affected by 8570. For fiscal year 2008, the goal was to fill a total of 70 percent of the Information Assurance positions with certified personnel.

Reducing Costs

There are two great options for reducing training costs through SANS. The first is the SANS Work Study Program. The program allows the volunteer to pay a fee of $700, which is applied towards tuition and certification costs. The volunteer works the selected event and in exchange can attend the course and all other events at the conference (SANS@Night events, BoFs, Lunch & Learns, etc.).

The second is the SANS COINS program (see the post “SANS COINS Program Can Help With DoD 8570”). The program offers anyone who is a member of OWASP, ISSA, ISACA, InfraGard, HTCIA, ECTF or another local security organization a 50% tuition discount on SANS @Home courses.

I have not seen other organizations pursue cost-cutting training alternatives. Unfortunately, some of the companies that need the most help allocate little towards security training. I applaud SANS for offering people employed in poorly funded security groups a path to advance their security knowledge.

Training: SANS Compared to Authorized (ISC)2 Institute

SANS states that “over the past 18 months, 98% of all respondents, who studied our SANS® +S™ Training Program for the CISSP® Certification Exam and then took the exam passed; compared to a national average of around 70% for other prep courses.” While SANS does a great job of preparing students, I do have to wonder if the high pass rate is somewhat due to the quality of students that tend to attend SANS courses. Either way, SANS does a good job discussing the material that will be on the exam and providing helpful advice on how (ISC)2 will form questions for the exam.

I took the CISSP exam in Bushkill, PA. The Fernwood Resort was a great facility and the folks who ran the exam were very professional. Of the 30+ people taking the exam, all but three had attended an authorized (ISC)2 Institute “7-Day Accelerated Course Training Class” that week. The cost of $4,795.00 is considerably higher than what I could have paid. I talked with a few of the folks who took the course. They had five days of boot camp training, one day to decompress, and on the seventh day they took the exam.

I will confess, I am troubled by the idea of taking the exam right after training. The ITIL Foundation course also did it this way, but in that case the subject matter was not very challenging. I would never consider taking a SANS certification exam immediately after the course. Many SANS courses consist of six days in which huge amounts of material are tossed at you. I refuse to use the firehose imagery, having heard it too many times at SANS. It is not until I head home and start going over the material that the real learning occurs. Do not get me wrong, the SANS instructors are the best. There is only so much a person can handle before their memory banks overflow.

Having talked to the students of the class, it seems the authorized (ISC)2 Institute “7-Day Accelerated Course Training Class” is really about learning how to take the exam. Who better to help you pass than the people who wrote the exam? SANS does the same thing with their certifications, but SANS intends you to study. While the MGT 414 course gives good guidance on taking the CISSP exam, it also repeatedly stresses the need to go over the material and take many practice exams.

Preparation

Preparing for the GISP, like any SANS certification, involves studying your course notes. Take advantage of the practice exams. I know the exams are long. They simulate the five-hour exam and consist of 250 questions. I find the sample exams to be the most helpful learning experience. I travel once a month, spending sixteen hours driving. Having the SANS course on MP3 is most helpful. Dr. Eric Cole, developer of the course, lectures on the material. As always, he does a great job.

The GISP questions will be straightforward. For the CISSP you will need to be prepared for questions asked in very weird ways. I must refrain from discussing particular questions, though I really wish I could. There were several questions that simply annoyed the heck out of me. In areas where I am certified and know the subject matter quite well, I still at times had difficulty figuring out what exactly some of the questions were asking and how the choices fit the question. Many a question will require you to select the least annoying choice.

I studied using:

A book I did not use, but which is highly recommended, is “The CISSP and CAP Prep Guide” by Ronald L. Krutz and Russell Dean Vines. CCCure.org has some questions and answers from Krutz and Vines' older book, “The CISSP Prep Guide.” Since the CISSP is being continuously updated, the older the book, the greater the chance it no longer accurately reflects the focus of the CISSP exam. For example, DITSCAP/DIACAP is no longer tested while the PCI standard may be.

