
Forewords


It is a scary world out there—for individuals and for businesses. According to a November 2009 web site survey by Netcraft, the Internet is approaching a quarter of a billion web sites. And in March 2009, Google reported that the Internet contains over 25.2 billion web pages. That is a lot of risky turf with a lot of opportunity for the bad guys. In the most recent annual report from the FBI’s Internet Crime Complaint Center (IC3), IC3 received over 275,000 reports of crime, a 33% increase over the previous year. The attacks are more frequent, more targeted, and more successful.

Identity theft affected nearly 10 million people in the U.S. in 2008, up 22% from 2007, according to a 2009 report from Javelin Strategy and Research. There are many reasons to pursue increased knowledge and awareness in the realm of information systems security.

If you are currently in, or are looking for, a position in information technology, you should have, or should be actively pursuing, your CISSP certification. Many companies and government departments now require CISSP certification before considering you for a position in their IT departments. As of November 2009, Monster lists over 800 jobs that request or require the CISSP certification, and Indeed.com lists over 3,000 CISSP-related job opportunities. Get your CISSP to increase your “hire-ability” and to increase your retention factor on the job.

According to PayScale, a salary survey web site, it is not at all uncommon for the salary of a CISSP to range between $75,000 and $120,000 annually, with the average compensation settling in at around $90,000 U.S. Indeed.com shows CISSP job opportunities with compensation ranging from $60,000 to over $140,000 U.S. Get your CISSP to increase your income.

As you realize the value of your personal and corporate information assets, you may begin to realize just how vulnerable and exploitable they really are. The body of knowledge that makes up the CISSP provides details on how the bad guys gain access to your systems, and how you can and should be protecting yourself and those valuable information assets. Get your CISSP to improve your vision and understanding of prudent security, and how to identify and protect your own valuable information assets.

Because you have applied effort and have achieved a heightened level of knowledge and understanding of the topic, sign up for, take, and pass the CISSP certification exam. You’ve worked for it. Now add the credential to your resume.

Increasing your knowledge of the security of information systems and valuable information assets will only improve your world. You should be using this book, Shon Harris’s CISSP All-In-One Exam Guide, which is the golden bible on CISSP certification and one of the first and best CISSP resources for developing your knowledge of information systems security.

Shon Harris has been researching and writing this CISSP study guide (this edition and previous editions) for as long as I’ve known her. Shon is the consummate researcher, forever probing, studying, expanding, and refining her details. With a strong focus in the field of IT security, she balances that academic understanding with real-world experience through consulting companies with security and compliance issues. She is a worthy professional associate, as well as a close, trusted, and valued friend. A better soul is difficult to find.

Her CISSP study guide is second to none, and continues to be a best seller for good reason. This book is well written, comprehensive, and well targeted, helping thousands of students and professionals prepare for and achieve the CISSP certification. It covers a seemingly diverse array of topics that coalesce into the well-rounded skill set required of a security professional. This book is the best starting point to begin your approach to CISSP certification. It is also the best finishing point for putting the final polish on the massive volume of information you’ll need as your exam date draws near. Congratulations, reader, on your professional choices and successes so far, and on your upcoming CISSP certification.

David R. Miller
Security and Compliance Consultant, Author, Instructor
MicroLink Corporation

I remember my first exposure to a computer, during my senior year in high school. I was working in the evenings cleaning office buildings. One of those buildings was the First Bank of Evergreen Park, Illinois, and as I swept the floors in the basement, the single employee working was feeding a stack of cards to this behemoth of a machine. He sat at a machine that fed check after check, and he typed card after card and then fed the machine the card deck. That was 1969, and I couldn’t comprehend the value.

In 1980, after a ten-year stint in the Army, I went back to college and was “forced” to take two computer courses as part of the core curriculum—I became hooked. While I was taking an Introduction to Computer Science class in Europe, and consulting for the European Organization for Nuclear Research (known as CERN), Tim Berners-Lee wrote a program that allowed links to be made between nodes. He returned to CERN in 1984, and worked on the problem of needing to share data without the same machine or operating system. He wrote a proposal in 1989 for “a large hypertext database with typed links,” but few took notice. Little did he know that he had laid the foundation for what was to become known as the Internet.

Now, some 20 years later, the Internet plays a prominent role in our everyday life. When I’m on the road, it’s not unusual for me to log in and tell my digital video recorder to record a program so I can watch it later. I take my Blackberry everywhere I go, and it’s typical for me to answer an e-mail or two between shots on the golf course. The capabilities we have to socialize, shop, and bank without leaving our living room are phenomenal.

Unfortunately, all of these capabilities have also afforded the seedier side of the world an opportunity to exploit all elements of today’s society. Corporate and government data, banking records, and our very identities are all potentially at risk. This combination has led to an unprecedented need for professionals who are knowledgeable and able to counter these risks.

Enter the International Information Systems Security Certification Consortium (ISC)² in 1988 and the Certified Information Systems Security Professional standard in 1994, with ten domains that form the profession’s common body of knowledge. To attain this certification one has to possess the knowledge to survive a grueling six-hour-long, 250-question examination whose questions are often confusing and will weed out those who don’t know the material.

I took the CISSP examination in 2002 after reading Shon Harris’s All-In-One CISSP Study Guide for the CISSP Exam and attending a workshop that Shon taught. Even though I have been an information security professional since 1987, I was thrilled to receive the e-mail that told me I had passed.

The CISSP certification is recognized worldwide as the premier information security credential. Many employers encourage their information security staffs to attain this credential, and the U.S. Department of Defense recognizes the CISSP credential as one of those at the highest level.

Since 2002, I’ve gotten to know Shon Harris. She is a passionate professional who loves to help people learn. She knows the material contained within the Common Body of Knowledge backward and forward. She constantly revises her work to make sure her readers have every opportunity to fully understand the material within the context that (ISC)² has defined.

It’s my great honor to write a Foreword for the latest edition of Shon’s All-in-One Exam Guide. I am especially grateful for this opportunity to encourage everyone involved with the information security business to take the time to obtain the knowledge and experience necessary to sit for and successfully obtain the CISSP credential. Through her books, Shon Harris can help that goal become reality.

Thomas P. Madden, CISSP, CISM