CISSP Exam Overview and Strategies

Jun 21, 2025

Overview

This CISSP exam cram lecture covers all eight CISSP domains, focusing on high-probability topics, key definitions, exam strategies, and practical study techniques to efficiently prepare for the exam.

Exam Prep Strategy & Learning Techniques

  • Study the 9th edition official CISSP guide (ebook recommended).
  • Focus on high-probability, high-difficulty topics first.
  • Use spaced repetition for long-term retention (review weak areas frequently).
  • Apply mnemonic devices and chunking to memorize complex concepts (e.g., OSI model, risk formulas).
  • Use practice quizzes to identify domain-specific weaknesses.
  • Map book chapters to domains to target practice.
  • Employ variety in study methods (quizzes, flashcards, readings) for best retention.

CISSP Exam Format & Recent Changes

  • CISSP has 8 domains; domain weightings changed minimally in 2021.
  • CAT (Computerized Adaptive Testing): 3 hours, 100–150 questions; adapts to your performance.
  • Pass requirement: 70%, must pass every domain.
  • Upcoming change: 4 hours, 125–175 questions, with 50 pre-test items.

Domain 1: Security and Risk Management

  • Key concepts: CIA Triad (Confidentiality, Integrity, Availability).
  • Due Care: Doing what a reasonable person would do (prudent man rule).
  • Due Diligence: Ongoing evaluation, risk assessments, and audits.
  • Know the ISC² Code of Ethics.
  • Understand types and responses to risk: acceptance, mitigation, transference, avoidance, deterrence, rejection.
  • Know risk management frameworks, especially NIST 800-37 (7 steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor).
  • Be familiar with risk analysis: qualitative (subjective, uses rankings) vs. quantitative (objective, uses formulas).
  • Quantitative formulas:
    • SLE = Asset Value × Exposure Factor
    • ALE = SLE × Annualized Rate of Occurrence
    • Safeguard Value = (ALE before – ALE after) – Annual Safeguard Cost
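The three quantitative formulas worked through in code, as an added illustration (not material from the lecture or the official guide). Every asset value, exposure factor, ARO and safeguard cost below is a constructed sample number; the two candidate controls are hypothetical, chosen so that one is cost-justified and one is not.

```python
"""Quantitative risk analysis, worked through in code.

Added illustration for the Domain 1 formulas; not from the lecture or the
official guide. All figures below are constructed sample numbers.

  SLE = asset value x exposure factor
  ALE = SLE x annualized rate of occurrence (ARO)
  safeguard value = (ALE before - ALE after) - annual safeguard cost
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the loss expected from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is the fraction of the asset lost (0..1)")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: SLE scaled by the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net yearly benefit of a control; negative means it costs more than it saves."""
    return (ale_before - ale_after) - annual_cost


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual_ef: float   # exposure factor once the control is in place
    residual_aro: float  # rate of occurrence once the control is in place


def evaluate_safeguards(asset_value: float, ef: float, aro: float,
                        options: List[Safeguard]) -> Tuple[float, Dict[str, float]]:
    """Compare candidate controls for one asset/threat pair.

    Returns the current ALE and, per control, its net value. The decision
    rule the exam expects: a safeguard is cost-justified only when its
    value is positive.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    values: Dict[str, float] = {}
    for opt in options:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, opt.residual_ef), opt.residual_aro)
        values[opt.name] = round(safeguard_value(ale_before, ale_after, opt.annual_cost), 2)
    return ale_before, values


# Constructed scenario: a $1M customer database threatened by ransomware.
ASSET_VALUE = 1_000_000.0
EXPOSURE_FACTOR = 0.25   # 25% of the asset's value lost per incident
ARO = 0.1                # one incident expected every ten years
CANDIDATES = [
    Safeguard("Offsite backups", annual_cost=5_000, residual_ef=0.05, residual_aro=0.1),
    Safeguard("Enterprise DLP suite", annual_cost=30_000, residual_ef=0.05, residual_aro=0.05),
]

if __name__ == "__main__":
    ale, values = evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES)
    print(f"ALE before any control: {ale:,.2f}")
    for name, value in values.items():
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:22s} net value {value:>10,.2f}  -> {verdict}")
```

With the sample figures, SLE is 250,000 and ALE 25,000; offsite backups net +15,000 per year, while the DLP suite nets -7,500 because its annual cost exceeds the loss it avoids. Exam questions usually hinge on exactly that sign.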

Domain 2: Asset Security

  • Know the data lifecycle: create, store, use, share, archive, destroy.
  • Data must be classified immediately after creation for proper protection.
  • Data destruction methods: erasing (recoverable), clearing/overwriting (not recoverable with standard tools), purging, degaussing, destruction (most secure).
  • Data classification levels (government: unclassified, confidential, secret, top secret; commercial: public, sensitive, private, confidential/proprietary).
  • Understand PII (personally identifiable information) and PHI (protected health information).
  • Roles: Data Owner (senior management) delegates, Data Custodian implements.
  • GDPR terminology: data controller, data processor, data transfer restrictions, breach notification within 72 hours.
  • Anonymization (irreversible) vs. pseudonymization (reversible masking).

Domain 3: Security Architecture and Engineering

  • Secure design principles: zero trust, least privilege, defense in depth, secure defaults, fail securely, simplicity, shared responsibility.
  • Understand cryptographic concepts: symmetric/asymmetric, key management, non-repudiation, hashing.
  • Security models: Bell-LaPadula (confidentiality, no read up/no write down), Biba (integrity, no read down/no write up), Clark-Wilson (access control triple), lattice-based models.
  • Trusted Computing Base (TCB), security kernel, reference monitor.
  • Evaluation criteria: Common Criteria (EAL levels), TCSEC, ITSEC (focus on Common Criteria).
  • Access control types: MAC, DAC, RBAC, rule-based.
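The Bell-LaPadula and Biba rules from the list above, expressed as a small reference monitor so the "no read up / no write down" versus "no read down / no write up" duality can be checked directly. This is an added example, not code from the lecture; the four-level lattice, the policy functions and the sample objects are all constructed for illustration (the same labels are read as sensitivity levels for Bell-LaPadula and as integrity levels for Biba).

```python
"""Reference-monitor illustration of Bell-LaPadula and Biba.

Added example, not from the lecture. The labels form a linear lattice;
for Bell-LaPadula they are sensitivity levels, for Biba integrity levels.
Subjects and objects below are constructed sample data.
"""
from typing import Callable, Dict, List, Tuple

LEVELS = ("unclassified", "confidential", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}
Policy = Callable[[str, str, str], bool]


def bell_lapadula_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Confidentiality model.
    simple security property: no read up   -> read only if subject >= object
    *-property:               no write down -> write only if subject <= object
    """
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Integrity model, the dual of Bell-LaPadula.
    simple integrity property: no read down -> read only if subject <= object
    integrity *-property:      no write up  -> write only if subject >= object
    """
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


class ReferenceMonitor:
    """Mediates every access to labelled objects through one policy function
    and records each decision, mirroring the TCB/reference-monitor idea."""

    def __init__(self, policy: Policy, objects: Dict[str, Tuple[str, str]]):
        self.policy = policy
        self.objects = dict(objects)          # name -> (label, content)
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def read(self, subject: str, subject_level: str, obj: str) -> str:
        label, content = self.objects[obj]
        if not self.policy(subject_level, label, "read"):
            self.audit_log.append((subject, "read", obj, "DENY"))
            raise PermissionError(f"{subject} may not read {obj}")
        self.audit_log.append((subject, "read", obj, "ALLOW"))
        return content

    def write(self, subject: str, subject_level: str, obj: str, content: str) -> None:
        label, _ = self.objects[obj]
        if not self.policy(subject_level, label, "write"):
            self.audit_log.append((subject, "write", obj, "DENY"))
            raise PermissionError(f"{subject} may not write {obj}")
        self.objects[obj] = (label, content)
        self.audit_log.append((subject, "write", obj, "ALLOW"))


def decision_matrix(policy: Policy, op: str) -> Dict[Tuple[str, str], bool]:
    """Allow/deny for every (subject level, object level) pair under one policy."""
    return {(s, o): policy(s, o, op) for s in LEVELS for o in LEVELS}


# Constructed sample objects: name -> (label, content)
SAMPLE_OBJECTS = {
    "press-release.txt": ("unclassified", "public statement"),
    "payroll.db":        ("confidential", "salary table"),
    "war-plan.doc":      ("secret", "operational details"),
}

if __name__ == "__main__":
    blp = ReferenceMonitor(bell_lapadula_allows, SAMPLE_OBJECTS)
    print(blp.read("alice", "secret", "payroll.db"))        # read down: allowed
    try:
        blp.read("bob", "confidential", "war-plan.doc")     # read up: denied
    except PermissionError as err:
        print(err)
    for entry in blp.audit_log:
        print(entry)
```

Swapping `bell_lapadula_allows` for `biba_allows` in the monitor flips every decision in the matrix, which is the quickest way to internalize that Biba is Bell-LaPadula with the arrows reversed.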

Domain 4: Communication and Network Security

  • OSI model layers (mnemonic: Please Do Not Throw Sausage Pizza Away).
  • TCP/IP stack vs. OSI.
  • Key protocols, ports, and cable types.
  • Network topologies: mesh, ring, bus, star.
  • Collision management: CSMA/CD (Ethernet), CSMA/CA (wireless).
  • Wireless security standards: WEP, WPA, WPA2 (CCMP/AES).
  • Firewalls: stateless, stateful, next-gen, web app firewall.
  • Network attacks: DoS, DDoS, SYN flood, ping of death, etc.

Domain 5: Identity and Access Management

  • Authentication factors: something you know, have, are.
  • Single Sign-On protocols: SAML, OAuth 2.0, OpenID Connect.
  • Know policies: need to know, least privilege, separation of duties.
  • Access control models: DAC, RBAC, ABAC, MAC.
  • Common attacks: brute force, dictionary, spoofing, phishing.

Domain 6: Security Assessment and Testing

  • Difference between vulnerability scanning (automated) and penetration testing (exploitation).
  • Software testing: static (code review) vs. dynamic (runtime).
  • Maintain ongoing assessment programs.
  • Internal vs. external audits.
  • Always have a defined, operational assessment and testing program.

Domain 7: Security Operations

  • Principles: least privilege, need to know, separation of duties, job rotation.
  • Information lifecycle: creation, classification, storage, use, archival, destruction.
  • Understand incident response: detection, response, mitigation, reporting, recovery, remediation, lessons learned (mnemonic: DRM RRL).
  • Denial of service attacks, botnets, honeypots.
  • Types of recovery sites: hot, warm, cold; RPO and RTO definitions.
  • Backup strategies: electronic vaulting, remote journaling, mirroring.
  • Business continuity and disaster recovery planning: know steps and key definitions.

Domain 8: Software Development Security

  • Secure SDLC models: Agile, Waterfall, Spiral.
  • Software testing: code review, peer review, static/dynamic analysis.
  • Secure coding practices, secure code repositories.
  • Code scanning: SAST (static) and DAST (dynamic).
  • Database security: primary/foreign keys, aggregation, inference, SQL injection.
  • Change/configuration management and versioning.
  • Familiarity with software maturity models: SW-CMM, IDEAL.
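The SQL injection item in the Domain 8 list, shown as the defect a SAST tool flags beside its parameterized fix. This is an added example, not code from the lecture; it uses Python's built-in sqlite3 module with an in-memory database and constructed sample rows, and the probe string is constructed only to show that the two query styles behave differently on the same input.

```python
"""SQL injection: vulnerable query beside its parameterized form.

Added example, not from the lecture. In-memory SQLite with constructed rows.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with a few constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "analyst"), ("carol", "analyst")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Untrusted input is spliced into the statement text, so the input can
    # change the query's structure rather than just supplying a value.
    # This string-building pattern is what static analysis (SAST) reports.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The value travels separately from the statement; whatever the string
    # contains, the database compares it as a literal.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed input that closes the quoted literal and appends a tautology.
PROBE = "x' OR '1'='1"


def compare(conn: sqlite3.Connection) -> Tuple[int, int]:
    """Row counts returned for the same input by the two implementations."""
    return len(find_user_vulnerable(conn, PROBE)), len(find_user_safe(conn, PROBE))


if __name__ == "__main__":
    db = make_db()
    print("legitimate lookup:", find_user_safe(db, "alice"))
    vulnerable_rows, safe_rows = compare(db)
    print(f"probe input -> vulnerable query returned {vulnerable_rows} rows, "
          f"parameterized query returned {safe_rows}")
```

The vulnerable function hands back every user for an input that matches none of them; the parameterized one returns nothing, which is the correct answer. The exam-level takeaway: parameterized queries (prepared statements) are the primary control, and input validation is defence in depth, not a substitute.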

Key Terms & Definitions

  • CIA Triad — Confidentiality, Integrity, Availability; core security principles.
  • Due Diligence — Ongoing evaluation and risk assessment.
  • Due Care — Acting as a prudent person would to prevent harm.
  • SLE (Single Loss Expectancy) — The financial loss from a single event.
  • ALE (Annualized Loss Expectancy) — Expected yearly loss; SLE × ARO.
  • RBAC — Role-Based Access Control; assigns permissions by roles.
  • AAA — Authentication, Authorization, Accounting.
  • GDPR — EU data protection law impacting any org with EU customers.
  • Zero Trust — No default trust; always verify users/devices/requests.
  • EAL (Evaluation Assurance Level) — Security certification level under Common Criteria.

Action Items / Next Steps

  • Obtain the official (9th ed.) CISSP study guide (ebook).
  • Identify and focus on weakest domains first using practice quizzes.
  • Memorize risk formulas and security model properties.
  • Review key laws, GDPR terminology, and data classification schemes.
  • Practice OSI model layers and common network attacks.
  • Download and use FAQ/errata and supplemental resources from video description.