The CISSP exam is all about getting used to being asked questions in odd ways. Practice by going over questions. It is important to know the material, but you don't need to know it that well. After taking the exam, I was annoyed by all the stuff not asked by the CISSP exam. I felt that about 70% of what I studied was never touched. The exam failed to ask about many of the details I memorized. There will be some detail questions but not as many as one would expect. I would recommend being familiar with the details but not getting hung up on memorizing them. As for the GISP exam, you will be able to look up the details since it is an open-book exam.

The Exams

Time is not your enemy. There is plenty of time to complete either exam. I have heard people talk about trying to prepare physically to take a six-hour exam. This is not a Rocky movie. We are IT people who work in front of a computer all day and frequently work late into the night. I do not see how a six-hour exam would be more taxing. You will likely finish well before six hours. Take your time, and make sure to take breaks, stretch a bit, and get something to eat or drink from the back of the room. If you are a caffeine addict, caffeine gum is your friend. Physically enduring the exam really should not be a problem.

Dr. Eric Cole stated:

Most people think of the exam as knowing the technical knowledge, however that is only one piece. In my estimate 70% of the exam is technical knowledge, 20% is thinking like a CISSP and 10% is knowing how to take an exam. It is all three of these pieces together that allow people to take the exam and pass. If you take the course you are going to be worked very hard but at the end the results and knowledge is all that matters.

It is difficult for me to gauge whether those numbers are right. A colleague of mine used to tell me, “you could take the exam and pass without studying.” If anyone tells you that, they are just setting you up for failure. The CISSP is all about thinking like (ISC)2 wants you to think. The more you know, the more problems you will have with the questions. Learn to let your issues go and provide the answers (ISC)2 wants. I felt like 50% of the CISSP was knowing how to think the way (ISC)2 wanted.

The GISP exam is a five-hour exam with 250 questions. The questions covered the 10 CBK areas well. I am not one who enjoys memorizing information that I will not remember the day after taking the exam. I have always liked the SANS open-book approach. It tends to keep the questions focused on the ideas behind security. If you do not know the material going into a SANS exam, there is not enough time to figure it out during the exam.

The CISSP was a more difficult exam, because of the odd way the questions are phrased. I have yet to decide if this is a good or bad thing. Many people in business, who are not exactly sure what they are talking about, will fuse together different terminologies. You will need to discuss security concepts with them. Being able to do mental gymnastics and figure out what others may be talking about is a valuable ability. While I disliked the questions, I can see their merit. In the end, it was a valuable experience to go over a large number of practice questions.

The CISSP method of having students take the exam with pencil and paper should be changed. There is no value to this method. I was fortunate in that my results were reported in 10 days. A coworker had to wait two months for his results. SANS' method of providing immediate feedback on whether your answers were right or wrong is a much fairer test methodology. With any wrong answer on the GISP exam, you know immediately. The exam itself is a learning tool revealing gaps in your knowledge. I will never know which questions I got wrong on the CISSP exam. When I completed the CISSP exam, I did not feel I should have studied certain areas more. I just felt like I had spent too much time studying the material and should have spent more time on CCCure.org.

Privacy and Openness

This post claims I am a CISSP. How do you know? SANS GIAC certifications are easy to confirm. Go to the GIAC website and search by the name “Gerber.” You can see my test scores and any papers I have written. Knowing that my test score will be published motivates me to not only pass, but to get a good score. SANS operates in a very open manner. On the exams, you are shown the results of the question immediately. This allows you to later argue questions you felt were bad. I know people who have argued about questions and their efforts resulted in the questions being changed. That helps improve the questions.

(ISC)2 does not allow you to verify a certification without the person's “Member ID/Certification Number.” You will not learn your test score unless you fail. You will also never know which questions you answered incorrectly.

Final Thoughts

If two people were applying for a job, and one was a CISSP and the other was a GISP, neither would be at an advantage in my book. Both exams test the same material in very different ways. The GISP exam does a better job of testing the test taker's knowledge of the 10 CBK areas. The CISSP exam, because of how the questions and choices are phrased, will cause the student to study more.

People working for DoD, or any of the above agencies, will likely benefit more by becoming a CISSP. The CISSP is a more widely recognized certification. While I question the number of quadrants the DoD directive 8570 places the CISSP in, I do hope DoD will come to recognize the GISP certification. No system is perfect. I am glad DoD is working through commercial certification programs rather than trying to develop its own.

Security Sects: Destroying Relational Competence
http://blog.securitymonks.com/2009/03/21/security-sects-destroying-relational-competence/
Sun, 22 Mar 2009 04:52:19 +0000, John Gerber

I come bearing no answers, only questions. This being the SecurityMonks website, I could not allow the article “The High Priests of IT — And the Heretics” to pass without comment. No heretics or high priests here. Only a simple security monk. The author, Cory Doctorow, makes his argument well. While I may not agree with Cory on several points, I do find how he frames the discussion most interesting. Discussion of an issue is often influenced by how one frames the problem.

What I hope people reading Cory's post walk away with is the recognition that sects exist. We all have various fanatics at each of the organizations where we work. Many are good people, earnest and true in their desire to do their jobs well. Yet they could not be more different in their solutions to the problems facing their organizations. They may fall into the high priests or heretics camps, or a dozen other camps.

Let us talk about some of the divisions within IT and security. Richard Bejtlich points out two camps in his post “Steve Liesman on Inputs vs Outputs.” Richard is continuing an argument he previously made in “Controls Are Not the Solution to Our Problem.” He argues that too much time and too many resources are being spent on auditing controls that are far too input-centric. Instead, Richard feels controls should become more output-aware and recommends directing attention away from inputs and devoting more energy to outputs. Included are some real-world examples that management could understand and relate to. Steve Liesman is quoted in relation to our current economic crisis: “It's not what you're doing that matters; it's whether or not it works.” Consider the following questions. Within your security organization, who focuses on controls/inputs and who focuses on outputs? How much of a division exists between these groups? Where do the auditors fit in?

To point out other divisions within security, take a look at Jeremiah Grossman's recent post, “Quick Wins and Web Application Security.” To quote Jeremiah paraphrasing a recent conversation with Joseph Feiman (Gartner):

During an event a panel of Gartner Analysts asked the audience what the best way is for an organization to invest $1 million dollars in effort to reduce risk. The choices were Network, Host, or Application security, to which the Gartner analysts made their cases for these three disciplines. The catch was the budget could not be shared between them and must be prioritized into a single initiative. The audience selected Application security. However, the Gartner CSO (who took the role of CIO in the play) overruled the audience's decision. They instead selected Network security, while at the same time curiously agreeing that Application security would have been the better path. His rationale was that it is easier for him to show results to his CEO if he invests in the Network.

Gary McGraw was recently interviewed by James McGovern for the SilverBullet podcast. They discuss the recent release of “Building Security In Maturity Model (BSIMM).” In the interview, Gary was asked about the leaders of the enterprises that “have a clue in making their security posture better.” While the leadership that helped develop the BSIMM had very diverse backgrounds, James asked, “It sounds like they are all from a technical background at some level. Are there IT executives out there that understand software security that are just business people?” Gary responded, “I don’t know the answer to that. I really don’t know any. I will say this about these people, they are the sort of hybrid people that can speak business and also have a very deep technical background. As you know those kind of creatures are rare on earth. Right now it appears that they might be necessary to cause software security initiatives to be a success. Hopefully, we will gain enough experience and write down enough empirical science that won’t be the case in the future.”

It is not a great surprise to learn that a major divide exists between the IT and the business camps. Recent frameworks often include governance components in an attempt to help bridge the gap between the two camps. As an example, the IT Governance Institute® (ITGI™) recently released v0.1 of a risk-based framework based on the principles of enterprise risk management standards/frameworks such as COSO ERM and AS/NZS 4360. The framework is called Risk IT. ITGI would argue that existing IT risk guidance documents tend to focus solely on IT security. Risk IT is meant to cover all aspects of IT risk. ITGI also develops the Control Objectives for Information and related Technology (COBIT), which is focused on “providing a comprehensive framework for the delivery of information technology-based services.” Risk IT and COBIT are meant to complement each other. COBIT is a set of good practices which provide the means of risk management, while Risk IT is meant to set good practices for the ends by “providing a framework for enterprises to identify, govern and manage IT risk.” Recall Richard Bejtlich's argument concerning the division between controls/inputs and outputs.

All these different sects make effective security most difficult. A layered approach to security fails to work when the layers operate in isolation. Gary McGraw gets an “amen!” for describing leaders of the enterprises that understand security as a “sort of hybrid people that can speak business and also have a very deep technical background. As you know those kind of creatures are rare on earth.” On top of having an understanding that reaches into areas throughout the organization, they need to be leaders.

Rob Goffee and Gareth Jones wrote an article, “Leading Clever People.” Goffee and Jones will be publishing a book with the same title late in 2009. An audio interview is available from the London Business School. Goffee and Jones conducted over 100 interviews with leaders at major organizations and report that the relationships effective leaders have with their “clever people” are shaped by seven shared characteristics:

  1. They know their worth—and they know you have to employ them if you want their tacit skills.
  2. They are organizationally savvy and will seek the company context in which their interests are most generously funded.
  3. They ignore corporate hierarchy; although intellectual status is important to them, you can’t lure them with promotions.
  4. They expect instant access to top management, and if they don’t get it, they may think the organization doesn’t take their work seriously.
  5. They are plugged into highly developed knowledge networks, which both increases their value and makes them more of a flight risk.
  6. They have a low boredom threshold, so you have to keep them challenged and committed.
  7. They won’t thank you—even when you’re leading them well.

Now you may be thinking, “I am security, not the CEO of the company. I am not even their project manager. Why are you talking about leadership? Why should I care about business? If users just did what I told them, life would be good.” It is important to note that a characteristic not listed above is “empathy.” Folks in your organization are not going to try to see things from security's point of view. They want to do their job, and if security appears to be a roadblock, they will go around it. We need to avoid having each sect do its own thing. As occurs in many religions, an “us versus them” attitude will develop. If you want people to follow, you must first lead. To lead “clever people” you must understand those people.

James Parker, Southwest Airlines ex-CEO, offers some advice. He has written a fascinating book titled “Do the Right Thing.” One particularly interesting story concerned a manager who didn't succeed despite being very intelligent and ambitious. “When this person finally left, I asked one of his former employees why she thought everybody disliked her former boss so much. She summed it up: ‘Because he was the kind of person who kissed up and spit down.’ ” When problems arose at American, “the primary focus of communications was blaming and avoidance of blame – in contrast, when something went wrong at Southwest, the focus of communications was problem-solving,” Parker quotes from the book “The Southwest Airlines Way.”

James Parker and Barbara Stocking, Chief Executive of Oxfam GB, discuss “Leadership in an Age of Uncertainty” with moderator Deborah G. Ancona. The discussion focuses on the need for distributed leadership. A key point made is that companies need “employees doing things outside the narrow scope of their job responsibilities, to contribute to the success of overall operations.” This is the cornerstone of the concept of “relational competence.”

The world continues to get more complicated. In response, more specialization occurs, which leads to less understanding of other groups. The history of religions has shown us how difficult things can get when various sects develop. In the corporate world communication breaks down, the focus on the mission is lost, and the relational competence of a company dissolves. I started this post with the statement that I come bearing no answers, only questions. While that is true, I have pointed to some very intelligent people who discuss the various sects and offer possible ways to coexist. Security professionals cannot exist in their own camp, separate from the rest of the organization, dictating how people should do their jobs. In such an environment, it will not matter if every pronouncement is the embodiment of wisdom and truth. Failure is inevitable. Abraham Lincoln offered these wise words when he addressed the Washington Temperance Society on February 22, 1842:

If you would win a man to your cause, first convince him that you are his sincere friend. Therein is a drop of honey that catches his heart, which, say what you will, is the great high-road to his reason, and which, when once gained, you will find but little trouble in convincing his judgment of the justice of your cause. If indeed that cause really be a just one.

On the contrary, assume to dictate to his judgment, or to command his action, or to mark him as one to be shunned and despised, and he will retreat within himself, close all the avenues to his head and his heart; and though your cause be naked truth itself, transformed to the heaviest lance, harder than steel, and sharper than steel can be made, and though you throw it with more than herculean force and precision, you shall be no more able to pierce him, than to penetrate the hard shell of a tortoise with a rye straw.

Amen, brother Abraham.

GIAC Information Security Professional
http://blog.securitymonks.com/2009/03/20/giac-information-security-professional/
Sat, 21 Mar 2009 00:19:48 +0000, John Gerber

This past week, I took and passed the certification exam to become a GIAC Information Security Professional (GISP). The GISP focuses on the same material covered by the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK). To prepare for both exams, SANS offers the SANS® +S™ Training Program for the CISSP® Certification Exam (Management 414) course.

I am including a video of Dr. Eric Cole, SANS instructor, developer of the course material, and President of Secure Anchor, providing a course description.

While I tend to prefer more technically focused courses, DoD directive 8570.1M convinced me that becoming a CISSP would be useful. Below is a chart showing the certification requirements for 8570.1M.

SANS offers information on SANS courses that align with the 8570 Baseline and with CND & IASAE. If it sounds like I favor SANS a bit, I do. Over the past few years, I have had to work with a very limited security training budget. SANS has offered options allowing me to pick up certification while keeping costs low. I really appreciate that. Plus, SANS instructors are well trained and of the highest caliber. If you are on a budget, two low cost options are available:

  • The SANS Work Study Program. The program allows the volunteer to pay a fee of $700, which is applied towards tuition and certification costs. The volunteer works the selected event and in exchange can attend the course and all other events at the conference (SANS@Night events, BoFs, Lunch & Learns, etc.).
  • The Community of Interest in Network Security (COINS) program. If you are a member of an OWASP chapter, ISSA, ISACA, InfraGard, HTCIA, ECTF or other local security organization, the COINS program offers you a 50% tuition discount for this or any other SANS @Home course.

I decided to take the SANS GISP exam first because SANS makes it so much easier to schedule the exam compared to (ISC)2. The closest CISSP exam was over a 4.5-hour drive away from where I am currently residing. SANS allowed me to take the proctored exam at a local test center. Unlike the CISSP, SANS exams provide immediate results. For those not familiar with SANS certification exams, they are given electronically. As you answer the questions, you are told whether you answered correctly.

A word of warning: the GISP is a 5-hour exam. Initially, the local test center stated they were only set up for 3-hour maximum exams. The test center was trying to avoid having to monitor the test takers over lunch. The good news is that SANS can resolve this problem, but you will have to ask them to do so.

Ted Demopoulos, over at SecurITyCerts.org, did one of the better posts, “CISSP versus SANS GISP Certification.” Unlike many writers on this subject, Ted was one of the few who had taken and passed both exams. Otherwise, I encountered people who had taken only one exam and tended to discuss how that exam was superior.

I will hold off offering an opinion as to how the exams compare until after I pass the CISSP. Since I plan on doing DoD work, the fact that the CISSP fulfills the certification requirements for half of the DoD categories makes the certification choice pretty obvious. In the future, SANS may be better represented under DoD directive 8570.1. Generally speaking, security professionals will be aware of SANS and will respect the GIAC certification. People in business and IT, but outside of security, are more likely to know about the CISSP. You will likely find yourself in a position where you need to impress both groups. If you have the option, consider taking both exams.

SANS COINS Program Can Help With DoD 8570
http://blog.securitymonks.com/2008/08/26/sans-coins-program-can-help-with-dod-8570/
Wed, 27 Aug 2008 01:35:04 +0000, John Gerber

In today's economy, we are all looking to save some money. This applies even to our security training budgets. The last three SANS certifications I obtained were made possible by the SANS Work Study Program. The program allows the volunteer to pay a fee of $700, which is applied towards tuition and certification costs. The volunteer works the selected event and in exchange can attend the course and all other events at the conference (SANS@Night events, BoFs, Lunch & Learns, etc.). So it was with great interest that I read about the Community of Interest in Network Security (COINS) program. Stephen Northcutt wrote:

Please note that if you are a member of an OWASP chapter, ISSA, ISACA, InfraGard, HTCIA, ECTF or other local security organization, the COINS program offers you a 50% tuition discount for this or any other SANS @Home course.

Being very interested, I contacted Steve Peterson, director of mentor programs. Steve explained that COINS is a fairly new program at SANS. To quote Steve:

The goal of COINS is to work with local security organizations to strengthen the security community by offering SANS discounts to chapter members and free content to chapter meetings. COINS typically will run an event at our conferences as well. If you attend a conference, keep an eye out for the COINS event.

I used the COINS program to sign up for the SANS® +S™ Training Program for the CISSP® Certification Exam (Management 414). While I tend to prefer more technically focused courses, the DoD directive 8570 convinced me that having the Certified Information Systems Security Professional (CISSP) certification would be useful. To quote the 8570 FAQ:

DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians, managers, and members of IA specialties to be trained and certified to a DoD baseline requirement. The Directive’s accompanying Manual identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.

Agencies covered by 8570 include:

  • Office of the Secretary of Defense
  • Military Departments
  • Chairman of the Joint Chiefs of Staff
  • Combatant Commands
  • Office of the Inspector General of the DoD
  • Defense Agencies
  • DoD Field Activities
  • All other organizational entities in the DoD

Any full- or part-time military service member, contractor, or local national with privileged access to a DoD information system who performs information assurance functions, regardless of job or occupational series, is affected by 8570. For fiscal year 2008, the goal was to fill a total of 70 percent of the Information Assurance positions with certified personnel.

The tables below describe the DoD Approved Baseline Certifications, according to DoD 8570.01-M. This includes requirements for Information Assurance Technical (IAT), IA Management (IAM), IA System Architect and Engineer (IASAE), and Computer Network Defense-Service Provider (CND-SP) positions. All must be fully trained and certified to baseline requirements to perform their IA duties.

IAT workforce members consist of anyone with privileged information system access performing IA functions. IAT Level certifications are cumulative. Higher level certifications qualify for lower level requirements. Certifications listed in Level II or III cells can be used to qualify for Level I. However, Level I certifications cannot be used for Level II or III unless the certification is also listed in the Level II or III cell.

IAT Level I:   A+, Network+, SSCP
IAT Level II:  GSEC, Security+, SCNP, SSCP
IAT Level III: CISA, CISSP, GSE, SCNA

IAM personnel are responsible for the secure implementation and operation of a DoD information system (IS). IAMs perform IS security management functions for DoD operational systems. Management certifications corresponding to the position level do not cascade down. Each position requires the individual to meet one of the specific certifications associated with that Management Level. An IAM I must obtain one of the certifications shown in the IAM I box, such as the GISF. The IAM I should not take the CISSP unless already qualified in one of the certifications listed in the IAM I box (e.g., GISF).

IAM Level I:   GISF, GSLC, Security+
IAM Level II:  GSLC, CISM, CISSP
IAM Level III: GSLC, CISM, CISSP

The CND-SP personnel are members of “Accredited” CND-SP teams performing the functions listed.

CND Analyst:                GCIA
CND Infrastructure Support: SSCP
CND Incident Responder:     GCIH, CSIH
CND Auditor:                CISA, GSNA
CND-SP Manager:             CISSP-ISSMP, CISM

IASAE personnel perform system design functions, such as requirements gathering.

IASAE I:   CISSP
IASAE II:  CISSP
IASAE III: ISSEP, ISSAP

In the above tables, I put CISSP in bold, along with a few other certifications I currently possess, as an example of how a few certifications can help cover the requirements for many of the DoD Information Assurance positions. With the CISSP certification, IAT Levels I, II and III are covered along with IASAE I and II. It is easy enough to pick up one of the IAM Level I certifications, depending on what you are managing, and the CISSP will cover you for IAM Levels II and III.

Now if you are not directly affected by 8570, why should you care? There are a large number of military service members, contractors, and local nationals with privileged access to DoD information systems. These folks are performing information assurance functions, and DoD 8570 will eventually require them to have various security certifications. At some point, there is a good chance that these certified individuals are going to be competing with you for a job. Management often does not know how to tell the difference between candidates. Obtaining these certifications will help level the playing field so you can get past human resources, obtain management approval, and have the opportunity to impress the security folks. Of course, obtaining training and taking certification exams can get expensive. Thankfully there are programs like the SANS Work Study and COINS programs providing great options for those with financially disadvantaged training budgets.
